Pix 501 - Restricting outbound (BitTorrent) traffic from a range of IPs
Hi there,
A number of machines behind my Pix 501 are using Bit Torrent, which is seriously impacting upon the speed of other incoming and outgoing traffic. I'd like to restrict outgoing BitTorrent (port 6881) from all PCs but 'DESKTOP' (192.168.0.2), but still allow any other ports to get out successfully so the clients can browse, use messenger etc.
The config below I think is fairly standard - gets an outside IP address from a router (which we don't have access to) and allocates addresses between 192.168.0.10 and 192.168.0.20 to clients connected via a wireless access point that's plugged into the LAN side of the Pix. There are a couple of rules for incoming traffic, namely port 80, 4899 and 6881 (BitTorrent) which all forward to 'DESKTOP'.
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pix501
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.2 DESKTOP
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq 4899
access-list inbound permit tcp any any eq 6881
access-list inbound permit udp any any eq 6881
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface www DESKTOP www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 DESKTOP 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 DESKTOP 6881 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6881 DESKTOP 6881 netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.20 inside
dhcpd dns 194.168.4.100 194.168.8.100
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:9ecea854b24
: end
Any help much appreciated.
A number of machines behind my Pix 501 are using Bit Torrent, which is seriously impacting upon the speed of other incoming and outgoing traffic. I'd like to restrict outgoing BitTorrent (port 6881) from all PCs but 'DESKTOP' (192.168.0.2), but still allow any other ports to get out successfully so the clients can browse, use messenger etc.
The config below I think is fairly standard - gets an outside IP address from a router (which we don't have access to) and allocates addresses between 192.168.0.10 and 192.168.0.20 to clients connected via a wireless access point that's plugged into the LAN side of the Pix. There are a couple of rules for incoming traffic, namely port 80, 4899 and 6881 (BitTorrent) which all forward to 'DESKTOP'.
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pix501
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.2 DESKTOP
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq 4899
access-list inbound permit tcp any any eq 6881
access-list inbound permit udp any any eq 6881
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface www DESKTOP www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 DESKTOP 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 DESKTOP 6881 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6881 DESKTOP 6881 netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.20 inside
dhcpd dns 194.168.4.100 194.168.8.100
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:9ecea854b24
: end
Any help much appreciated.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Or failing that, is there any way to limit the bandwidth allocated to DHCP clients? I have a feeling it's the quantity of connections that's slowing the connection though, so even if they're being turned away it's still slowing the connection before they're still taking the time to be turned away?
If I'm missing the concept though let me know ;)
If I'm missing the concept though let me know ;)
ASKER
Sorry for the slow reply.
That went in fine, and it seems to be blocking 6881. Sorry to shift the question slightly, but many BitTorrent clients will use random ports. I don't suppose there's any way of the Pix recognising BitTorrent traffic and blocking it, or would it simply be a case of restricting all traffic for ports >10000 for example (as I think that's the range used generally).
If so, could you provide a snippet for blocking a range of ports - just hope I don't have to put in one rule for each port.
Thanks