Pix 501 - Restricting outbound (BitTorrent) traffic from a range of IPs

Hi there,

A number of machines behind my Pix 501 are using Bit Torrent, which is seriously impacting upon the speed of other incoming and outgoing traffic.  I'd like to restrict outgoing BitTorrent (port 6881) from all PCs but 'DESKTOP' (, but still allow any other ports to get out successfully so the clients can browse, use messenger etc.
The config below I think is fairly standard - gets an outside IP address from a router (which we don't have access to) and allocates addresses between and to clients connected via a wireless access point that's plugged into the LAN side of the Pix.  There are a couple of rules for incoming traffic, namely port 80, 4899 and 6881 (BitTorrent) which all forward to 'DESKTOP'.

: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pix501
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq 4899
access-list inbound permit tcp any any eq 6881
access-list inbound permit udp any any eq 6881
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface www DESKTOP www netmask 0 0
static (inside,outside) tcp interface 4899 DESKTOP 4899 netmask 0 0
static (inside,outside) tcp interface 6881 DESKTOP 6881 netmask 0 0
static (inside,outside) udp interface 6881 DESKTOP 6881 netmask 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
: end

Any help much appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You need to create an access-list and apply it to the inside interface of the PIX, like such:

access-list inside permit tcp host any eq 6881
access-list inside deny tcp any any eq 6881
access-list inside permit ip any any

access-group inside in interface inside

The list will permit 6881 from, deny it from any other host on the inside network and then permit all other traffic as it is now.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DhopeAuthor Commented:
Hi there,

Sorry for the slow reply.

That went in fine, and it seems to be blocking 6881.  Sorry to shift the question slightly, but many BitTorrent clients will use random ports.  I don't suppose there's any way of the Pix recognising BitTorrent traffic and blocking it, or would it simply be a case of restricting all traffic for ports >10000 for example (as I think that's the range used generally).

If so, could you provide a snippet for blocking a range of ports - just hope I don't have to put in one rule for each port.

DhopeAuthor Commented:
Or failing that, is there any way to limit the bandwidth allocated to DHCP clients?  I have a feeling it's the quantity of connections that's slowing the connection though, so even if they're being turned away it's still slowing the connection before they're still taking the time to be turned away?
If I'm missing the concept though let me know ;)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.