[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: KaZaA/Morpheus and other file sharing

On Sat, Oct 13, 2001 at 05:37:03PM -0300, Alvaro Reguly wrote:
> Hello, I want to filter out KaZaA/Morpheus
> IMesh gnutella and the like from our administrative LAN.
>
> I do not want our users to connect to those services and if that is not
> possible I want them to not serve any files.
> 
> Does anyone here knows what are the correct ports/protocols
> for those services ?

For the past week I've been working on something similar w/ IPChains on
potato.  It certainly doesn't stop everything but most of the users were
running KaZaA and it got rid of it.  Please excuse the chains as I've
haven't gotten any time to clean them up:

>	### Napster (bandwidth hog)
>	$IPCHAINS -N NAPSTER		# make Napster chain
>	$IPCHAINS -F NAPSTER		# flush Napster chain
>		$IPCHAINS -A NAPSTER -p tcp -d 208.195.149.0/24 8888 -j DENY
>		$IPCHAINS -A NAPSTER -p tcp -d 64.124.41.0/24 8888 -j DENY
>		$IPCHAINS -A NAPSTER -p tcp -s 208.184.216.223/24 8875 -b -j DENY
>		$IPCHAINS -A NAPSTER -p tcp -s 64.124.41.0/24 8875 -b -j DENY
>		$IPCHAINS -A NAPSTER -p tcp -d 0.0.0.0/0 6699 -j DENY
>		$IPCHAINS -A NAPSTER -p tcp -s 0.0.0.0/0 6699 -j DENY
>		$IPCHAINS -A NAPSTER -p udp -d 0.0.0.0/0 6699 -j DENY
>		$IPCHAINS -A NAPSTER -p udp -s 0.0.0.0/0 6699 -j DENY
>
>	### eDonkey [http://www.edonkey2000.com/] (bandwidth hog)
>	$IPCHAINS -N EDONKEY	# make eDonkey chain
>	$IPCHAINS -F EDONKEY	# flush eDonkey chain
>		# clients connect to the server on port 4661
>		$IPCHAINS -A EDONKEY -p tcp -d 0.0.0.0/0 4661 -j DENY
>		$IPCHAINS -A EDONKEY -p tcp -s 0.0.0.0/0 4661 -j DENY
>		# clients connect to each other on port 4662
>		$IPCHAINS -A EDONKEY -p tcp -d 0.0.0.0/0 4662 -j DENY
>		$IPCHAINS -A EDONKEY -p tcp -s 0.0.0.0/0 4662 -j DENY
>		# clients can communicate w/ other servers than the ones
>		# they are connected to.  This is what this is for.
>		$IPCHAINS -A EDONKEY -p udp -d 0.0.0.0/0 4665 -j DENY
>		$IPCHAINS -A EDONKEY -p udp -s 0.0.0.0/0 4665 -j DENY
>
>	### Gnutella AutoConnect Hosts (bandwidth hog)
>	$IPCHAINS -N GNUTELLA		# make Gnutella chain
>	$IPCHAINS -F GNUTELLA		# flush Gnutella chain
>		$IPCHAINS -A GNUTELLA -p tcp -d 0.0.0.0/0 6345 -j DENY
>		$IPCHAINS -A GNUTELLA -p udp -d 0.0.0.0/0 6345 -j DENY
>		$IPCHAINS -A GNUTELLA -p tcp -d 0.0.0.0/0 6346 -j DENY
>		$IPCHAINS -A GNUTELLA -p udp -d 0.0.0.0/0 6346 -j DENY
>		$IPCHAINS -A GNUTELLA -p tcp -d 0.0.0.0/0 6347 -j DENY
>		$IPCHAINS -A GNUTELLA -p udp -d 0.0.0.0/0 6347 -j DENY
>		$IPCHAINS -A GNUTELLA -p tcp -d 0.0.0.0/0 6348 -j DENY
>		$IPCHAINS -A GNUTELLA -p udp -d 0.0.0.0/0 6348 -j DENY
>		$IPCHAINS -A GNUTELLA -p tcp -d 0.0.0.0/0 6349 -j DENY
>		$IPCHAINS -A GNUTELLA -p udp -d 0.0.0.0/0 6349 -j DENY
>
>	### Kazaa (file sharing thingy... bandwidth hog)
>	$IPCHAINS -N KAZAA		# make Kazaa chain
>	$IPCHAINS -F KAZAA		# flush Kazaa chain
>		$IPCHAINS -A KAZAA -p tcp -d 0.0.0.0/0 1214 -j DENY
>		$IPCHAINS -A KAZAA -p tcp -s 0.0.0.0/0 1214 -j DENY
>		$IPCHAINS -A KAZAA -p udp -d 0.0.0.0/0 1214 -j DENY
>		$IPCHAINS -A KAZAA -p udp -s 0.0.0.0/0 1214 -j DENY

That should get you started.  Another thing we have found to work well
is look for prolonged spikes in either incoming or outbound traffic, and
when that happens run 'netwatch -t' and see who is using up the most
bandwidth.  Then 'netstat -anM | grep $IP' will give you a list of all
masq'ed connections w/ ports.  That is how I tracked down eDonkey.

-- 
Adam VanderHook
acidos@users.sourceforge.net
Reply to: