Need hardware/software solution for Port Blocking

Rtstrider (Gawd, joined Dec 3, 2004, 597 messages)
Here's the deal, the cable company cut us off last night because my roommate has been downloading files from bittorrent, limewire, and all of the likes. I have explained to him in the past, DO NOT DO THIS, IT IS ILLEGAL! He failed to listen to me, and now our internet connection has been cut off from our ISP. I have tried to block his bittorrent ports in the past on my router (Dlink DIR-655) with no luck. I have googled the ports for Bittorrent and Limewire and have been unable to block those ports. I have tried blocking those ports according to his MAC address (seeing as he changes his IP and computer name often). Here's what I'm looking for. I need a software/hardware solution that will block all ports except for the ones I tell it to leave open. This way when bittorrent does its scan for open ports (I believe this is called channeling) it will not find any. I need something that will work in a residential environment, and something that I can set without their knowledge. As far as they would be concerned the only thing they could physically do would be to surf the web. If I had my way with them I would only allow port 8080 for them. Please any help would be greatly appreciated! :)

EDIT: Mods, I hope this is in compliance with this rule (18): You will not discuss, suggest, engage, or encourage any ILLEGAL ACTIVITIES. Links provided to locations that deal with any such activity are also expressly forbidden.

If not then I apologize in advance
 
There's nothing wrong with your post, you are trying to PREVENT illegal activity, so that is not a problem.

What you need to do is configure a default block rule for all outbound traffic, then only open/pass traffic on the ports you really need.

Here's a good starting point on the outbound ports to pass:

Proto   Source  SrcPort  Dest  DstPort  Description
UDP     *       *        *     53       (DNS) dns
TCP     *       *        *     80       (HTTP) http
TCP     *       *        *     443      (HTTPS) https
UDP     *       *        *     123      ntp
TCP/UDP *       *        *     1755     media player
TCP     *       *        *     5190     aim
TCP     *       *        *     25       (SMTP) smtp
TCP     *       *        *     110      (POP3) pop3
TCP     *       *        *     3389     rdp
GRE     *       *        *     *        pptp
TCP     *       *        *     1723     pptp
UDP     *       *        *     500      ike
UDP     *       *        *     4500     ipsec
TCP     *       *        *     21       (FTP) ftp
ICMP    *       *        *     *        ICMP
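An added example (not code from the thread or from any router firmware) that turns the allow-list above into a default-deny ruleset for the FORWARD chain of a Linux router in iptables-restore format: everything from the LAN is dropped unless it matches one of the listed destination ports, and only replies to those permitted connections come back in. The interface names eth0/eth1 are assumptions.

```python
# Added example: build a default-deny iptables-restore ruleset from the
# reply's allow-list. Rows mirror the table above: proto, dst port, comment.
ALLOW_LIST = [
    ("UDP", 53, "dns"), ("TCP", 80, "http"), ("TCP", 443, "https"),
    ("UDP", 123, "ntp"), ("TCP/UDP", 1755, "media player"),
    ("TCP", 5190, "aim"), ("TCP", 25, "smtp"), ("TCP", 110, "pop3"),
    ("TCP", 3389, "rdp"), ("GRE", None, "pptp"), ("TCP", 1723, "pptp"),
    ("UDP", 500, "ike"), ("UDP", 4500, "ipsec"), ("TCP", 21, "ftp"),
    ("ICMP", None, "icmp"),
]

LAN_IF = "eth1"  # assumed: LAN side of the router
WAN_IF = "eth0"  # assumed: cable-modem side


def build_rules(allow_list=ALLOW_LIST, lan=LAN_IF, wan=WAN_IF):
    """Return iptables-restore lines: FORWARD policy DROP, then pass only the
    listed outbound ports (a TCP/UDP row becomes one rule per protocol;
    GRE and ICMP carry no port) plus replies to permitted connections."""
    rules = [
        "*filter",
        ":FORWARD DROP [0:0]",
        # Let answers to already-permitted outbound connections back in.
        f"-A FORWARD -i {wan} -o {lan} -m conntrack "
        "--ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port, comment in allow_list:
        for p in proto.lower().split("/"):
            rule = f"-A FORWARD -i {lan} -o {wan} -p {p}"
            if port is not None:
                rule += f" --dport {port}"
            rules.append(f'{rule} -m comment --comment "{comment}" -j ACCEPT')
    rules.append("COMMIT")
    return rules


if __name__ == "__main__":
    # Feed the output to `iptables-restore` on the router to apply it.
    print("\n".join(build_rules()))
```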
 
The only issue with port blocking to prevent P2P is that most P2P apps today will happily run over virtually any port they find open, 80, 23, whatever. The only way to stop him via port blocking is to just pull his cable essentially. What you need to look for is an IDS solution like SNORT + guardian, or some other application. What does your router consist of, linux box, windows box, hardware?

You're not the only one with an issue like this sadly... I've been yelling at someone on my network about their P2P usage and eventually set up a SNORT + modified guardian that will block an IP entirely from the Internet for a certain duration whenever snort detected any P2P usage (pretty reliable). This has been pretty successful in training him not to use P2P apps unless he wants to be without Internet access for a few hours.

Edit: I see you mentioned a Dlink router... you're probably SOL without buying additional hardware (something that can be modified to run linux perhaps?) or replacing it with a linux/windows router (I'm assuming Windows has something equivalent... my experience with blocking P2P is limited to *nix-based solutions.)
 
I will def have to check out the SNORT + Guardian solution.

EDIT: Unfortunately I'm horrible with linux, yes I do have distros laying around, but I HATE (am reluctant to change) Linux. I'm a M$ kind of guy. Are there any M$ OSes/apps I could use to effectively do the same thing?
 
Also are there any gigabit wireless routers out there that have more security features than my current dlink?
 

Linksys WRT350N running DD-WRT. Just bought one and got it set up a couple days ago. This thing is a beast compared to my old WRT54G. DD-WRT may not be the simplest to use, but once you figure things out by searching their wiki/forums, I'll bet you can find that someone has already done exactly what you want.

Edit:
The access restrictions page on my dd-wrt setup has a checkbox under blocked services for "catch all P2P protocols". Can't tell you how well it works, though.
 
Once you have Internet access back, I'd just cut the roommate off from Internet access from any machine through the connection you are currently using. It's the same access they have right now.

No change in situation for them. If they NEED Internet access, they can get their own. Maybe you are in a cellular area and they can get cell based net access through EDGE or 3G service. No traffic blocking worries at all then.

If that's not good enough, get an el cheapo Windows XP box. Lock its configuration down using Windows Steady State (http://www.microsoft.com/windows/products/winfamily/sharedaccess/seeit/internetcafe.mspx), remove the CD and/or floppy drive, fill the USB ports with superglue or clip the traces at the motherboard to keep it from booting from anything other than the internal hard drive, lock the case, and set a BIOS password. Only give them Internet access from there.

The DIR-655 has about as good a feature set as you are going to get from a SOHO consumer router without running alternative firmware. Of course, no matter what you implement, if it isn't physically secure from them making modifications, all they have to do is wait for you to leave to plug their workstation directly into your cable modem while you are away...

Digital security begins with good physical security.
 
Good point, I'll call the ISP this afternoon and see if they can turn on MAC filtering to only allow my router's MAC internet access.
 
Get an old box with 2 NICs.
Install ClarkConnect.
Give everyone static IPs.
Turn on IPP2P.
Block ALL file sharing traffic on his IP.
STOP FORWARDING THE BITTORRENT PORT HE NEEDS!!!
Profit.

(This cheap stab at Geek Haiku brought to you by a bored Friday afternoon. :p)

IPP2P shapes the traffic; basically, it looks for patterns in the streams that would be indicative of BitTorrent, Limewire, or a dozen other programs, and shuts that traffic down.
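An added example (not code from the thread, from IPP2P or from Snort) of the content-based check that IPP2P and the Snort + guardian setup mentioned earlier rely on, and that the earlier reply's point needs: the sample flows below run over ports 80 and 443, so a port allow-list passes them, yet the first bytes of the stream identify them as BitTorrent. The BitTorrent peer handshake prefix and tracker announce request are the protocol's public wire formats; the LAN host and the flows themselves are constructed.

```python
# Added example: classify a stream by its leading payload bytes, not by port,
# the way IPP2P/Snort signatures do, then list the LAN hosts that produced hits.
import re
from typing import Optional

# BitTorrent peer handshake: 1-byte length (19), "BitTorrent protocol",
# 8 reserved bytes, 20-byte info_hash, 20-byte peer_id = 68 bytes in total.
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
# HTTP tracker announce: GET .../announce?...info_hash=...
TRACKER_ANNOUNCE = re.compile(rb"^GET /[^ \r\n]*announce\?[^ \r\n]*info_hash=", re.I)


def classify_payload(payload: bytes) -> Optional[str]:
    """Return a label if the start of a TCP stream looks like BitTorrent,
    whatever destination port the stream uses; None for anything else."""
    if payload.startswith(HANDSHAKE_PREFIX) and len(payload) >= 68:
        info_hash = payload[28:48].hex()
        return f"bittorrent-peer-handshake info_hash={info_hash}"
    if TRACKER_ANNOUNCE.match(payload):
        return "bittorrent-tracker-announce"
    return None


# Constructed flows: (LAN client ip, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("192.168.0.23", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.168.0.23", 80,  # peer handshake squeezed through the "web" port
     HANDSHAKE_PREFIX + b"\x00" * 8 + b"\xab" * 20 + b"-XX0001-" + b"\x00" * 12),
    ("192.168.0.23", 443,  # plaintext tracker request on the "https" port
     b"GET /announce?info_hash=%ab%ab&peer_id=x HTTP/1.1\r\nHost: t.example\r\n\r\n"),
]


def offenders(flows):
    """Map each LAN host that produced P2P traffic to the hits seen, i.e. the
    hosts a guardian-style script would cut off for a while."""
    hits = {}
    for ip, port, payload in flows:
        label = classify_payload(payload)
        if label:
            hits.setdefault(ip, []).append(f"dport={port} {label}")
    return hits


if __name__ == "__main__":
    for ip, labels in offenders(SAMPLE_FLOWS).items():
        print(ip, *labels, sep="\n  ")
```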
 