# P2P Port Blocking



## ~Candy~ (Jan 27, 2001)

What ports do I need to block in my router to stop users from accessing P2P downloads, i.e. Limewire, Kazaa, Ares, etc.?


----------



## JohnWill (Oct 19, 2002)

http://pcquest.ciol.com/content/p2p/102091201.asp


----------



## ~Candy~ (Jan 27, 2001)

How do I do that in my router?

That looks foreign to me


----------



## Couriant (Mar 26, 2002)

What router do you have?


----------



## ~Candy~ (Jan 27, 2001)

D-Link DI-524.


----------



## Couriant (Mar 26, 2002)

This may not help, but it should give you a general idea:

http://www.portforward.com/english/routers/port_forwarding/Dlink/DI-524/DI-524index.htm

The link is already set for your router, all you need to do is click on the program and then it should tell you what ports it uses. Since it's been so long since I used a D-Link I am not sure where you need to set the DENY. I think it's in Advanced > Firewall.

Note that some P2P programs will change their ports if they cannot detect them on their 'normal' ports.


----------



## ~Candy~ (Jan 27, 2001)

Ok, thanks, I'll look at it tomorrow....may not be until later in the day, as I have things to do in the morning.


----------



## ~Candy~ (Jan 27, 2001)

No time today, will look tomorrow, all other ideas welcome


----------



## Couriant (Mar 26, 2002)

A proxy server would be another way. I would think you can block sites with keywords.


----------



## JohnWill (Oct 19, 2002)

The proxy server would have to run on the machine, and I suspect the whole point of doing it in the router is to keep it from tampering fingers.


----------



## Tapeuup (Apr 6, 2005)

*WOW! Our fearless leader asking questions!*

These are some that I've blocked.
*Let John double check it but I've had no issues, yep it's poss Tape made a mistake* 

*DENY*

```
# kazaa - fasttrack clones
tcp from any to any 1214
udp from any to any 1214
# edonkey and clones
tcp from any to any 4661-4672
udp from any to any 4661-4672
# winmx and napster
tcp from any to any 6257
udp from any to any 6257
tcp from any to any 6699
udp from any to any 6699
# bittorrent
tcp from any to any 6881-6889
udp from any to any 6881-6889
# gnutella
tcp from any to any 6346
udp from any to any 6346
# eMule is a clone of eDonkey
tcp from any to any 5555
tcp from any to any 4242
tcp from any to any 3306
tcp from any to any 2323
tcp from any to any 6667
tcp from any to any 7778
```

If you want to block p2p and just about any other application that requires a persistent connection to a client machine, do the following:

Set up 2 el cheapo NAT routers (in series). Make them secure (don't set up any virtual servers), close down everything that you don't need. Connect a proxy server to the inside LAN interface and have all of your clients connect to a separate NIC on the Proxy.

Set your servers (that require internet access) up on a different leg of your incoming connection so that they do not go through the double NAT/Proxy Server.

Your users will start to complain that they cannot access streaming audio, and all kinds of other bandwidth robbing appz.
The best way to stop p2p is to limit the bandwidth. The p2p ports I have are limited to 1Kb/s. This way they still connect but don't use up any bandwidth. This method is the only real way to block p2p.


----------
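The throttling idea in the post above (cap the P2P ports at about 1 kbit/s rather than deny them, so clients still connect but get no useful bandwidth) is easy to misjudge without seeing the numbers. The following is an added example, not code from the thread or from any router firmware: a per-destination-port token-bucket policer, the simplest shape of rate limiter. The limit table, the 1400-byte packet size and the packet trace are all constructed for illustration; a real router would queue rather than drop, but the throughput outcome is the same.

```python
# Added example (not from the thread): per-port rate limiting as an
# alternative to outright blocking. Each limited port gets a token bucket;
# unlimited ports pass straight through. The trace is constructed.

class TokenBucket:
    """Bytes-per-second policer: a packet is forwarded only if enough tokens
    have accumulated since the last packet, otherwise it is dropped."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps          # bytes added to the bucket per second
        self.burst = burst_bytes      # bucket capacity
        self.tokens = burst_bytes     # start full
        self.last = 0.0               # time of the last packet seen

    def allow(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class Shaper:
    def __init__(self, limits):
        # limits: {dport: bytes_per_second}; 1 kbit/s is 125 B/s.
        # Burst is sized so a single full-size packet can ever get through.
        self.buckets = {p: TokenBucket(r, max(2 * r, 1500)) for p, r in limits.items()}
        self.sent = {}                # bytes forwarded per destination port

    def handle(self, now, dport, size):
        bucket = self.buckets.get(dport)
        ok = True if bucket is None else bucket.allow(now, size)
        if ok:
            self.sent[dport] = self.sent.get(dport, 0) + size
        return ok


def run_trace(limits, trace):
    """Feed (time, dport, size) packets through a Shaper; return bytes per port."""
    shaper = Shaper(limits)
    for t, port, size in trace:
        shaper.handle(t, port, size)
    return shaper.sent


def sample_trace(seconds=10, every=0.1, size=1400):
    """Constructed trace: a BitTorrent flow on 6881 and a web flow on 80, each
    sending one 1400-byte packet every 100 ms for `seconds` seconds."""
    trace = []
    for i in range(int(seconds / every)):
        t = i * every
        trace.append((t, 6881, size))
        trace.append((t, 80, size))
    return trace


if __name__ == "__main__":
    # Assumed policy: BitTorrent's default port capped at 1 kbit/s, web untouched.
    limits = {6881: 125}
    sent = run_trace(limits, sample_trace())
    for port, nbytes in sorted(sent.items()):
        print(f"port {port}: {nbytes} bytes forwarded in 10 s")
```

With a 125 B/s bucket the first 1400-byte packet on 6881 drains it and the next one cannot be forwarded until about 10 s later, so the flow moves 1400 bytes in the window while the web flow moves 140000. The client keeps its connection and sees no error, which is why this is harder for users to route around than a closed port.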



## StumpedTechy (Jul 7, 2004)

I find pulling the ethernet cable from the cablemodem is pretty effective at stopping P2P


----------



## ~Candy~ (Jan 27, 2001)

JohnWill said:


> The proxy server would have to run on the machine, and I suspect the whole point of doing it in the router is to keep it from tampering fingers.


EXACTLY JW :up: I KNOW you understand


----------



## ~Candy~ (Jan 27, 2001)

StumpedTechy said:


> I find pulling the ethernet cable from the cablemodem is pretty effective at stopping P2P


Unfortunately, that is not an option


----------



## ~Candy~ (Jan 27, 2001)

Tapeuup said:


> *WOW! Our fearless leader asking questions!*
> 
> these are some that I've blocked
> *Let John double check it but I've had no issues, yep it's poss Tape made a mistake*
> ...


Lol @ me having a question 

Would I do this on the special application page of the router settings, or virtual server page?


----------



## StumpedTechy (Jul 7, 2004)

The problem with most P2P applications is they usually will find some unused port and start to use it. This will of course slow down the P2P but it won't stop it 100%. Unless you have them behind some kind of proxy or some kind of lockdown, users can usually configure the client around your port limitations as well.

Out on the web there are numerous posts on this - http://forums.speedguide.net/showthread.php?t=221902 for reference.


----------



## ~Candy~ (Jan 27, 2001)

Well, it hardly seems right that you can't easily block them, when ISPs are sending out emails and/or letters threatening to shut your service down. Maybe the ISPs should be the ones who have to block these programs.


----------



## Tapeuup (Apr 6, 2005)

AcaCandy said:


> Lol @ me having a question
> 
> Would I do this on the special application page of the router settings, or virtual server page?


It will be on your router page, Firewall settings.
*Port triggering*

*Outbound protocol*: you will see TCP&UDP.
*Inbound protocol*: you will see TCP&UDP.
Also, D-Link has online help that explains this within the router settings.


----------



## ~Candy~ (Jan 27, 2001)

Ok, I see the page....didn't look there......if anything, maybe I can keep changing it around to make it less convenient


----------



## ~Candy~ (Jan 27, 2001)

Ok, looking at the page, I need an IP start range? and end range? And should source and destination be LAN or WAN?


----------



## StumpedTechy (Jul 7, 2004)

The thing is, for the ISP to contend with P2P they also have to incur heavy costs to stop it, and thus why most like to send threats to their users first. What's easier? A lawyer who okays a form letter they can send out over and over with a slight modification or 2 depending on the offender, or the thousands of dollars in technicians, network appliances, and infrastructure to deal with P2P apps?

Here you go, here is a good tutorial on D-Link setups -

http://club.cdfreaks.com/showthread.php?t=126288



> Go into your router's web interface through your web browser and go to the Firewall page. On D-Link Wireless routers, click on the 'Advanced' tab and click on 'Firewall' down the left column. It will probably show a list of current default rules.
> 
> Firewalls work by taking a piece of data, going through the rules one by one starting from the top of the list and if it meets a rule that matches the data's port, it decides on what to do with the data based on the rule and does not perform any further rule checks on this data. For example if the outgoing data has a port SMTP (Outgoing E-mail), the firewall looks for either a rule specifically on SMTP, source & destination, or a range of ports that includes SMTP. If it finds one and the source is LAN (internal network) and the destination is WAN (Outside network, i.e. the Internet), then if the rule is 'Allow' the firewall allows the data to pass and does not check the next rule. If the rule is 'Deny', the firewall discards the data without checking any further rules.
> 
> ...


Note the following, though: if you perform it this way, you will have to do an ADD for everything you want users to do on your network.


----------
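The quoted tutorial describes first-match rule evaluation, StumpedTechy notes that clients hop to an unlisted port, and Couriant's later suggestion is to deny everything except the well-known service ports. The following added example (not code from the thread, the tutorial, or D-Link) models exactly that evaluation order and runs the same four constructed flows through a P2P deny-list and through a default-deny policy, so the difference between the two approaches is visible. The rule sets, port numbers and the "hopped" port 51413 are constructed for illustration.

```python
# Added example (not from the thread): a first-match packet filter of the kind
# the quoted D-Link tutorial describes. Rules are checked top-down; the first
# rule whose direction, protocol and port range match decides the packet and
# no later rule is consulted. Two policies are compared on the same traffic.

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: str           # "LAN", "WAN" or "any"
    dst: str
    port_lo: int       # inclusive destination-port range
    port_hi: int
    note: str = ""

    def matches(self, pkt):
        return (self.proto in ("any", pkt["proto"])
                and self.src in ("any", pkt["src"])
                and self.dst in ("any", pkt["dst"])
                and self.port_lo <= pkt["dport"] <= self.port_hi)


def decide(rules, pkt, default="allow"):
    """Return (action, note) of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return default, "default"


def outbound(proto, lo, hi, action="deny", note=""):
    """LAN -> WAN rule covering destination ports lo..hi."""
    return Rule(action, proto, "LAN", "WAN", lo, hi, note)


# Policy 1: deny-list of P2P ports (a subset of the list posted above), default allow.
P2P_DENY = [
    outbound("tcp", 1214, 1214, note="fasttrack"), outbound("udp", 1214, 1214, note="fasttrack"),
    outbound("tcp", 4661, 4672, note="edonkey"),   outbound("udp", 4661, 4672, note="edonkey"),
    outbound("tcp", 6881, 6889, note="bittorrent"), outbound("udp", 6881, 6889, note="bittorrent"),
    outbound("tcp", 6346, 6346, note="gnutella"),  outbound("udp", 6346, 6346, note="gnutella"),
]

# Policy 2: allow only well-known services, then an explicit catch-all deny.
# Every extra service users need has to be ADDed here, as the post above warns.
WELL_KNOWN = [
    outbound("udp", 53, 53, "allow", "dns"),
    outbound("tcp", 80, 80, "allow", "http"),
    outbound("tcp", 443, 443, "allow", "https"),
    outbound("tcp", 25, 25, "allow", "smtp"),
    outbound("tcp", 110, 110, "allow", "pop3"),
    outbound("tcp", 21, 21, "allow", "ftp"),
    Rule("deny", "any", "LAN", "WAN", 0, 65535, "deny-all"),
]


def pkt(proto, dport, src="LAN", dst="WAN"):
    return {"proto": proto, "dport": dport, "src": src, "dst": dst}


def simulate(rules, default="allow"):
    """Constructed traffic: web, a BitTorrent client on its default port, the
    same client after hopping to an unlisted port, and a Gnutella UDP flow."""
    flows = {
        "web":          pkt("tcp", 80),
        "bt_default":   pkt("tcp", 6881),
        "bt_hopped":    pkt("tcp", 51413),   # outside every deny-list range
        "gnutella_udp": pkt("udp", 6346),
    }
    return {name: decide(rules, p, default)[0] for name, p in flows.items()}


if __name__ == "__main__":
    print("deny-list    :", simulate(P2P_DENY))
    print("default-deny :", simulate(WELL_KNOWN, default="deny"))
```

The deny-list stops the flows on their published ports and lets the hopped one through unchanged; the default-deny policy stops it too, at the cost that anything not on the allow list (streaming, games, the next new service) is blocked until someone adds a rule for it.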



## Squashman (Apr 4, 2003)

You could always just keep them from running the program.
http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm

We used a similar program on our Netware network, when I worked for the school district.


----------



## ~Candy~ (Jan 27, 2001)

Squashman said:


> You could always just keep them from running the program.
> http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
> 
> We used a similar program on our Netware network, when I worked for the school district.


Wouldn't that have to be installed on the individual computers though? If so, that isn't an option for me


----------



## Couriant (Mar 26, 2002)

Most likely the firewall page. *EDIT* didn't realize there were more posts 

As to my suggestion, I only thought of it if you have a spare machine to put in between the router and modem. (or router and LAN if you have a switch)


----------



## ~Candy~ (Jan 27, 2001)

Well, I can certainly put MY machine in the middle if there is an easy solution.


----------



## Couriant (Mar 26, 2002)

Well, you can go gung-ho and deny all access to all ports except for the well known ports for web, ftp, and e-mail, and any other ports you need for other services. (I think it was mentioned earlier)


----------



## ~Candy~ (Jan 27, 2001)

Which post?  Remember, this isn't my area of supreme knowledge


----------



## Couriant (Mar 26, 2002)

the post ST has a quote in ( a few posts up).


----------



## ~Candy~ (Jan 27, 2001)

Waaaaahhhhhhhh, no hand holding????


----------



## Tapeuup (Apr 6, 2005)

Candy, are you handling it? It took me a little experimenting, router resetting and a few dirty words to get the hang of it.


----------



## ~Candy~ (Jan 27, 2001)

Haven't been able to try it yet.

Had some electrical problems yesterday (a/c kept blowing breakers) --- and since I had them working here anyway, the plugs behind my desk, which had needed re-wiring for some time now, got re-wired, so that meant moving EVERYTHING off, under and around my desk.

I may not get to test it until after the weekend as I have company arriving Friday, so, other things are taking priority.


----------

