Pix con blocco emule

[mulasso]

Ciao a tutti ho questo tipo di configurazione sul mio pix501. Ma nonostante abbia un comando di Deny, Emule funziona sempre.

Mi sapete dire gentilmente qual'è il problema, o l'inghippo



User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ***
Invalid password
Password:
pixfirewall#
pixfirewall#
pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 88.35.186.147 eq smtp
access-list outside_access_in permit tcp any host 88.35.186.147 eq pop3
access-list outside_access_in permit tcp any host 88.35.186.147 eq https
access-list inside_outbound_nat0_acl permit ip any 192.168.20.192 255.255.255.22
4
access-list outside_cryptomap_dyn_20 permit ip any 192.168.20.192 255.255.255.22
4
access-list inside_access_in deny tcp any any eq 4661
access-list inside_access_in deny tcp any any eq 4672
access-list inside_access_in deny udp any any eq 4672
access-list inside_access_in deny tcp any any eq 4662
access-list inside_access_in deny tcp any any eq 4673
access-list inside_access_in deny udp any any eq 4665
access-list inside_access_in deny tcp any any eq 4711
access-list inside_access_in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 88.35.186.146 255.255.255.248
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool esterni 192.168.20.201-192.168.20.220
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 88.35.186.147 192.168.20.3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 88.35.186.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.20.5 255.255.255.255 inside
http 192.168.20.83 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn-casoria address-pool esterni
vpngroup vpn-casoria idle-time 1800
vpngroup vpn-casoria password ********
telnet 192.168.20.5 255.255.255.255 inside
telnet 192.168.20.83 255.255.255.255 inside
telnet 192.168.20.150 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password z.HIy5OvO6nwJHOL encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 2
username ospite1 password 49OFceEfCbuMOifp encrypted privilege 15
terminal width 80
Cryptochecksum:19e6e2cc8babc8673d9e81702d7e2460
: end
pixfirewall#

[andrewp]

E' semplice...emule è in grado di funzionare anche in passive...

Bloccare il traffico p2p non è per niente facile, l'unico ISP che attualmente fa questo è Tiscali, si basa su un appliance della Cisco che fa analisi statistica sui pacchetti.

[Wizard]

Con i PIX501 è un casino, con la versione 7 del PIX si riescono a bloccare i protocolli kazaa, e2k, bittorrent...
Che router hai? Se hai un Cisco gli puoi limitare di brutto la banda!
Cmq se non natti le porte emule avrà sepre un ID basso, con un ID basso scaricherà a velocità molto basse ma purtroppo l' upload lo usa tutto...!!!

[mulasso]

Il mio router è un cisco soho97.
C'è un modo per blcccare?

Grazie amici

[TheIrish]

E' un argomento che mi ha sempre interessato. Purtroppo però i protocolli p2p sono decisamente bastardi e bloccare delle porte non sembra essere sufficiente.
Ricordo invece una soluzione Linux da mettere in un ideale gateway... pensa se può essere il caso.

[MaiO]

Io ho da poco aggiornato il mio 515E alla 7.21 e posso dirti che "ste cosette" le fà egregiamente!

Ciao

[TheIrish]

Eh, immagino. Ci stanno dando dentro parecchio sull'argomento, se non altro perché (giustamente) le politiche aziendali stanno diventando più serie.

[mulasso]

Lo posso anch'io aggiornare il Pix 501 con la nuova versione.

Come fare per non perdere i miei settaggi

Grazie

[MaiO]

No non puoi, minimo 515E con 16F/64R.

Ciao

[mulasso]

Grazie, altre soluzioni ne avete?

[andrewp]

Grazie, altre soluzioni ne avete?

Fare rapporto ai tuoi superiori su chi utilizza p2p in azienda.
O, come diceva Irish, installare un proxy linux.

[mulasso]

Che tipo di proxy Linux e con quale versione?
Avete documentazione a riguardo?

Un

[Wizard]

Per conoscienza:

DTS on Main Interface Example

In the following example, traffic leaving interface pos1/0/0 is shaped at the rate of 10 Mbps:

Router(config)# class-map class-interface-all

Router(config-cmap)# match any

Router(config-cmap)# exit

Router(config)# policy-map dts-interface-all-action

Router(config-pmap)# class class-interface-all

Router(config-pmap-c)# shape average 10000000

Router(config-pmap-c)# exit

Router(config)# interface pos1/0/0

Router(config-if)# service-policy output dts-interface-all-action

Class-Based DTS on Main Interface Example

In the following example, two classes are created and the match criteria is defined based on the access list number. Traffic leaving interface fd4/0/0 and matches access list 10 is shaped to 16 Mbps. Traffic leaving interface fdi 4/0/0 and matches access list 20 is shaped to 8 Mbps.

Router(config)# access-list 10 permit 172.16.0.0

Router(config)# access-list 20 permit 192.168.0.0

Router(config)# class-map class1

Router(config-cmap)# match access-group 10

Router(config-cmap)# exit

Router(config)# class-map class2

Router(config-cmap)# match access-group 20

Router(config-cmap)# exit

Router(config)# policy-map dts-interface-class-action

Router(config-pmap)# class class1

Router(config-pmap-c)# shape average 16000000

Router(config-pmap-c)# exit

Router(config-pmap)# class class2

Router(config-pmap-c)# shape average 8000000

Router(config-pmap-c)# exit

Router(config-pmap)# interface fd4/0/0

Router(config-if)# service-policy output dts-interface-class-action

DTS on Frame Relay Point-to-Point Subinterface Example

In the following example, traffic leaving sub interface 6/1/0.1 or 6/1/0.2 is shaped to 1 Mbps:

Router(config)# class-map class-p2p-all

Router(config-cmap)# match any

Router(config-cmap)# exit

Router(config)# policy-map dts-p2p-all-action

Router(config-pmap)# class class-p2p-all

Router(config-pmap-c)# shape average 1000000

Router(config-pmap-c)# exit

Router(config)# interface hssi6/1/0.1 point-to-point

Router(config-subif)# service-policy output dts-p2p-all-action

Router(config-subif)# exit

Router(config)# interface hssi6/1/0.2 point-to-point

Router(config-subif)# service-policy output dts-p2p-all-action

Class-Based DTS on Frame Relay Point-to-Point Subinterface Example

In the following example, two classes are created with the match criteria defined by QoS number. Traffic leaving subinterface 6/1/0.5 or 6/1/0.6 with the QoS group number 30 shaped to 800 kbps and traffic leaving the same subinterfaces with the QoS group number 40 shaped is to 1.6 Mbps. For the incoming Frame Relay packet that has the forward explicit congestion notification (FECN) bit on, a backward explicit congestion notification (BECN) message is sent out from the interface. For the outgoing Frame Relay packets that match the QoS group number 40, the shape rate could be further reduced to 800 kbps.

Router(config)# class-map class3

Router(config-cmap)# match qos-group 30

Router(config-cmap)# exit

Router(config)# class-map class4

Router(config-cmap)# match qos-group 40

Router(config-cmap)# exit

Router(config)# policy-map dts-p2p-class-action

Router(config-pmap)# class class3

Router(config-pmap-c)# shape average 800000

Router(config-pmap-c)# shape fecn-adapt

Router(config-pmap-c)# exit

Router(config-pmap)# class class4

Router(config-pmap-c)# shape average 1600000

Router(config-pmap-c)# shape adaptive 800000

Router(config-pmap-c)# exit

Router(config)# interface serial 6/1/0.5 point-to-point

Router(config-subif)# service-policy output dts-p2p-class-action

Router(config-subif)# exit

Router(config)# interface serial 6/1/0.6 point-to-point

Router(config-subif)# service-policy output dts-p2p-class-action

[TheIrish]

In realtà quello che serve non è un proxy, ma questo: http://www.ipp2p.org/ che non è altro che un'estensione di iptables.

Che tipo di proxy Linux e con quale versione?
Avete documentazione a riguardo?

Un

[Wizard]

E' vero, io tenpo fa lo avevo provato in una azienda che aveva un firewall linux basato su IPTable e andava molto bene!