We help IT Professionals succeed at work.

Blocking WOW ports with a Linksys WRT54G running Firmware v4.30.5

JackWooten
JackWooten asked
on
Medium Priority
8,015 Views
Last Modified: 2011-08-18
I am managing access for a WLAN.  Our user agreement states that the main purpose for the WLAN is for email, IM, and Webcams as it is for deployed soldiers.

I am having issues with soldiers abusing the network by downloading large files from iTunes and playing online games like World of Warcraft.

Is there a way for me to block this traffic without blocking the computer?  Please advise.

Jack.
Comment
Watch Question

Yes, Just restict all the ports that those games use, or block port 80 and set only one pc to use port 80 and make that pc a proxy server and have everyone point there local internet explorer to that proxy.
use websense it has great filtering features.
Im sure there is a feature to only allow one pc internet access then just redirect everyone to that pc's proxy
Have you already blocked port 3724 for WoW traffic?

Author

Commented:
Sorry to ask the rediculously easy question... but I thought all ports other than standard were blocked by default.  The admin screen seems to only allow you to opt in ports... not opt out.

So, how do you block the port through the admin?
Rich RumbleSecurity Samurai
CERTIFIED EXPERT
Top Expert 2006

Commented:
Some firewalls can block IP's as well as DNS names, if you can find a list of the WOW ip's or DNS names it would be easy to block. You can block iTunes by blocking apple.com or these ip's
[whois.arin.net]
OrgName:    Apple Computer, Inc.
OrgID:      APPLEC-3
Address:    20740 Valley Green Drive, MS32E
City:       Cupertino
StateProv:  CA
PostalCode: 95014
Country:    US
NetRange:   17.0.0.0 - 17.255.255.255     (the subnet mask would be, 17.0.0.0 / 255.0.0.0 or for some firewalls the reverse, 0.255.255.255)
CIDR:       17.0.0.0/8
NetName:    APPLE-WWNET

There are however several sources that sell iTunes, so blocking apple.com won't block them all. This can be a real up hill battle, so I'd suggest implementing systems to alert you to the offenses and take action against the user as soon as a violation occurs. There are many ways to do this, some simpler than others. You can throttle the BW allocated to each PC using Traffic Shaping: http://en.wikipedia.org/wiki/Traffic_shaping
Monitoring useage with tools like Cacti, Ntop. Cacti has a plugin that can send pages or emails when a certain threshold has been exceeded, and ntop can simply compile a real-time report on current usage and break down the traffic by popular protocols.
http://www.ntop.org/overview.html (here is a win32 port) http://www.openxtra.co.uk/freestuff/ntop-xtra.php
http://cacti.net/  http://cactiusers.org/downloads/ (it's called Thold)
-rich
You should be able to restrict traffic on that port by clicking "access restrictions" and configuring a DENY rule (probably for all traffic) and then an ALLOW rule for traffic you want to let through (like port 80).

Or, you can just selectively deny access on port 3724 if all you want to block is WoW.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
Got it.

Does anyone know what ports have to be blocked to restricted file downloads from iTunes?  I know this sounds overly restrictive... but we are fighting an up hill battle here for bandwidth.
Richrumble has a correct but possibly hard to implement answer to blocking iTunes traffic (you might want to give him some credit too).

Your router doesn't support DNS redirection as far as I know.  It does offer QoS, or "traffic shaping", which means you could give bandwidth priority to certain services (like video conferencing, for example).

Or, if you have control over your users' computers, you can edit their hosts files to block DNS, as outlined in this article:
http://www.teamonetickets.com/software/how-to-block-itunes-radio-streams.html

Rich is right that there are LOTS of sources for iTunes music so it's hard to block.  To get serious, you should consider a monitoring tool (I personally use ntop, cacti sounds pretty cool too).

If you want to take a chance on messing with your router(!), you could check out the OpenWRT project.  Basically this is a firmware replacement for your Linksys router that could give you extra features.  See if your router is compatible here (pay attention to version number for the WRT54G):
http://wiki.openwrt.org/TableOfHardware?action=show&redirect=toh

It does allow advanced features like hosting a mini DNS on it (http://wiki.openwrt.org/OpenWrtDocs/dnsmasq) and QoS (http://wiki.openwrt.org/MiniHowtos/QoSHowto).  However it's a labor intensive project, so if you're not very comfy with Linux I wouldn't recommend it.
Rich RumbleSecurity Samurai
CERTIFIED EXPERT
Top Expert 2006

Commented:
I've sniffed Itunes traffic and it all depends where you DL from, some send files FTP (port 21) some port 80, most however use HttpS (SSL 443)... all of which are very common and unless you are blocking those ports from specific ip's or ranges... you'll block alot of legit traffic as well. Monitoring is great, traffic shaping is awesome when you have a good set of criteria to go by. You'll need to do some testing and trending to see what values to use for your traffic shaping, and sometimes you can use traffic shaping rules that allow you to use different settings for different traffic.
-rich

Author

Commented:
Thank you for the comments... I am learning as I go and you have both given me much to think and act on

Jack.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.