Block P2P using NAT


Postby jiandc » Dec 16 04 12:07 am

Hi,

Is there a way to block P2P programs using NAT? I have some users with BearShare installed on their laptops and it is using NAT to connect outside, and I see a lot of NAT connections from those users.

jian
jiandc
 
Posts: 85
Joined: May 11 04 12:47 am

Postby Pascal » Dec 16 04 7:46 am

Block the port ranges?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby jiandc » Dec 16 04 6:33 pm

I have blocked all connections from the PCs to the Internet except those that we are using, and the port that BearShare uses is not included in the allowed list/range.

jian

Postby Pascal » Dec 17 04 8:23 am

So does that mean it's working or not? Two suggestions:

1. Check the default action for the traffic.
2. When BearShare is running, check what it is doing in the activity screen. That will give you an idea of where to begin blocking.

Postby jiandc » Dec 18 04 11:34 pm

I believe that the blocking did not work. From the activity screen, I can see many NAT entries of the workstation connecting to one outside IP using 2 or 3 different ports.

Postby Pascal » Dec 19 04 8:58 am

So, how did you set it up? How did you configure the port ranges, etc. (Which ranges, which protocols, etc.) If you like, you can send me the WinGate configuration (Use Options->Advanced to export it) via email with a brief list of the ports in use and which protocol they use. Then I'll import it tomorrow and tell you what needs to change.

Postby jiandc » Dec 20 04 6:06 pm

I have sent the registry file.

Postby Pascal » Dec 21 04 8:44 am

The port range for "LAN connections to the Internet" is set to allow all connections. There are certain exclusions setup, but I haven't installed BearShare to check if that port range overlaps with any of those.

Did you configure it on that page? (The ports you are blocking)

Postby jiandc » Dec 23 04 6:08 pm

Yes, I am adding the ports to be opened on the same page.

Postby Pascal » Dec 23 04 10:15 pm

Were they on the list you sent me? It didn't look that way - and that group (LAN connections to the Internet) was set to accept all traffic.

Postby Pascal » Dec 24 04 12:23 pm

Okay. More on this. BearShare uses port 6346 by default. That's blocked on your setup. However, talking to the guys in our QA Lab, they've indicated that you can change the ports BearShare uses. So, all bets are basically off on blocking a specific port. If somebody was going to run BearShare on a network where an administrator wanted to stop them, then trying another port until an open one is found seems reasonably intuitive. Your configuration has its default action as "Allow", so once they go above port 6800, they'll have access.

When you look at the NAT entry as the users on laptops are connecting out, you should be able to see what port number they are using to validate if that's the case or not.

As you have a large number of specified allow entries configured - maybe you could make the default "Deny". That should discourage people from using it as they'd have to work much harder to find an open port. (Still possible if they use one of the ones you have expressly opened for other applications).

User education maybe?

One possible alternative could be to use a product that can analyse traffic and issue warnings / reports on it (NetPatrol is one example). I'm reasonably sure that by crafting a good rule-set you will be able to detect a P2P application (specifically their connect strings) and, with integrated firewall control, then block that computer (for a given amount of time). If not blocking them, you have the option of receiving an administrative alert, which will give you the chance to find the user and instruct them not to use BearShare.
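The two points in Pascal's last post, as an added example that is not part of the thread and is not WinGate code: a simplified stand-in for a port-range policy (explicit ranges plus a default action) shows why a client that simply picks another port slips past a "default Allow" policy and is stopped by "default Deny" unless it lands on an expressly opened port, and a content check on the first bytes of each connection catches the client on any port. The rule model is an assumption of mine, not WinGate's rule semantics; the handshake strings are the Gnutella 0.4 and 0.6 protocol openers (BearShare is a Gnutella client, which the thread does not state but which is why its default port is 6346); the "captured" flows are constructed sample data.

```python
"""Port-range policy vs. content-based P2P detection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    lo: int
    hi: int
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dport: int
    payload: bytes       # first bytes the client sent on the connection


def evaluate(port: int, rules: list[Rule], default: str) -> str:
    """Assumed policy semantics: first matching range wins, else the default action."""
    for r in rules:
        if r.lo <= port <= r.hi:
            return r.action
    return default


# Gnutella handshake openers (protocol constants, not WinGate settings).
GNUTELLA_OPENERS = (
    b"GNUTELLA CONNECT/0.6\r\n",
    b"GNUTELLA/0.6 200 OK\r\n",
    b"GNUTELLA CONNECT/0.4\n\n",
    b"GNUTELLA OK\n\n",
)


def is_gnutella(payload: bytes) -> bool:
    """Content check: match the connect string regardless of the port in use."""
    return payload.startswith(GNUTELLA_OPENERS)


# Policy modelled on the thread: a few explicit allows, BearShare's default
# port 6346 denied, nothing said about the high ports.
RULES = [
    Rule(80, 80, "allow"),
    Rule(443, 443, "allow"),
    Rule(6346, 6346, "deny"),
]

HANDSHAKE = b"GNUTELLA CONNECT/0.6\r\nUser-Agent: BearShare\r\n\r\n"

# Constructed sample flows (not captured data).
FLOWS = [
    Flow("10.0.0.21", 6346, HANDSHAKE),     # default port: explicitly denied
    Flow("10.0.0.21", 6347, HANDSHAKE),     # user moved one port up
    Flow("10.0.0.21", 9999, HANDSHAKE),     # user picked a high port
    Flow("10.0.0.21", 80, HANDSHAKE),       # user picked an expressly opened port
    Flow("10.0.0.33", 80, b"GET / HTTP/1.1\r\nHost: www.qbik.com\r\n\r\n"),
]


def audit(flows, rules, default):
    """Return (src, dport, port_verdict, is_p2p) for every flow."""
    return [
        (f.src, f.dport, evaluate(f.dport, rules, default), is_gnutella(f.payload))
        for f in flows
    ]


def p2p_slipping_through(flows, rules, default):
    """Flows the port policy allows that the content check identifies as Gnutella."""
    return [
        (src, dport)
        for src, dport, verdict, p2p in audit(flows, rules, default)
        if verdict == "allow" and p2p
    ]


if __name__ == "__main__":
    for default in ("allow", "deny"):
        print(f"default={default}: P2P flows allowed through by port policy:",
              p2p_slipping_through(FLOWS, RULES, default))
    print("flows flagged by content check:",
          [(s, p) for s, p, _, p2p in audit(FLOWS, RULES, "allow") if p2p])
```

With the default left at "allow", every handshake that avoids 6346 gets through on port alone; switching the default to "deny" leaves only the flow riding an expressly opened port (80 here), which is exactly the residual case Pascal describes. The content check flags all four Gnutella flows and not the ordinary HTTP request, independent of port.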
