This one should be what you are looking for. Here is a URL which
has NOC numbers as well.
Mike F.
Earthlink NOC
Does anybody know of any good software or way to restrict Internet gaming on
a corporate Network?
What kind of games specifically?
Like online Java games (Bejeweled)? Or games like Quake, Unreal, Tribes
etc?
The latter is much easier, just block all traffic to/from the default
ports which use them. A quick google would yield what they use. I'll
give you a quick hint and say Quake3 is 29760-5 or so and Tribes1/2 is
28000-28005 or so.
- James
I'm unsure of details of your situation, but there are enough types of
games and ways to access them that you will not be able to block them
effectively. In a corporate environment, it's really a management issue and
the most effective way of dealing with it is to set a policy documenting
the punishment of gaming at work and make it really not worth it.
andy
Problem with that is you can spec those ports pretty much at will. This came up
on the focus-ids@securityfocus list last week. Policy is a good place to
start. Make it obvious that your org does not approve of this type of thing.
Then start looking at tcpdump output to find the ports/people, and go from
there.
toddler
They are specifiable on the server side. And most server operators run
on default ports as it is easier to connect. But you are right. An
organization policy of no games is better.
You could maybe also see if a tool like esniff (not free) or tcpdump
(free) would work to track people down.
- James
There was a similar discussion to this one back when I first joined
NANOG - anyways - to repeat my comment from back then..
I work for a healthcare network - for obvious reasons, we don't allow
incoming connections through our firewall. The interesting part is though,
that we also only allow limited access _out_ through our firewall - mainly
because back in the days when we first got the setup, $$$'s for internet
access were scarce, and in order to keep the traffic at reasonable rates
(not to saturate our connection), we had to limit traffic in some way.
The basic setup is disallow all outbound connections, save ports 20-21,
23, 109/110, 80 (with restriction, explanation follows) and 443.
The restrictions on port 80, is done using Checkpoint's HTTP Client Auth
agent - which authenticates through LDAP into NDS (we also restrict what
users are allowed outbound access - not everybody at a hospital needs
internet access).
This setup tends to stop most internet-based games ('cept http-based ones)
- and allows for nice monitoring of the remaining (allowed traffic). (We
log all traffic going through the firewall - And don't give me any grief
about violation of privacy.. big deal.)
"James" <james@james-web.net> writes:
What kind of games specifically?
Like online Java games (Bejeweled)? Or games like Quake, Unreal, Tribes
etc? The latter is much easier, just block all traffic to/from the default
ports which use them. A quick google would yield what they use. I'll
give you a quick hint and say Quake3 is 29760-5 or so and Tribes1/2 is
28000-28005 or so.
Doesn't that cause trouble with occasionally blocking ephemeral ports?
If you're not allowing incoming connections of any kind (including
non-PASV FTP) it shouldn't matter, but blocking ports above 1024
always makes me nervous...
----ScottG.
It would make me nervous too. Plus, I hate when things stop working
because then people call me and I have to talk to them
But if a brand new packet is outbound to 29760, you know it is probably
going to a Half Life server (I think that's the port). So wouldn't it
be wise to deny that? Specifically it would be UDP 29760, not TCP.
Doesn't FTP use TCP when negotiating a connection?
- James
:Doesn't that cause trouble with occasionally blocking ephemeral ports?
:If you're not allowing incoming connections of any kind (including
:non-PASV FTP) it shouldn't matter, but blocking ports above 1024
:always makes me nervous...
That's what "permit tcp any any established" is for.
cheers,
brian
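Two of the suggestions above fit together in one small tool: looking at tcpdump output to find the ports and the people (toddler's and James's replies), and the egress policy that denies new outbound packets to a default game port while "permit tcp any any established" keeps return traffic on ephemeral ports flowing (James's and brian's replies). The script below is an added example, not something anyone in this thread posted: it parses constructed `tcpdump -n` text lines, classifies each packet the way such an access list would, and tallies which internal hosts sent new flows to the game ports quoted in the thread. The watch list of ports is taken from the thread as written and is a hypothetical configuration to be checked against the actual games in your environment; the 10.0.0.0/8 internal range and the sample lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Default game ports exactly as quoted in this thread (hypothetical watch
# list for the example; verify the real defaults before deploying a deny).
GAME_PORTS = set()
GAME_PORTS.update({27015, 27016})        # Half-Life, per the thread
GAME_PORTS.update(range(28000, 28006))   # Tribes 1/2, per the thread
GAME_PORTS.update(range(29760, 29766))   # Quake3, per the thread ("29760-5 or so")

# Assumed corporate address space for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Matches IPv4 TCP/UDP lines in modern `tcpdump -n` output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for anything else (ARP, IPv6, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
    }
    rest = m.group("rest")
    if rest.startswith("UDP"):
        pkt["proto"], pkt["flags"] = "udp", ""
    elif rest.startswith("Flags ["):
        pkt["proto"], pkt["flags"] = "tcp", rest[len("Flags ["):rest.index("]")]
    else:
        return None
    return pkt


def is_established(pkt):
    """Mirror the IOS 'established' keyword: TCP with ACK ('.') or RST ('R') set."""
    return pkt["proto"] == "tcp" and ("." in pkt["flags"] or "R" in pkt["flags"])


def verdict(pkt):
    """Return (action, reason) for one packet under the policy discussed in the thread."""
    outbound = pkt["src"] in INTERNAL and pkt["dst"] not in INTERNAL
    inbound = pkt["dst"] in INTERNAL and pkt["src"] not in INTERNAL
    if inbound:
        # Only replies to connections we opened get in; this is the
        # "permit tcp any any established" line, everything else inbound is denied.
        return ("permit", "established") if is_established(pkt) else ("deny", "new-inbound")
    if outbound:
        # A UDP datagram or a TCP packet without ACK is a brand new flow; if it is
        # headed for a default game port, deny it. Established TCP is left alone,
        # so ephemeral return ports are never blocked.
        new_flow = pkt["proto"] == "udp" or not is_established(pkt)
        if new_flow and pkt["dport"] in GAME_PORTS:
            return ("deny", "game-port")
        return ("permit", "outbound")
    return ("permit", "internal")


def audit(lines):
    """Classify every parseable line; also return {internal host: set of game ports hit}."""
    results = []
    offenders = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        action, reason = verdict(pkt)
        results.append((line.strip(), action, reason))
        if reason == "game-port":
            offenders[str(pkt["src"])].add(pkt["dport"])
    return results, dict(offenders)


# Constructed sample capture in `tcpdump -n` format (not a real trace).
SAMPLE_LINES = [
    "12:00:01.000001 IP 10.1.2.3.51234 > 203.0.113.5.27015: UDP, length 60",
    "12:00:02.000002 IP 10.1.2.3.51235 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:03.000003 IP 203.0.113.7.80 > 10.1.2.3.51235: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:04.000004 IP 203.0.113.9.28003 > 10.1.2.3.51236: Flags [S], seq 9, win 65535, length 0",
    "12:00:05.000005 IP 10.1.2.4.60000 > 203.0.113.9.28003: UDP, length 120",
    "12:00:06.000006 IP 10.1.2.3.51237 > 203.0.113.9.29760: Flags [S], seq 3, win 65535, length 0",
    "12:00:07.000007 IP 10.1.2.3.51234 > 10.1.9.9.53: UDP, length 40",
    "12:00:08.000008 ARP, Request who-has 10.1.2.1 tell 10.1.2.3, length 28",
]

if __name__ == "__main__":
    results, offenders = audit(SAMPLE_LINES)
    for line, action, reason in results:
        print(f"{action:6} {reason:12} {line}")
    print("hosts that opened flows to game ports:", offenders)
```

In practice you would feed it `tcpdump -n -l` output piped through stdin instead of the embedded sample; the parser deliberately ignores lines it does not understand rather than guessing, so ARP, IPv6 and ICMP noise in a real capture just drops out of the tally.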
[snip]
But if a brand new packet is outbound to 29760, you know it is probably
going to a Half Life server (I think that's the port). So wouldn't it
be wise to deny that? Specifically it would be UDP 29760, not TCP.
TCP 27015/27016 by default
For Half-life, it's 27015/UDP, not TCP. Cheers.
-a
[snip]
The basic setup is disallow all outbound connections, save ports 20-21,
23, 109/110, 80 (with restriction, explanation follows) and 443.
[snip]
Since several people have commented on us not allowing SSH through by
default, I'll re-quote my private reply:
".. if someone's clueful enough to use SSH, they're clueful enough to
request we allow SSH through for them..."
We do allow other outbound connections upon written request.
We've had good luck here with the Packeteer packetshaper 6500.
http://www.packeteer.com/products/packetshaper/index.cfm
We use it mainly to control [not block] music download traffic.
Dan
Dan Schmiedt
Network Services
Clemson University DCIT
WILLYS@clemson.edu
(864)656-7556
We've had good luck here with the Packeteer packetshaper 6500.
http://www.packeteer.com/products/packetshaper/index.cfm
We use it mainly to control [not block] music download traffic.
Anybody tried nmap against a Packet Shaper recently? I tried it against
a box here which is no longer in service (not the 6500 model), and the
result isn't exactly reassuring.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Try adding some traffic classes which match connections to the local
box from non-trusted locations, and set the policy to deny.
Joe
In the immortal words of Walter Gray (wgray@wwns.net):
Does anybody know of any good software or way to restrict Internet gaming on
a corporate Network?
Yes. A magic product called "Official HR Policy."
You'd be amazed how quickly people get the message once someone is
fired or docked vacation days for violation of company network usage
guidelines.
-n
------------------------------------------------------------<memory@blank.org>
"Look, I don't know how they do things on your home planet, spaceman...but
here in Mayberry, we just don't talk to gun-toting, redneck, amphetamine
freaks that way." (--Red Meat, "Microwave Pet Carrier")
<http://blank.org/memory/>----------------------------------------------------
I used to use a wonderful little tool called trafshow for identifying chatty
streams/conversations. I haven't had to use it in a while, but it may still be
worth looking at. Had a very nice interface, and accepted tcpdump-ish grammar
for filtering iirc.
-j