restricting traffic through router



limepile
08-03-2008, 06:40 AM
Good morning,
I have a smart teenager who has found P2P sharing and I want to prevent this. I cannot change any settings on his computer as he'll just change them right back, so I think my best bet is to restrict traffic through the router, but I don't want to stop my wife or myself from using the net in any way.
We have a Dynalink 4-port router, all run XP SP2, and have assigned IP addresses.
I'm guessing that I need to filter the ports available and my router gives me the choice of port ranges to allow or stop. I think allowing a certain range would be the easiest option, but what range? He needs to be able to browse the net for homework etc...
Thanks in advance.

Speedy Gonzales
08-03-2008, 07:06 AM
Can't QOS, if the router supports it, do this??

Don't ask me how, I don't use QOS or P2P programs.

Or uninstall the P2P program. That'll fix it :badpc:

Or put SP2 on it, if it's got XP on it, that'll slow it down.

The only thing you'll get is viruses etc in the end.

limepile
08-03-2008, 07:21 AM
QOS seems to be about voip, the p2p program will be reinstalled before I can finish my cup of tea!

Speedy Gonzales
08-03-2008, 07:31 AM
Well, whose PC is he using? Is it his or yours??

If it's his, don't put it on the net; if it's yours, don't put any P2P programs on it.

Easy as that. Otherwise, make a guest account and chuck him on it. Then he won't be installing anything.

Ask him who's going to fix it, if it gets infected??

Will you fix it?

Will he know how to fix it?

limepile
08-03-2008, 08:07 AM
My router offers these options:
allow traffic y/n
protocol (drop down menu): tcp, udp, icmp, ah, esp, gre, All, user defined
source ip
destination ip (which will be his assigned ip)
port range

I think the port range is my solution. I'm looking on google but so far no luck, for an adequate range, he'll need to access g-mail and wikipedia etc, do these all fall in the 0-200 port range, or is that too narrow?
And what is the difference between tcp and udp?

Speedy Gonzales
08-03-2008, 08:09 AM
Well, you'll have to find out what ports this P2P program uses.

Only thing is, if you block them, it won't work at all.

There's no point in having it installed.

limepile
08-03-2008, 08:26 AM
Exactly.

Speedy Gonzales
08-03-2008, 08:33 AM
The ports for it should be in its options (in the P2P program) somewhere. And it should say whether they're TCP or UDP.

If he won't let you near the PC lol, go to the site, and see what the ports are. And add them to the router.

And change the password in the router to something else (just don't forget it)!

So he can't change it or delete the ports you added.

It shouldn't affect anything else (file sharing / the net) at all.

Well in theory that is. Unless someone is using another program, that uses exactly the same TCP or UDP ports as this P2P program.

Only thing is, he may download / try another P2P program.

And this may not use the same ports.

Speedy Gonzales
08-03-2008, 08:50 AM
And you may be able to change the ports in the program to something else.

So, even if you add what's in the program now, to the router.

If the ports can be changed, you'll have to add the new ports to the router.

And this could take forever, if he keeps changing the ports.

2 ways of fixing it, uninstall the program, or remove him from the network.

Too bad if he needs the net for homework, tell him to get his own line / net access. And pay for it.

If he insists on using P2P programs.

If you're paying for it, you decide what gets used on it, not him.

limepile
08-03-2008, 09:25 AM
You and I sound so alike! My wife lets him have free rein on the net, this I disagree with strongly and many many arguments have been caused by this.
My solution so far today has been to configure the router's firewall to restrict traffic in both tcp and udp to ports 20-200 as most p2p software randomises ports and I'd be here till I die trying to catch the correct port. Now I need to see if he can connect, naturally I will deny all knowledge of his lack of access, thanks for your help Speedy, sometimes it's enough to just bounce ideas off of someone.

Speedy Gonzales
08-03-2008, 09:46 AM
Well if it gets infected get the wife to fix it!

We'll see what she says after that!

What P2P program is he using at the mo??

Do you know??

What's the model of your Dynalink router?

Does your router have an entry for apps like P2P programs?

And are there any P2P programs listed?? If there are, delete them.

Like on this router (Dlink G604T), there's an apps option under advanced / virtual server.

ughnz
08-03-2008, 09:52 AM
QOS is not just for VOIP. If the router supports port based QOS then just enable it for the port he is connected to and set the required limit.

Other option is to use the likes of IPCOP with layer 7 filtering.

wainuitech
08-03-2008, 10:11 AM
Port blocking sometimes won't work - Lots of the P2P programs these days generate random ports and it's a nightmare trying to block them all.

I have been using IMLock (http://www.comvigo.com/buynow/index.php?app=ccp0&ns=display&ref=splash&sid=5pdp1dms69vk4156a7175cm5a8v2s2wd) - It's not free, but the professional version is great (look at the features list on the left of the site) - the home version blocks many things, but the professional is needed to block P2P programs.

It comes preloaded with many, but you can also add in your own programs to block.
It simply stops the program from running - it can block many things that cause problems - including specific websites - the site closes and won't open.

My son LOVES playing on Runescape - I have installed this program on his and my wife's PC (he plays it on that too). SO FAR I have only had to activate the site block once as he won't do his homework sometimes or get off of it, the program can be scheduled to allow/disallow at certain times, can be deactivated or activated at your will.

It's password protected so any settings require a password to change.

AND the good thing about it is it's not shown in the add/remove programs - so you can't simply uninstall it.

NOTE: Has a 7 day trial - sometimes just the knowledge that you WILL stop them if they don't listen is enough to slow it down.

bob_doe_nz
08-03-2008, 10:21 AM
> Port blocking sometimes won't work - Lots of the P2P programs these days generate random ports and it's a nightmare trying to block them all.

Really?
At home I just block all but ports 80 (http) and 443 (ssh), works a treat.

That and keyword blocking.

wainuitech
08-03-2008, 10:29 AM
> Really?
> At home I just block all but ports 80 (http) and 443 (ssh), works a treat.
>
> That and keyword blocking.

Yes really!

I set the ports to block certain things and the programs simply looked for open ports - and found them.

Keyword blocking will knock out MANY items for homework / general use as well.

I'm also running servers that need remote access along with many other things - many programs use more than the standard ports you mention.

Being a tech I can easily configure the ports - but remember who you are dealing with on this site - NON tech people simply wanting help - most of the time. Setting the router is easy to bypass - even pass worded.
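
The following is an added example and not part of any post in this thread: a small Python model of a default-deny port-range filter, comparing the 20-200 range and the 80/443-only allow list mentioned above against constructed flows. It assumes the router matches on the remote (server-side) port of connections made by the restricted PC; the rule layout, policy names and flows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp", "udp" or "all"
    lo: int     # first allowed remote port
    hi: int     # last allowed remote port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("all", proto) and self.lo <= port <= self.hi

def allowed(rules, proto, port):
    """Default deny: a flow passes only if an allow rule matches it."""
    return any(r.matches(proto, port) for r in rules)

# Policies mentioned in the thread (rule layout is an assumption).
RANGE_20_200 = [Rule("tcp", 20, 200), Rule("udp", 20, 200)]
WEB_ONLY = [Rule("tcp", 80, 80), Rule("tcp", 443, 443)]
WEB_PLUS_DNS = WEB_ONLY + [Rule("udp", 53, 53)]

# Constructed flows from the restricted PC: (label, protocol, remote port).
# If the router itself answers DNS for the LAN, the DNS flow never crosses
# the filter; it matters only when the PC uses an outside resolver.
FLOWS = [
    ("dns", "udp", 53),
    ("http", "tcp", 80),
    ("https", "tcp", 443),
    ("p2p-high-tcp", "tcp", 50000),
    ("p2p-high-udp", "udp", 50000),
    ("non-web-app-on-80", "tcp", 80),
]

def evaluate(rules):
    """Map each constructed flow label to True (allowed) or False (dropped)."""
    return {label: allowed(rules, proto, port) for label, proto, port in FLOWS}

if __name__ == "__main__":
    policies = {"20-200": RANGE_20_200, "80/443 only": WEB_ONLY,
                "80/443 + DNS": WEB_PLUS_DNS}
    for name, rules in policies.items():
        print(name)
        for label, ok in evaluate(rules).items():
            print(f"  {'ALLOW' if ok else 'DROP':5} {label}")
```

Under these assumptions the 20-200 range drops HTTPS on TCP 443, and no port rule can tell a web browser from another program that talks to remote port 80, which is the gap the layer 7 filtering suggestions in this thread are aimed at.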

ughnz
08-03-2008, 11:29 AM
> Being a tech I can easily configure the ports - but remember who you are dealing with on this site - NON tech people simply wanting help - most of the time. Setting the router is easy to bypass - even pass worded.

Very hard to bypass layer 7 filtering, even if you encrypt the payload, more so if you combine with snort and traffic sensing.

Even though IPCOP is not simple for non-technical people it is simple enough to use and configure with lots of howto guides with lots of screen shots to boot.

wainuitech
08-03-2008, 11:32 AM
So instead of rubbishing other people's suggestions on simple to use solutions -

Tell this person how to do it, or point people in the right direction with links etc.

Saying there's plenty of articles is a useless lead, most people will have looked as this poster has and can't find what he wants, making comments without providing actual help is pointless - about as good as the winning lotto numbers for last week.

ughnz
08-03-2008, 11:50 AM
> So instead of rubbishing other people's suggestions on simple to use solutions -
>
> Tell this person how to do it, or point people in the right direction with links etc.
>
> Saying there's plenty of articles is a useless lead, most people will have looked as this poster has and can't find what he wants, making comments without providing actual help is pointless - about as good as the winning lotto numbers for last week.

Good place to start is www.ipcop.org

Also was not rubbishing the suggestions, just commenting on the issue of how easy it is to bypass some of the common port blocking solutions you can do with a basic router, my bad on the quote.

IPCOP and other standalone firewall solutions do give you a lot of control over the internet connection and can be very good if you want to control children's access without affecting your own too much.

But I cannot help echo comments made by others in the many other threads that have come up on this issue that education and trust can be a very effective method of restricting internet access :)

wainuitech
08-03-2008, 12:17 PM
> Good place to start is www.ipcop.org
>
> Also was not rubbishing the suggestions, just commenting on the issue of how easy it is to bypass some of the common port blocking solutions you can do with a basic router, my bad on the quote.
>
> IPCOP and other standalone firewall solutions do give you a lot of control over the internet connection and can be very good if you want to control children's access without affecting your own too much.
>
> But I cannot help echo comments made by others in the many other threads that have come up on this issue that education and trust can be a very effective method of restricting Internet access :)

Totally agree :thumbs: - biggest problem is you can't watch them 24/7 and if they "don't listen / learn" that's when "effective measures" have to be put in place.

Had that yesterday from a parent whose son was downloading through P2P - he thought it was a great joke until they asked me to do two things -

1. Completely lock out the Internet till Tuesday next week - password it and don't want to know what the password is - and return on Tuesday to unlock it again.

I put in that IMLock as linked in Post# 13 (Trial), allowed the Emails and that's all.

It's set to allow the connection to the Internet again at 4 pm Tuesday, so in case I can't get there on Tuesday the internet will go again as the parents requested.

2. He was paying for the repairs / my time :eek:

Can you guess the look on his face?

Speedy Gonzales
08-03-2008, 12:23 PM
Some parents are just too kind / lenient on their kids. When they use the net.

Either deal with it now (if they use P2P programs), uninstall the program or remove the kid/s. Simple as that.

Or suffer later, when all their computers are filled with malware and everything else. It's a bit too late saying duh, why is my pc infected, after it happens.

And then blame the kid, it's the parents' fault for being too lenient, and not getting rid of the program, in the 1st place.

It's a known fact that any P2P program can screw a system up, if you don't know what you're getting / or doing, and if you don't scan whatever, BEFORE you use it / install it.

They've only got themselves to blame.

You give in to kids when they're young, they'll expect the same thing, when they're older. And if they don't get it / their way, they'll pack a sad. I know. Seen it happen around here, not with myself, but with other people.

Then you'll be sorry / regret it.

gary67
08-03-2008, 12:42 PM
So true Speedy, my stepson has his own laptop and although he connects through our router I put ZoneAlarm on mine and my wife's PCs so that I could lock him out of infecting us too. So far he's been good and does not use P2P, but being 14 I just know he will get into it soon, then I might look at WT's IMLock.

beeswax34
08-03-2008, 01:19 PM
Seriously, just use QOS on your router (if you have these settings) and put the offending PC on such a low bandwidth allowance that it will take him a month to download a simple .txt file.

It's all nice to use professional programs and try to guess which ports to block but just slow a computer down. This generation has no patience :D

dirtbag
08-03-2008, 02:00 PM
I have the same problem, but with a brother of mine, so I can't rain parental fire all over his parade. An older computer running XP, with pfsense in a vmware server instance (pfsense and vmware are free) solves the problem nicely. I have squid logging to check out http downloads, and bandwidthd checking download amounts to IPs. And then it's traffic shaping activated with a very easy to use wizard. I have http/ftp/gaming/voip/imap/pop/ssh at the highest they can go, and everything else at the lowest, so it doesn't matter what p2p program, what port, what encryption etc. it will come in under "other" and be highly limited if/when anything else wants to get through.

The traffic shaping is only really there to allow http/gaming traffic not grind to a standstill when he is downloading. Me asking him to stop during "peak" hours nicely worked better than any traffic shaping.
Programs like uTorrent are extremely resilient, and can run with ports blocked, just a little slower.

ice
08-03-2008, 04:27 PM
Best way to solve his/your wife's/your problem,
spend a few minutes - take one for the team,

go on his computer, access some pornography sites. Leave traces of such material maybe on his hard drive, leave traces in his internet browsing history.

"Stumble" across the offending material while looking for a file you think you may have left on his computer...

Tell the wife you found adult material on your son's PC. Your wife probably won't have a word of it. She will agree to ban your kid from the internet and that solves your problem till a due date.

beeswax34
08-03-2008, 04:37 PM
> Best way to solve his/your wife's/your problem,
> spend a few minutes - take one for the team,
>
> go on his computer, access some pornography sites. Leave traces of such material maybe on his hard drive, leave traces in his internet browsing history.
>
> "Stumble" across the offending material while looking for a file you think you may have left on his computer...
>
> Tell the wife you found adult material on your son's PC. Your wife probably won't have a word of it. She will agree to ban your kid from the internet and that solves your problem till a due date.


Yeah, great parental advice. Truth and Honesty all the way huh?

wainuitech
08-03-2008, 05:11 PM
> Yeah, great parental advice. Truth and Honesty all the way huh?

The saying "do what I say not what I do" springs to mind :groan:

This thread must be catching - just got back from a client today wanting me to restrict Porn sites from their computer - seems teenage son has been "Visiting" while mum and dad are in bed at night - somehow he got hold of the Credit card as well - Surprise as to a couple of "Bills" on the card.

Me thinks some oneeesssss in troublllllleeeeee !!