Linux Netfilter discussions
* Kazaa Ports
@ 2003-09-08 15:49 Jeffrey Laramie
  2003-09-08 17:01 ` SBlaze
  0 siblings, 1 reply; 11+ messages in thread
From: Jeffrey Laramie @ 2003-09-08 15:49 UTC (permalink / raw)
  To: netfilter

Hi All,

I am trying to provide a modest amount of security for a home LAN using 
NAT and filtering. My family insists on using Kazaa Lite on their 
Windows boxes (aaahhh!!).

My (other) problem is that Kazaa insists on using sequential source 
ports and seemingly random destination ports to make connections. I 
already have a rule to allow ESTABLISHED,RELATED through, but these 
packets must be new connections (connecting to supernodes maybe?). No 
matter how many ports I open I can't seem to open enough ports to make 
it run.

I'm rapidly becoming unpopular in my house. Any ideas how I can make 
Kazaa Lite work and still maintain some security? Are these mutually 
exclusive goals?

Jeff




* Re: Kazaa Ports
  2003-09-08 15:49 Jeffrey Laramie
@ 2003-09-08 17:01 ` SBlaze
  2003-09-08 17:48   ` Jeffrey Laramie
  0 siblings, 1 reply; 11+ messages in thread
From: SBlaze @ 2003-09-08 17:01 UTC (permalink / raw)
  To: Jeffrey Laramie, netfilter


--- Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
> Hi All,
> 
> I am trying to provide a modest amount of security for a home LAN using 
> NAT and filtering. My family insists on using Kazaa Lite on their 
> Windows boxes (aaahhh!!).
> 
> My (other) problem is that Kazaa insists on using sequential source 
> ports and seemingly random destination ports to make connections. I 
> already have a rule to allow ESTABLISHED,RELATED through, but these 
> packets must be new connections (connecting to supernodes maybe?). No 
> matter how many ports I open I can't seem to open enough ports to make 
> it run.
> 
> I'm rapidly becoming unpopular in my house. Any ideas how I can make 
> Kazaa Lite work and still maintain some security? Are these mutually 
> exclusive goals?
> 
> Jeff
> 
> 

Are you using NAT? This is probably your best solution.

SBlaze

=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-




* Re: Kazaa Ports
  2003-09-08 17:01 ` SBlaze
@ 2003-09-08 17:48   ` Jeffrey Laramie
  2003-09-08 21:02     ` SBlaze
  0 siblings, 1 reply; 11+ messages in thread
From: Jeffrey Laramie @ 2003-09-08 17:48 UTC (permalink / raw)
  To: netfilter



SBlaze wrote:

>--- Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
>  
>
>>Hi All,
>>
>>I am trying to provide a modest amount of security for a home LAN using 
>>NAT and filtering. My family insists on using Kazaa Lite on their 
>>Windows boxes (aaahhh!!).
>>
>>My (other) problem is that Kazaa insists on using sequential source 
>>ports and seemingly random destination ports to make connections. I 
>>already have a rule to allow ESTABLISHED,RELATED through, but these 
>>packets must be new connections (connecting to supernodes maybe?). No 
>>matter how many ports I open I can't seem to open enough ports to make 
>>it run.
>>
>>I'm rapidly becoming unpopular in my house. Any ideas how I can make 
>>Kazaa Lite work and still maintain some security? Are these mutually 
>>exclusive goals?
>>
>>Jeff
>>
>>
>>    
>>
>
>Are you using NAT? This is probably your best solution.
>  
>
I use SNAT. Here is the rule:

iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP

My default policy on the filter FORWARD chain is drop, so any required ports have to have an ACCEPT rule in order for services to work. In this case, Kazaa expects to have an unknown (large) number of ports open LAN->Net and it fails when it finds a blocked port.

I can make it work if I stop filtering outbound traffic, but I found a worm last month by checking unauthorized outbound traffic and I'm reluctant to give up that extra security.

Jeff





* Re: Kazaa Ports
  2003-09-08 17:48   ` Jeffrey Laramie
@ 2003-09-08 21:02     ` SBlaze
  2003-09-08 22:47       ` Jeffrey Laramie
  0 siblings, 1 reply; 11+ messages in thread
From: SBlaze @ 2003-09-08 21:02 UTC (permalink / raw)
  To: Jeffrey Laramie, netfilter


--- Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
> 
> 
> SBlaze wrote:
> 
> >--- Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
> >  
> >
> >>Hi All,
> >>
> >>I am trying to provide a modest amount of security for a home LAN using 
> >>NAT and filtering. My family insists on using Kazaa Lite on their 
> >>Windows boxes (aaahhh!!).
> >>
> >>My (other) problem is that Kazaa insists on using sequential source 
> >>ports and seemingly random destination ports to make connections. I 
> >>already have a rule to allow ESTABLISHED,RELATED through, but these 
> >>packets must be new connections (connecting to supernodes maybe?). No 
> >>matter how many ports I open I can't seem to open enough ports to make 
> >>it run.
> >>
> >>I'm rapidly becoming unpopular in my house. Any ideas how I can make 
> >>Kazaa Lite work and still maintain some security? Are these mutually 
> >>exclusive goals?
> >>
> >>Jeff
> >>
> >>
> >>    
> >>
> >
> >Are you using NAT? This is probably your best solution.
> >  
> >
> I use SNAT. Here is the rule:
> 
> iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> 
> My default policy on the filter FORWARD chain is drop, so any required ports
> have to have an ACCEPT rule in order for services to work. In this case,
> Kazaa expects to have an unknown (large) number of ports open LAN->Net and it
> fails when it finds a blocked port.
> 
> I can make it work if I stop filtering outbound traffic, but I found a worm
> last month by checking unauthorized outbound traffic and I'm reluctant to
> give up that extra security.
> 
> Jeff
> 
> 
> 
Assuming that you are running Kazaa on an internal Windows machine, the
POSTROUTING should handle all of the outgoing traffic of the Kazaa client...

What is probably not making it through is the returning connection attempts of
the Kazaa servers? In which case... you shouldn't be using FORWARD lines at all,
since these are supposedly destined for the local machine (as in the Linux box
itself and not anything in your LAN). What I think is needed here is the
PREROUTING of a range or specific ports. I think this will solve your problem
for Kazaa but it offers very little in the way of security for those ports.

An example of this is when I used to run my Half-Life Dedicated Server on my
internal Windows machine; I used a PREROUTING line such as...

iptables -t nat -A PREROUTING -p udp --dport 27015 -i eth0 -j DNAT --to-destination 192.168.1.25:27015

While my scenario was a lot simpler than yours, it's similar I think. Your
problem will of course be finding the range of ports. I would also say take
note of the use of limiting it to one protocol (if you can). Better to have a
straw open to the world than a big ol' sewer pipe!

Hope this helps
SBlaze

=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-




* Re: Kazaa Ports
  2003-09-08 21:02     ` SBlaze
@ 2003-09-08 22:47       ` Jeffrey Laramie
  2003-09-09  3:53         ` SBlaze
  0 siblings, 1 reply; 11+ messages in thread
From: Jeffrey Laramie @ 2003-09-08 22:47 UTC (permalink / raw)
  To: SBlaze; +Cc: netfilter

Thanks for answering

>Assuming that you are running Kazaa on an internal Windows machine, the
>POSTROUTING should handle all of the outgoing traffic of the Kazaa client...
>  
>

hmmm . . . I revised my rule set recently using the iptables tutorial 
by Oskar Andreasson as a guide, and he recommends against doing any 
filtering in the nat tables.

http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html#TRAVERSINGGENERAL


>What is probably not making it through is the returning connection attempts of
>the Kazaa servers? In which case... you shouldn't be using FORWARD lines at all,
>since these are supposedly destined for the local machine (as in the Linux box
>itself and not anything in your LAN).
>

If you look further down in the link I posted, there is a diagram that 
shows INPUT going to the localhost and the FORWARD being used for 
packets destined for other hosts.  Hmmm again . . .  :-)

> What I think is needed here is the
>PREROUTING of a range or specific ports. I think this will solve your problem
>for Kazaa but it offers very little in the way of security for those ports.
>
>An example of this is when I used to run my Half-Life Dedicated Server on my
>internal Windows machine; I used a PREROUTING line such as...
>
>iptables -t nat -A PREROUTING -p udp --dport 27015 -i eth0 -j DNAT
>--to-destination 192.168.1.25:27015
>
>While my scenario was a lot simpler than yours, it's similar I think. Your
>problem will of course be finding the range of ports. I would also say take
>note of the use of limiting it to one protocol (if you can). Better to have a
>straw open to the world than a big ol' sewer pipe!
>
>  
>
Absolutely! That's what makes this an issue for me. I can't nail down 
the ports Kazaa needs and the more I open up the less protection I have. 
I need to find a better strategy and I'm open to suggestions.

Jeff





* Re: Kazaa Ports
  2003-09-08 22:47       ` Jeffrey Laramie
@ 2003-09-09  3:53         ` SBlaze
  0 siblings, 0 replies; 11+ messages in thread
From: SBlaze @ 2003-09-09  3:53 UTC (permalink / raw)
  To: Jeffrey Laramie; +Cc: netfilter


--- Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
> Thanks for answering
> 
> >Assuming that you are running Kazaa on an internal Windows machine, the
> >POSTROUTING should handle all of the outgoing traffic of the Kazaa client...
> >  
> >
> 
> hmmm . . . I revised my rule set recently using the iptables tutorial 
> by Oskar Andreasson as a guide, and he recommends against doing any 
> filtering in the nat tables.
> 
You would not be doing any filtering in the nat table. You are simply passing
the packets destined for a Kazaa client on to another machine and ports.
PRE/POSTROUTING always supersede INPUT and OUTPUT filters.
> 
> http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html#TRAVERSINGGENERAL
> 
> 
> >What is probably not making it through is the returning connection attempts of
> >the Kazaa servers? In which case... you shouldn't be using FORWARD lines at all,
> >since these are supposedly destined for the local machine (as in the Linux box
> >itself and not anything in your LAN).
> >
> 
> If you look further down in the link I posted, there is a diagram that 
> shows INPUT going to the localhost and the FORWARD being used for 
> packets destined for other hosts.  Hmmm again . . .  :-)

Again I don't think FORWARD is your answer here... best bet is nat (imho that
is)
> 
> > What I think is needed here is the
> >PREROUTING of a range or specific ports. I think this will solve your problem
> >for Kazaa but it offers very little in the way of security for those ports.
> >
> >An example of this is when I used to run my Half-Life Dedicated Server on my
> >internal Windows machine; I used a PREROUTING line such as...
> >
> >iptables -t nat -A PREROUTING -p udp --dport 27015 -i eth0 -j DNAT
> >--to-destination 192.168.1.25:27015
> >
> >While my scenario was a lot simpler than yours, it's similar I think. Your
> >problem will of course be finding the range of ports. I would also say take
> >note of the use of limiting it to one protocol (if you can). Better to have a
> >straw open to the world than a big ol' sewer pipe!
> >
> >  
> >
> Absolutely! That's what makes this an issue for me. I can't nail down 
> the ports Kazaa needs and the more I open up the less protection I have. 
> I need to find a better strategy and I'm open to suggestions.
> 
Ok, I might be able to help with this... You may need something like Ethereal or
ettercap fired up on your internal device (eth1 I'm guessing?). As the requests
go out you should be able to view source and destination IPs/ports. An even
simpler method that might work is to fire up Kazaa and do a netstat -a from a
DOS/CMD window. Maybe a netstat -al too.

> Jeff
> 
> 


=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-
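
An added example, not code from anyone in this thread: both Jeff's habit of checking unauthorized outbound traffic under a default-drop FORWARD chain and SBlaze's suggestion above to find out which ports Kazaa actually uses can be served from the firewall side by reading the LOG lines netfilter emits for refused LAN->Net attempts. The script assumes a LOG rule (not shown in the thread) with prefix "FWD-DROP: " in front of the default DROP, and parses constructed sample lines; interface names, addresses and ports are made up.

```python
"""Summarise refused LAN->Net connection attempts from iptables LOG lines.

Added example, not from the thread. It assumes a LOG rule (not shown in the
thread) placed just before the FORWARD chain's default DROP, for example:
  iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j LOG --log-prefix "FWD-DROP: "
so that every blocked outbound NEW connection leaves a kernel log line.
"""
import re
from collections import defaultdict

# Fields written by netfilter's LOG target. ICMP lines carry no SPT/DPT, so
# they never match and are skipped; OUT= is empty for INPUT-chain traffic.
LOG_RE = re.compile(
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log (interfaces, addresses, ports and times are made up).
SAMPLE_LOG = [
    "Sep  8 17:40:01 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=203.0.113.7 LEN=48 TTL=127 ID=4101 DF PROTO=TCP SPT=1025 DPT=3531 SYN URGP=0",
    "Sep  8 17:40:02 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=198.51.100.42 LEN=48 TTL=127 ID=4102 DF PROTO=TCP SPT=1026 DPT=1214 SYN URGP=0",
    "Sep  8 17:40:02 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=203.0.113.99 LEN=48 TTL=127 ID=4103 DF PROTO=TCP SPT=1027 DPT=40125 SYN URGP=0",
    "Sep  8 17:40:03 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=198.51.100.8 LEN=48 TTL=127 ID=4104 DF PROTO=TCP SPT=1028 DPT=6346 SYN URGP=0",
    "Sep  8 17:41:10 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.50 LEN=48 TTL=128 ID=9001 DF PROTO=TCP SPT=3177 DPT=25 SYN URGP=0",
    "Sep  8 17:41:11 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.51 LEN=48 TTL=128 ID=9002 DF PROTO=TCP SPT=3190 DPT=25 SYN URGP=0",
    # Not forwarded traffic (INPUT chain, OUT= empty) and an ICMP echo: both ignored.
    "Sep  8 17:41:30 gw kernel: IN-DROP: IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.1 LEN=60 TTL=51 ID=777 DF PROTO=TCP SPT=54321 DPT=22 SYN URGP=0",
    "Sep  8 17:41:31 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=203.0.113.7 LEN=84 TTL=127 ID=77 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
]


def parse_line(line):
    """Return the fields of one forwarded-traffic LOG line, or None."""
    m = LOG_RE.search(line)
    if not m or not m.group("out"):
        return None
    return {"src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
            "spt": int(m.group("spt")), "dpt": int(m.group("dpt"))}


def is_sequential(ports):
    """True when the sorted ports form one unbroken run (the pattern Jeff describes)."""
    return len(ports) >= 2 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


def summarize(lines):
    """Group refused attempts by internal host and describe each host's pattern."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        report[src] = {
            "attempts": len(recs),
            "dst_hosts": len({r["dst"] for r in recs}),
            # the destination ports an ACCEPT rule would have to cover
            "dst_ports": sorted({r["dpt"] for r in recs}),
            "sequential_spt": is_sequential(sorted(r["spt"] for r in recs)),
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A host whose refused attempts show a strictly increasing run of source ports toward many distinct destinations and ports is the Kazaa-like pattern the thread describes; a host repeatedly hitting one destination port is the kind of outbound traffic Jeff says his filtering caught.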




* Re: Kazaa Ports
@ 2003-09-09  8:21 jimbo jones
  2003-09-09 13:51 ` Jeffrey Laramie
  0 siblings, 1 reply; 11+ messages in thread
From: jimbo jones @ 2003-09-09  8:21 UTC (permalink / raw)
  To: JALaramie, dagent.geo; +Cc: netfilter


Have you fiddled with the firewall settings in Kazaa that supposedly let you 
change the outgoing port to anything you like? I have heard in cases that 
you can change this to, say, port 80 and suddenly everything goes (web port 
and all). However I have exactly the same setup with exactly the same issue 
and this option didn't work for me. But maybe it will for someone else. 
Would also like to get this solved.

Suggestions appreciated.

Cheers


>From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
>To: SBlaze <dagent.geo@yahoo.com>
>CC: netfilter@lists.netfilter.org
>Subject: Re: Kazaa Ports
>Date: Mon, 08 Sep 2003 18:47:18 -0400
>
>Thanks for answering
>
>>Assuming that you are running Kazaa on an internal Windows machine, the
>>POSTROUTING should handle all of the outgoing traffic of the Kazaa client...
>>
>>
>
>hmmm . . . I revised my rule set recently using the iptables tutorial by 
>Oskar Andreasson as a guide, and he recommends against doing any filtering in 
>the nat tables.
>
>http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html#TRAVERSINGGENERAL
>
>
>>What is probably not making it through is the returning connection attempts of
>>the Kazaa servers? In which case... you shouldn't be using FORWARD lines at all,
>>since these are supposedly destined for the local machine (as in the Linux box
>>itself and not anything in your LAN).
>>
>
>If you look further down in the link I posted, there is a diagram that 
>shows INPUT going to the localhost and the FORWARD being used for packets 
>destined for other hosts.  Hmmm again . . .  :-)
>
>>What I think is needed here is the
>>PREROUTING of a range or specific ports. I think this will solve your problem
>>for Kazaa but it offers very little in the way of security for those ports.
>>
>>An example of this is when I used to run my Half-Life Dedicated Server on my
>>internal Windows machine; I used a PREROUTING line such as...
>>
>>iptables -t nat -A PREROUTING -p udp --dport 27015 -i eth0 -j DNAT
>>--to-destination 192.168.1.25:27015
>>
>>While my scenario was a lot simpler than yours, it's similar I think. Your
>>problem will of course be finding the range of ports. I would also say take
>>note of the use of limiting it to one protocol (if you can). Better to have a
>>straw open to the world than a big ol' sewer pipe!
>>
>>
>>
>Absolutely! That's what makes this an issue for me. I can't nail down the 
>ports Kazaa needs and the more I open up the less protection I have. I need 
>to find a better strategy and I'm open to suggestions.
>
>Jeff
>
>
>





* Re: Kazaa Ports
  2003-09-09  8:21 jimbo jones
@ 2003-09-09 13:51 ` Jeffrey Laramie
  2003-09-09 18:25   ` SBlaze
  0 siblings, 1 reply; 11+ messages in thread
From: Jeffrey Laramie @ 2003-09-09 13:51 UTC (permalink / raw)
  To: jimbo jones; +Cc: netfilter



jimbo jones wrote:

>
> Have you fiddled with the firewall settings in Kazaa that supposedly 
> let you change the outgoing port to anything you like?


I don't know if Kazaa Lite has that option, but I'll look for it. We did 
set the maximum number of connections to 10 with the hopes that it would 
be happy with the ports I'd already opened. Unfortunately it appears to 
use source ports in sequence and doesn't reuse them, so all I did was 
delay the problem a few minutes.

> I have heard in cases that you can change this to, say, port 80 and 
> suddenly everything goes (web port and all).  However I have exactly 
> the same setup with exactly the same issue and this option didn't work 
> for me.  But maybe it will for someone else.


I posted an article a couple of days ago about this very issue: the 
ability of some programs to use commonly open ports for other types of 
connections and the ramifications this has on firewalling. Now we're on 
the other side of the fence viewing this as a "feature" rather than a 
threat. Of course if Kazaa didn't behave this way in the first place we 
wouldn't need to use other ports. Still the irony of the situation isn't 
lost on me.

>   Would also like to get this solved.
>
> Suggestions appreciated.
>
> Cheers
>

Ditto. SBlaze had an idea to use DNAT in PREROUTING, but I don't think 
that will work here. I can't predict which ports would need to be natted 
and if I nat every port it'll break all the other services. Something 
tells me the developers of Kazaa Lite just aren't too concerned about 
the security of our proprietary information ;-)

Jeff




* Re: Kazaa Ports
  2003-09-09 13:51 ` Jeffrey Laramie
@ 2003-09-09 18:25   ` SBlaze
  0 siblings, 0 replies; 11+ messages in thread
From: SBlaze @ 2003-09-09 18:25 UTC (permalink / raw)
  To: Jeffrey Laramie, jimbo jones; +Cc: netfilter


--- Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
> 
> 
> jimbo jones wrote:
> 
> >
> > Have you fiddled with the firewall settings in Kazaa that supposedly 
> > let you change the outgoing port to anything you like?
> 
> 
> I don't know if Kazaa Lite has that option, but I'll look for it. We did 
> set the maximum number of connections to 10 with the hopes that it would 
> be happy with the ports I'd already opened. Unfortunately it appears to 
> use source ports in sequence and doesn't reuse them, so all I did was 
> delay the problem a few minutes.
> 
> > I have heard in cases that you can change this to, say, port 80 and 
> > suddenly everything goes (web port and all).  However I have exactly 
> > the same setup with exactly the same issue and this option didn't work 
> > for me.  But maybe it will for someone else.
> 
> 
> I posted an article a couple of days ago about this very issue: the 
> ability of some programs to use commonly open ports for other types of 
> connections and the ramifications this has on firewalling. Now we're on 
> the other side of the fence viewing this as a "feature" rather than a 
> threat. Of course if Kazaa didn't behave this way in the first place we 
> wouldn't need to use other ports. Still the irony of the situation isn't 
> lost on me.
> 
> >   Would also like to get this solved.
> >
> > Suggestions appreciated.
> >
> > Cheers
> >
> 
> Ditto. SBlaze had an idea to use DNAT in PREROUTING, but I don't think 
> that will work here. I can't predict which ports would need to be natted 
> and if I nat every port it'll break all the other services. Something 
> tells me the developers of Kazaa Lite just aren't too concerned about 
> the security of our proprietary information ;-)
> 
> Jeff
> 
> 
I still say all that should be needed is finding out what the ports are....
moreover, what are the minimum ports needed to maintain the service.

Find that out and you may or may not be able to DNAT to the destination you
need, depending on what services you offer already (i.e. Kazaa may need port 80
but you are running Apache elsewhere).

SBlaze

=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-




* Re: Kazaa Ports
       [not found] <NGBBLGFEALDADHNDAAFFIEPEDKAA.ksmith@perfht.com>
@ 2003-09-10 18:34 ` Jeffrey Laramie
  2003-09-11  9:08   ` Chris Lowth
  0 siblings, 1 reply; 11+ messages in thread
From: Jeffrey Laramie @ 2003-09-10 18:34 UTC (permalink / raw)
  To: ksmith; +Cc: netfilter




Kevin Smith wrote:

>I found this web site with a bit of info about blocking p2p programs:
>
>http://testweb.oofle.com/messaging/index.htm
>
>Hope it helps. 
>
>Kev
>  
>
Thanks to everyone for their suggestions. I've got my resident Kazaa 
experts (aka children) doing some research on this also. This may take a 
few days, so stay tuned.

Jeff



* Re: Kazaa Ports
  2003-09-10 18:34 ` Kazaa Ports Jeffrey Laramie
@ 2003-09-11  9:08   ` Chris Lowth
  0 siblings, 0 replies; 11+ messages in thread
From: Chris Lowth @ 2003-09-11  9:08 UTC (permalink / raw)
  To: Jeffrey Laramie, ksmith; +Cc: netfilter


http://www.lowth.com/p2pwall will block kazaa using iptables "QUEUE" target, if that's what you're after.
It's written up in the October 2003 issue of the Linux Journal (www.linuxjournal.com) 
----- Original Message -----
> From: Jeffrey Laramie
> To: ksmith@perfht.com
> Cc: netfilter@lists.netfilter.org
> Sent: Wednesday, September 10, 2003 7:34 PM
> Subject: Re: Kazaa Ports
>
> Kevin Smith wrote:
>
> > I found this web site with a bit of info about blocking p2p programs:
> >
> > http://testweb.oofle.com/messaging/index.htm
> >
> > Hope it helps.
> >
> > Kev
>
> Thanks to everyone for their suggestions. I've got my resident Kazaa experts (aka children) doing some research on this also. This may take a few days, so stay tuned.
>
> Jeff


