How to block Instant Messaging (Yahoo, AIM, etc.)?

Jan 31st, 2005

Since some of these are web implementations, it seems difficult to block them. Will this be easier in the PIX 7.0 code?

aftermath Mon, 01/31/2005 - 15:08

I have felt your pain.

The troublesome issue about blocking the IMs is that a couple of them, like Yahoo, will attempt to use port 80 if their own default port is blocked. Skype uses 443 as well.

I have provided some information that can help you resolve these issues. This is an extensive list, but it covers almost all known IMs.

HTH....

BLOCKING IM's

--------------------------------------------------------------------------------

Yahoo Messenger uses these ports:

Voice Chat: 5000-5001
Messages: 5050
Webcams: 5100
Games: 11999
MS Netshow: 1755
MSN Messenger: 1863
AOL IM: 5190
Kazaa: 1214

[0003]
Type=TCP
Translation=NORMAL
Port=3000

AIM Talk
OUT TCP 4099
IN TCP 5190

CuSeeMe
OUT UDP 24032
IN UDP 1414 [use H.323 protocol if available]
IN UDP 1424 [use H.323 protocol if available]
IN TCP 1503
IN TCP 1720 [use H.323 protocol if available]
IN UDP 1812 1813
IN TCP 7640
IN TCP 7642
IN UDP 7648
IN TCP 7648
IN TCP 7649 7649
IN UDP 24032
IN UDP 56800
OUT UDP 1414 [use H.323 protocol if available]
OUT UDP 1424 [use H.323 protocol if available]
OUT TCP 1503
OUT TCP 1720 [use H.323 protocol if available]
OUT UDP 1812 1813
OUT TCP 7640
OUT TCP 7642
OUT UDP 7648
OUT TCP 7648

ICQ
OUT UDP 4000
IN TCP 20000 20019 for one user
OR
IN TCP 20000 20039 for two users
OR
IN TCP 20000 20059 for three users, etc.

ICUII Client
OUT TCP 2019
IN TCP 2000 2038
IN TCP 2050 2051
IN TCP 2069
IN TCP 2085
IN TCP 3010 3030
OUT TCP 2000 2038
OUT TCP 2050 2051
OUT TCP 2069
OUT TCP 2085
OUT TCP 3010 3030

ICUII Client (Version 4.xx)
IN TCP 1024 - 5000
IN TCP 2000 - 2038
IN TCP 2050 - 2051
IN TCP 2069
IN TCP 2085
IN TCP 3010 - 3030
IN TCP 6700 - 6702
IN TCP 6880
IN UDP 12000 - 16090

mIRC DCC / IRC DCC
IN TCP 1024 - 5000

mIRC Chat (the IRC port is usually 6667)
IN TCP 6660 - 6669

mIRC IDENT
IN UDP 113

MSN Messenger
NOTE: Ports 6891-6900 enable file send; port 6901 is for voice communications. Allows voice, PC to phone, messages, and full file transfer capabilities.
IN TCP 6891 - 6900
IN TCP 1863
IN UDP 1863
IN UDP 5190
IN UDP 6901
IN TCP 6901

Net2Phone
OUT UDP 6801
IN UDP 6801

PhoneFree
IN UDP 1034 - 1035
IN UDP 9900 - 9901
IN TCP 1034 - 1035
IN TCP 2644
IN TCP 8000
This mapping is needed to hear the audio from the incoming party; outgoing audio would work without it.
** According to PhoneFree, the ports you need open are:
8000 TCP for server access
1034 UDP voice in/out
1035 TCP voice in/out
2644 TCP Personal Communication Center
I found that port range 9900-9901 UDP is also needed but not mentioned at PhoneFree support.
Also shut off any other firewall programs you may have running.
To make PC-to-phone calls, it seems only UDP port 9900 must be opened (the fewer ports open, the better!).

Polycom ViaVideo H.323
IN TCP 3230 - 3235
IN UDP 3230 - 3235

Yahoo Messenger Chat
IN TCP 5000 - 5001

Yahoo Messenger Messages
IN TCP 5050

Yahoo Messenger Webcams
IN TCP 5100

Yahoo Messenger Phone
IN UDP 5055
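The port table in the post above, turned into an added worked example (this is not code from the original post or from Cisco): a small Python script that encodes the client-to-server ports listed for the main IM clients, emits PIX 6.3-style outbound access-list lines for them, and then evaluates a few connection attempts against the result the way the PIX would (first match wins). The access-list name inside_out and the interface name inside are assumptions not found in the thread. The check at the end makes the point the thread keeps returning to: a filter built only from these ports denies tcp/5050 or tcp/1863, but it still permits the same client once it falls back to tcp/80 or tcp/443.

```python
"""Added example (not from the original post or Cisco): generate PIX 6.3-style
outbound deny rules from the IM port table above and model their effect.

Assumptions (not in the post): the access-list is named inside_out and is
applied inbound on the 'inside' interface, which on a PIX filters traffic
leaving the LAN.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    app: str
    proto: str  # "tcp" or "udp"
    lo: int     # first destination port
    hi: int     # last destination port (== lo for a single port)


# Client -> server ports taken from the table in the post (only the IM
# clients the thread is about; the H.323/voice tools are left out).
IM_PORTS = [
    ("Yahoo Messenger voice chat", "tcp", 5000, 5001),
    ("Yahoo Messenger messages", "tcp", 5050, 5050),
    ("Yahoo Messenger webcams", "tcp", 5100, 5100),
    ("Yahoo Messenger phone", "udp", 5055, 5055),
    ("MSN Messenger", "tcp", 1863, 1863),
    ("MSN Messenger", "udp", 1863, 1863),
    ("MSN Messenger file transfer", "tcp", 6891, 6900),
    ("MSN Messenger voice", "udp", 6901, 6901),
    ("AOL IM", "tcp", 5190, 5190),
    ("ICQ", "udp", 4000, 4000),
    ("IRC chat", "tcp", 6660, 6669),
    ("Kazaa", "tcp", 1214, 1214),
]
RULES = [Rule(*row) for row in IM_PORTS]


def pix_acl(rules, acl="inside_out", iface="inside"):
    """Return PIX 6.3-style configuration lines: one deny per table row,
    a final permit so other traffic still flows, and the access-group that
    binds the list to the interface. 'remark' lines carry the app name."""
    lines = []
    for r in rules:
        ports = f"eq {r.lo}" if r.lo == r.hi else f"range {r.lo} {r.hi}"
        lines.append(f"access-list {acl} remark {r.app}")
        lines.append(f"access-list {acl} deny {r.proto} any any {ports}")
    lines.append(f"access-list {acl} permit ip any any")
    lines.append(f"access-group {acl} in interface {iface}")
    return lines


def decision(rules, proto, dport):
    """First-match evaluation, as the PIX does: return ('deny', app) for the
    first rule covering the destination port, else ('permit', None)."""
    for r in rules:
        if r.proto == proto and r.lo <= dport <= r.hi:
            return ("deny", r.app)
    return ("permit", None)


def coverage_report(rules, attempts):
    """Map each (proto, dport) attempt to the filter's verdict."""
    return {(p, d): decision(rules, p, d)[0] for p, d in attempts}


# Constructed connection attempts: the clients' default ports, then the
# HTTP/HTTPS fallbacks the post warns about.
ATTEMPTS = [("tcp", 5050), ("tcp", 1863), ("tcp", 5190),
            ("tcp", 80), ("tcp", 443)]

if __name__ == "__main__":
    print("\n".join(pix_acl(RULES)))
    print()
    for (proto, port), verdict in coverage_report(RULES, ATTEMPTS).items():
        print(f"{proto}/{port:<4} -> {verdict}")
    # tcp/80 and tcp/443 come back 'permit': a port ACL alone cannot stop a
    # client that falls back to the web ports.
```

Paste the generated lines into a PIX configuration only after checking them against your own interface and ACL names; the generator is deliberately dumb (one deny per table row, no address scoping) so that it is easy to read and adapt.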

hernacar Mon, 01/31/2005 - 16:04

Thank you, aftermath! I'm hoping that in the new release of PIX 7.0 there will be some fixups that'll take care of this.

jackko Tue, 02/01/2005 - 16:12

You may manipulate the DNS records by pointing those domains/URLs to a fake IP address.

However, it only works if your company hasn't got many IT staff, since it can be overcome by adding a local hosts entry.

tony_ecmyy Tue, 02/01/2005 - 17:47

Hi,

It's not easy to block MSN Messenger unless port 80 is also blocked.

Somebody suggested I block messenger.msn.com, but nothing happened.

How can this messenger be blocked effectively without blocking port 80?

Thanks

Tonny

Krystian9 Wed, 02/02/2005 - 01:16

I would not bet my money on this.

Cisco has another product (NBAR) which is designed to block such protocols.

aftermath Wed, 02/02/2005 - 05:48

Hi Again,

Blocking the respective IM ports will keep the IMs from using those ports. However, IMs like Yahoo and AOL will also SEARCH for other ports to use if their respective default ports have been blocked.

NBAR, as previously suggested, will take care of those issues. I have supplied the link for you as well.

HTH

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cd0.html

Posted January 31, 2005 at 1:10 PM