Re: [fw-wiz] Blocking Video/Audio Streaming



The pix is not just a packet filter only. It is a stateful firewall which
keeps track of sessions not just source and destination. Just source and
destination would be an example of a router access list. If you want to do
content filtering then look at the fixup command which will interogate the
actual packets themselves for certain protocols when enabled. try fixup
protocol http and fixup protocol rtsp 80. If the fixup on rtsp doesnt work
which it should, then the fixup on http when enable will allow you filter
urls once you track them down (more tedious but doable). Also if you have
the resources invest in a reverse proxy. If you have a big user community
you are shooting yourself in the foot not having one. Enjoy.

Kevin



-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Mathew
Want
Sent: Tue 5/23/2006 7:30 PM
To: 'Firewall Wizards Security Mailing List'
Subject: Re: [fw-wiz] Blocking Video/Audio Streaming

Hi.

Pix can't as far as I know as it is a packet filter only. It makes its
decision based on source and destination, not content as it has (or at least
had) no application layer gateway (ALG) inspection ability. If you want to
control content like that you probably want to look at a proxy
server/firewall or content filter that is able to see if the traffic is in
fact HTTP or !HTTP and allow or deny based on this.

My best guess anyway......

Mat

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of R.
Rocky
Sent: Tuesday, 23 May 2006 9:31 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Blocking Video/Audio Streaming

Hi List,

Many of the streaming video/audios uses http port 80 as
transport, It is possible to block this type of traffic on
Cisco PIX/IOS FW? a sample config will really help me.

MMS and RTSP ports are already closed but i am still getting
large traffic thru http port 80.

Thanks.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Relevant Pages

  • RE: about access-list location?
    ... "Standard Access List" = Can only filter based on the Source Address. ... Because of this limitation, it has to be near the "Destination" host, ... without effecting the communication between Host1-Host2. ... Router1 and then create rules to allow Host1-Host2 ...
    (Security-Basics)
  • Re: suggestions on router w/firewall
    ... a simple packet filtering firewall should process HTTP ... > is received on port 21 by the same rules that would be used for FTP. ... A simple packet filter type of firewall cannot do that, ...
    (comp.security.firewalls)
  • Re: Help on HTTP Filter
    ... However, in my ISA 2004 Server Standard Edition, ... "Web Proxy Filter" on the Parameters tab of the HTTP properties. ...
    (microsoft.public.isaserver)
  • Re: accf_http and incqlen
    ... I setup the http accept filter with apache and I was having a hard time ... So why is it that it "appears" that the TCP connections never terminate, ... Last time I looked these were connections that got stuck in an early stage, that is, before the HTTP request had been received. ... The 'accf_http' filter which wants to parse said request waits forever in this situation because there is no timeout implemented, ...
    (freebsd-stable)
  • Re: help with securenat clients
    ... > "enabled" on the Filter list while yet still setting it to not redirect ... > SecureNAT and Firewall Clients to the Web Proxy Service. ... But the ISA2000 HTTP redirector does no HTTP filtering. ...
    (microsoft.public.isa)