ACCESS LIST question

Discussion in 'Cisco' started by TonyF, Jul 6, 2004.

  1. TonyF

    TonyF Guest

    Can you just block a range of ports above a certain value in order to help
    prevent p2p? Or can it break other stuff, like maybe windows update?
    TonyF, Jul 6, 2004
    #1

  2. In article <>,
    TonyF <> wrote:

    :Can you just block a range of ports above a certain value in order to help
    :prevent p2p? Or can it break other stuff, like maybe windows update?

    You can safely block most high-port *destinations*.

    Anything beyond about 8000 is likely fairly specialized. For example:

    7001 -- windows messenger

    8000, 8080, 8800, 8888 -- variant http ports (the p2p programs will
    likely try these.) 8800 and 8888 are not particularly common, but
    blocking 8000 and 8080 would likely end up blocking some places that
    users want to see.

    11371 - OpenPGP enrollment

    38293 - Norton Anti-Virus "call home" (license checking)

    20050 - 20054 - often used by MS Exchange for data transfer and control
    (only if you are talking to a remote MS Exchange server.)


    If you do block high-numbered UDP destinations, then you would
    probably break Unix traceroute (windows tracert works by icmp by
    default). The exact range of high-numbered ports used by Unix
    traceroute depends on the implementation.
    --
    Warhol's Second Law of Usenet: "In the future, everyone will troll
    for 15 minutes."
    Walter Roberson, Jul 6, 2004
    #2
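    The first-match behaviour Walter is reasoning about, as an added example that is not part of the thread: a small Python model of a Cisco IOS extended access-list. It parses a subset of the syntax (any / host / address plus wildcard, and eq / gt / lt / range on the destination port), applies first-match semantics with the implicit deny at the end, and runs constructed packets through a constructed outbound list that lets default Unix traceroute probes (UDP 33434-33534) through before a blanket "gt 8000" deny. Note that IOS entries take a wildcard mask, the inverse of a netmask, so a /24 is written 0.0.0.255. All addresses are RFC 5737 documentation ranges and all function names are this example's own.

```python
"""Model how a Cisco IOS extended access-list decides on a packet.

Added example, not from the thread: a parser for a small subset of the
extended ACL syntax (any / host / address+wildcard, eq / gt / lt / range on
the destination port) with IOS first-match semantics and the implicit deny
at the end.  The ACL and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    dst: str               # destination IPv4 address
    dport: int = 0         # destination port (ignored for icmp)
    src: str = "10.0.0.5"  # constructed inside host


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def _take_ports(tokens):
    """Consume an optional destination-port operator; return (lo, hi) inclusive."""
    if not tokens:
        return 0, 65535
    op, args = tokens[0], [int(t) for t in tokens[1:]]
    if op == "eq":
        return args[0], args[0]
    if op == "gt":
        return args[0] + 1, 65535
    if op == "lt":
        return 0, args[0] - 1
    if op == "range":
        return args[0], args[1]
    raise ValueError(f"unsupported port operator: {op}")


def parse_ace(line: str):
    """'deny tcp any any gt 8000' -> (action, proto, src_net, dst_net, lo, hi)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    lo, hi = _take_ports(rest)
    return action, proto, src, dst, lo, hi


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for line in acl_lines:
        action, proto, src, dst, lo, hi = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.IPv4Address(pkt.src) not in src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in dst:
            continue
        if proto in ("tcp", "udp") and not lo <= pkt.dport <= hi:
            continue
        return action
    return "deny"


# Constructed outbound list: default Unix traceroute probes are permitted
# before the blanket high-port deny, ICMP is untouched so Windows tracert
# keeps working, one constructed /24 is denied outright, and the rest passes.
OUTBOUND_ACL = [
    "permit udp any any range 33434 33534",
    "deny tcp any any gt 8000",
    "deny udp any any gt 8000",
    "deny ip any 203.0.113.0 0.0.0.255",
    "permit ip any any",
]

if __name__ == "__main__":
    samples = [
        ("windows update over http", Packet("tcp", "198.51.100.10", 80)),
        ("web site on 8080", Packet("tcp", "198.51.100.10", 8080)),
        ("unix traceroute probe", Packet("udp", "198.51.100.10", 33434)),
        ("windows tracert (icmp)", Packet("icmp", "198.51.100.10")),
        ("p2p client on udp 41170", Packet("udp", "198.51.100.10", 41170)),
        ("http to the denied /24", Packet("tcp", "203.0.113.7", 80)),
    ]
    for label, pkt in samples:
        print(f"{label:26s} -> {evaluate(OUTBOUND_ACL, pkt)}")
```

    The model deliberately covers only the syntax it needs to reason about port and address ranges; a real IOS list also accepts named ports, `established`, `log` and more, so use it to check an ordering before you type it into the router, not as a substitute for the router's own parser.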

  3. TonyF

    TonyF Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:ccee8b$h5u$...

    > If you do block high-numbered UDP destinations, then you would
    > probably break Unix traceroute (windows tracert works by icmp by
    > default). The exact range of high-numbered ports used by Unix
    > traceroute depends on the implementation.


    Thanks very much for this priceless advice. Therefore I don't think I will
    range block ports across the whole network at least, as it might break too
    much.

    At the moment I am just trying blocking specific ports, sometimes even on
    specific hosts, so that's fine.

    I have looked on it another way, and blocked at the website level even
    accessing certain pages to download these clients; although there are always
    ways around, I want to make it more difficult than just going to the main
    pages.

    Hence I have blocked www.kazaalite.com etc, by determining their IP and then
    adding it to a group setup for deny outgoing.

    However this doesn't work for www.morpheus.com and www.kazaa.com, but has
    worked for most of them.

    Any ideas why this is and how I can find out the specific IP I need to block
    if it isn't the one returned by the ping command?
    TonyF, Jul 7, 2004
    #3
  4. In article <>,
    TonyF <> wrote:
    :Hence I have blocked www.kazaalite.com etc, by determining their IP and then
    :adding it to a group setup for deny outgoing.

    :However this doesnt work for www.morpheus.com, and www.kazaa.com but has
    :worked for most of them.

    :Any ideas why this is and how I can find out the specific IP I need to block
    :if it isnt the one returned by the ping command?

    I don't at the moment see why it wouldn't work for morpheus.

    www.kazaa.com is a cname for www.kazaa.com.edgesuite.net
    which in turn is a cname for [at least at the moment for me]
    a342.g.akamai.net . akamai.net is a very large content distribution
    provider that keeps mirrors of sites all over North America [and
    probably parts of Europe] and figures out which one is "closest" to
    you at the time and serves the information from there. It could be
    any of literally hundreds of systems, and those same systems
    serve content that you probably want, so you probably don't want
    to block all of akamai's sites just to block kazaa .
    --
    Most Windows users will run any old attachment you send them, so if
    you want to implicate someone you can just send them a Trojan
    -- Adam Langley
    Walter Roberson, Jul 7, 2004
    #4
  5. TonyF

    TonyF Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    > :Any ideas why this is and how I can find out the specific IP I need to block
    > :if it isn't the one returned by the ping command?
    >
    > I don't at the moment see why it wouldn't work for morpheus.
    >
    > www.kazaa.com is a cname for www.kazaa.com.edgesuite.net
    > which in turn is a cname for [at least at the moment for me]
    > a342.g.akamai.net . akamai.net is a very large content distribution
    > provider that keeps mirrors of sites all over North America [and
    > probably parts of Europe] and figures out which one is "closest" to
    > you at the time and serves the information from there. It could be
    > any of literally hundreds of systems, and those same systems
    > serve content that you probably want, so you probably don't want
    > to block all of akamai's sites just to block kazaa .


    Hmm ok.
    I had actually changed it so as to block at the 213.253.135.0 level on
    255.255.255.0 instead of the exact IP on 255.255.255.255 which was the only
    way I could find to stop it. And it did.
    Are you saying that anything USEFUL and BUSINESS related comes out of that
    area and its the same as Morpheus?
    IF so I might need to look up the list of sites, because I might need to
    unblock that domain.
    Or I could just wait until someone complains and then review my
    access-list/site groups.

    Tony
    TonyF, Jul 7, 2004
    #5
  6. In article <>,
    TonyF <> wrote:

    :"Walter Roberson" <-cnrc.gc.ca> wrote in message
    :> I don't at the moment see why it wouldn't work for morpheus.

    :> www.kazaa.com is a cname for www.kazaa.com.edgesuite.net
    :> which in turn is a cname for [at least at the moment for me]
    :> a342.g.akamai.net . akamai.net is a very large content distribution


    :I had actually changed it so as to block at the 213.253.135.0 level on
    :255.255.255.0 instead of the exact IP on 255.255.255.255 which was the only
    :way I could find to stop it. And it did.

    I'm not sure there whether you are referring to morpheus or kazaa .
    When I chase through the various levels, www.morpheus.com for me
    resolves to an IP in the 38.119 range, which is in the USA and
    nowhere near 213.253. But it could certainly be the case that
    the nameservers at dnsmanaged are taking into account where I am
    placing the query from, and are giving me a different answer than
    they would give you.


    :Are you saying that anything USEFUL and BUSINESS related comes out of that
    :area and its the same as Morpheus?

    I do not have any information about that. The akamai reference was
    with respect to kazaa. Quite a bit of very useful business related
    content is delivered by akamai -- some of the best known computer
    companies in the world deliver content via akamai. I believe that I've
    even seen some of the Windows Update patches served by akamai
    servers. Blocking akamai just to block kazaa would be a drastic
    measure.
    --
    Entropy is the logarithm of probability -- Boltzmann
    Walter Roberson, Jul 8, 2004
    #6
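    The CNAME chase Walter describes in posts #4 and #6, and the collateral of the /24 deny from post #5, as an added example that is not part of the thread. The record table is constructed: the three-name chain www.kazaa.com -> www.kazaa.com.edgesuite.net -> a342.g.akamai.net is the one he quotes, but every address is from the RFC 5737 documentation ranges and the other names are invented to stand in for other CDN customers. In real use you would fill the table from dig or nslookup CNAME lookups and your resolver logs; the function names are this example's own.

```python
"""Walk a CNAME chain to its A records and measure the collateral of an IP block.

Added example, not from the thread.  ZONE is a constructed record table
(RFC 5737 documentation addresses) shaped like the chain described in the
posts above: a site name that is a CNAME into a CDN, whose edge nodes also
serve other customers.  It also contains a deliberate CNAME loop to show
that the walker stops instead of hanging.
"""
import ipaddress

ZONE = {
    # name: ("CNAME", target) or ("A", [addresses])  -- all constructed
    "www.kazaa.com":               ("CNAME", "www.kazaa.com.edgesuite.net"),
    "www.kazaa.com.edgesuite.net": ("CNAME", "a342.g.akamai.net"),
    "a342.g.akamai.net":           ("A", ["192.0.2.10", "192.0.2.11"]),
    # other (invented) customers of the same edge nodes
    "downloads.example.com":       ("CNAME", "a342.g.akamai.net"),
    "static.example.net":          ("A", ["192.0.2.200"]),
    # a site hosted directly, nowhere near the CDN block
    "www.kazaalite.example":       ("A", ["203.0.113.7"]),
    # a misconfigured loop
    "loop-a.example":              ("CNAME", "loop-b.example"),
    "loop-b.example":              ("CNAME", "loop-a.example"),
}


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs from `name`; return (chain_of_names, A records).

    Raises LookupError on a dangling chain, a loop, or a chain longer than
    max_hops, which is what a resolver does instead of spinning forever.
    """
    chain, seen = [name], {name}
    while True:
        rtype, data = zone.get(name, (None, None))
        if rtype == "A":
            return chain, list(data)
        if rtype != "CNAME":
            raise LookupError(f"{name}: no A or CNAME record")
        name = data
        if name in seen or len(chain) >= max_hops:
            raise LookupError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        chain.append(name)


def collateral(block, zone=ZONE):
    """Every resolvable name in `zone` with at least one A record inside `block`.

    Run a proposed deny (say a /24 around one address you saw from ping)
    through this before adding it: the result is what else you would cut off.
    """
    net = ipaddress.IPv4Network(block)
    hits = {}
    for name in zone:
        try:
            _chain, addrs = resolve(name, zone)
        except LookupError:
            continue  # loops and dangling names cannot be caught by an IP block
        caught = [a for a in addrs if ipaddress.IPv4Address(a) in net]
        if caught:
            hits[name] = caught
    return hits


if __name__ == "__main__":
    chain, addrs = resolve("www.kazaa.com")
    print(" -> ".join(chain), "=>", ", ".join(addrs))
    for proposed in ("192.0.2.10/32", "192.0.2.0/24"):
        print(f"\ncollateral of deny {proposed}:")
        for name, caught in collateral(proposed).items():
            print(f"  {name:30s} {', '.join(caught)}")
```

    The point the output makes is the one Walter makes in prose: a /32 on the address ping happened to return catches only that edge node, and only for as long as the CDN keeps returning it, while widening to the /24 catches every other customer that resolves into the same range. Neither actually blocks the site name; for that you need a filter that works on the name (DNS or a proxy), not on the address.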
  7. TonyF

    TonyF Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    > I do not have any information about that. The akamai reference was
    > with respect to kazaa. Quite a bit of very useful business related
    > content is delivered by akamai -- some of the best known computer
    > companies in the world deliver content via akamai. I believe that I've
    > even seen some of the Windows Update patches served by akamai
    > servers. Blocking akamai just to block kazaa would be a drastic
    > measure.


    See your point. It works very cleverly, doesn't it. Ebay also seems to use it,
    albeit for static stuff like logos. That rules out the blocking specifically
    of those IPs, unfortunately. Not so good for those with firewalls.
    TonyF, Jul 13, 2004
    #7
