Filtering Cisco VPNs

Discussion in 'OT Technology' started by Jabberwocky, May 16, 2005.

  1. Jabberwocky

    Jabberwocky 06 08 33 35 36

    Joined:
    Jan 24, 2002
    Messages:
    1,140
    Likes Received:
    0
    Location:
    SD, Cali
    I have a problem with my roommates using i2hub and various other P2P's on my internet connection. 25 students at our school just received RIAA subpoenas for i2hub alone.

    They use a Cisco VPN program to dial into our university network, and then use that IP to use the P2P programs. I could just block their IP entirely, but I'd prefer if they kept splitting the internet bill with me.

    My question is, what ports do I block on my router / how do I prevent them from accessing the university network? I've tried a few numbers I've found on google, but the VPN just increments up or down to a different port.
     
  2. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,630
    Likes Received:
    41
    Location:
    Atlanta, GA
    It seems as though a social solution would fix this problem better than a technical one.

    Why not just go tell them that the internet is in your name, and that they will stop using P2P?
     
  3. Jabberwocky

    Jabberwocky 06 08 33 35 36

    Joined:
    Jan 24, 2002
    Messages:
    1,140
    Likes Received:
    0
    Location:
    SD, Cali
    I did. They do it behind my back now, and either I sit down and actually invade their computer to stop this, or port block.
     
  4. perry

    perry burp

    Joined:
    Dec 17, 2001
    Messages:
    6,400
    Likes Received:
    0
    Location:
    Cornfields of Indiana
    I'm having a hard time understanding your setup and what part you are trying to put the restrictions on. I see Cisco VPN, university network, and router.. Heh. I'm confused.
     
  5. R-Type

    R-Type The Bydo Empire must die!

    Joined:
    Aug 2, 2002
    Messages:
    1,049
    Likes Received:
    0
    Location:
    CT
    Block outgoing/incoming GRE to/from their machines via your router. If they're using GRE encapsulation over UDP (a togglable option in the cisco client software), you can try blocking outgoing traffic to port 1723/TCP and port 47/UDP. I 'believe' this is consistent with the cisco client's 'gre over udp' function. Or, if the VPN servers aren't hosting anything else of value (if your school's it dept knows what it's doing, they don't), just block all outgoing packets to those IPs and the VPN clients cannot connect.

    Of course, none of these options would prevent them from using your connection directly. Since most p2p protocols are designed to be easily routable around NATs/firewalls, you're going to have a hard time blocking them with simple portblocking. You would need a layer 4 firewall, which can identify and manipulate different kinds of traffic above the packet level.

    As far as i2hub goes, block outgoing connections on port 411/tcp (just pulled that number from their site)...and make sure you have upnp turned off on your router. Some p2p apps (like soulseek) can use that 'feature' to automatically open the ports on the router as they are needed.
     
  6. kingtoad

    kingtoad OT Supporter

    Joined:
    Sep 2, 2003
    Messages:
    55,924
    Likes Received:
    11
    Location:
    Los Angeles
    The problem with P2P applications like Limewire and such is that those applications "search" for an open port and use that port, even if it's a common port such as port 80.

    In my opinion, set up a linux box that filters incoming and outgoing TCP/IP connections and set up iptables. I have heard from someone that iptables can and will block incoming and outgoing traffic to P2P applications.

    If you do not know how to set up iptables and don't want to go through the additional headache to try to get this done, I highly recommend m0n0wall.

    It's a FreeBSD based firewall that can compete against commercial level firewalls. It's also free, you just have to buy the hardware to throw it on.

    http://www.m0n0.ch/wall/
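    Worked example for the two suggestions above (R-Type's list of what to block, kingtoad's "Linux box with iptables"). This is an added script, not something posted in the thread or shipped by iptables or m0n0wall. It assumes the Linux box is the household router forwarding traffic for the LAN, and it only restricts the roommates' machines, so the rest of the house is untouched. Constructed values: the LAN interface name, the two roommate addresses, and a documentation-range placeholder for the university VPN server (substitute the real one). The i2hub port 411 is the number R-Type quotes. One correction worth building in: GRE is IP protocol 47, so it is matched with `-p 47`, not as a UDP or TCP port. The script prints the rules by default so they can be reviewed, and applies them only when run with `APPLY=1`; each drop is preceded by a LOG rule so blocked attempts show up in the kernel log and can be checked.

```shell
#!/bin/sh
# Added example: per-host iptables FORWARD policy on a Linux router.
# Blocks, for the listed LAN hosts only: GRE (IP protocol 47), any traffic
# to the university VPN server, and i2hub's default TCP port 411.
# All values below are constructed for the example; adjust for your network.

LAN_IF="${LAN_IF:-eth1}"                         # assumed LAN-side interface
P2P_HOSTS="${P2P_HOSTS:-192.168.1.20 192.168.1.21}"   # roommates' machines (constructed)
VPN_SERVERS="${VPN_SERVERS:-203.0.113.10}"       # PLACEHOLDER: university VPN concentrator
I2HUB_PORT=411                                   # port quoted in the thread

# Emit the rules one per line (nothing is executed here).
gen_rules() {
    # A dedicated chain keeps this policy separate from the rest of FORWARD.
    echo "iptables -N P2P_BLOCK"
    echo "iptables -F P2P_BLOCK"
    for host in $P2P_HOSTS; do
        # Only the restricted hosts' outbound traffic enters the chain.
        echo "iptables -A FORWARD -i $LAN_IF -s $host -j P2P_BLOCK"
        # Reply-direction GRE toward the host; -s above covers outbound only.
        echo "iptables -A FORWARD -o $LAN_IF -d $host -p 47 -j DROP"
    done
    # 1. Outbound GRE: protocol 47, not a port number.
    echo "iptables -A P2P_BLOCK -p 47 -j LOG --log-prefix 'P2P_BLOCK gre: '"
    echo "iptables -A P2P_BLOCK -p 47 -j DROP"
    # 2. Anything addressed to the VPN server(s), whatever port the client picks.
    for srv in $VPN_SERVERS; do
        echo "iptables -A P2P_BLOCK -d $srv -j LOG --log-prefix 'P2P_BLOCK vpn: '"
        echo "iptables -A P2P_BLOCK -d $srv -j DROP"
    done
    # 3. i2hub default port. Clients that walk to other ports are not caught by this rule.
    echo "iptables -A P2P_BLOCK -p tcp --dport $I2HUB_PORT -j LOG --log-prefix 'P2P_BLOCK i2hub: '"
    echo "iptables -A P2P_BLOCK -p tcp --dport $I2HUB_PORT -j DROP"
    # Everything else from these hosts continues through FORWARD normally.
    echo "iptables -A P2P_BLOCK -j RETURN"
}

# Run each generated rule (needs root on the router).
apply_rules() {
    gen_rules | while read -r cmd; do
        sh -c "$cmd"
    done
}

# Default is a dry run: print the rules for review. APPLY=1 installs them.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    gen_rules
fi
```

Run it once without `APPLY` to read the rule set, then with `APPLY=1` on the router. Blocked attempts appear in the kernel log with the `P2P_BLOCK` prefix, which is how you confirm the policy is actually catching the VPN and i2hub traffic rather than guessing from port numbers. The rule that drops everything to the VPN server's address is the robust one here: it holds even when the client moves to a different port, which is the behaviour the original post describes.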
     
  7. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    I don't see the problem here. If they are VPN'ing into the school, then going out for P2P from their VPN session, their actions are traceable back to their VPN account, and that is where the subpoena would go, providing your school is dill-hole enough to give that info out to the RIAA/MPAA (a recent court ruling said they don't have to). They, not you, would get in trouble.
     
  8. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Good call.
     
  9. Scoob_13

    Scoob_13 Anything is possible, but the odds are astronomica

    Joined:
    Oct 5, 2001
    Messages:
    73,798
    Likes Received:
    38
    Location:
    Fort Worth. Hooray cowgirls.
    A flat-head screwdriver through their keyboard will usually get the point across.


    Bonus points if they're using laptops.
     
