D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: locsom20 on June 04, 2009, 10:07:49 AM

Title: Help Blocking IM & P2P with DFL-210
Post by: locsom20 on June 04, 2009, 10:07:49 AM
I'm trying to configure the blocking of IM & P2P on my DFL-210, but I don't know how to do this. In the datasheet I read that this specific blocking is possible, but I only find the Java applet blocking and ActiveX blocking, and nothing about IM or P2P.
Is this kind of blocking possible in the DFL-210 firewall? Please, some help with this.....

*** edited by Fatman to fix the spelling in the subject.
Title: Re: Help Blocking IM & P2P with DFL-210
Post by: Fatman on June 04, 2009, 10:13:30 AM
You can block any traffic you can designate via services, or you can block any traffic you don't designate with services (more secure).

The best way to do what you need to do would be to enumerate every allowed outbound service above a default drop.

Then ensure an ALG is applied for every outbound service possible to catch the simplest level of monkey business with common ports.

This won't help if the program can hide its traffic in valid traffic for an allowed outbound port though.  I know Skype is good at hiding on port 80, but if it does so and communicates inside valid HTTP headers (which may be the case, I wouldn't know) then our ALG is not going to catch it.

Truthfully to be more complete than that you would want a layer 7 gateway.

*** edited by Fatman to fix the spelling in the subject.
Title: Re: Help Blocking IM & P2P with DFL-210
Post by: locsom20 on June 05, 2009, 03:02:17 PM
Thanks for the answer :D, I block all the TCP/UDP ports, and open only the necessary ones. All is working now ;D
Title: Re: Help Blocking IM & P2P with DFL-210
Post by: DL1NKUSER on July 20, 2009, 11:05:56 PM
Just a quick question. Do D-Link make a Layer 7 gateway & if so what is the model range? Thank you.
Title: Re: Help Blocking IM & P2P with DFL-210
Post by: Fatman on July 22, 2009, 10:30:01 AM
The only one that might still be available is the DFL-M510.
Title: Re: Help Blocking IM & P2P with DFL-210
Post by: silica on January 26, 2010, 02:00:50 AM
How do you block all the TCP/UDP ports? And then I open port 80 for surfing, or is this not enough? I need e-mail and web browsing to work... that's it... the rest should not work: P2P, Skype, Spotify, etc...

Thanks.
Robert
Title: Re: Help Blocking IM & P2P with DFL-210
Post by: Fatman on January 26, 2010, 10:07:49 AM
Create a rule rejecting all services then above it create rules NAT'ing the following services.  I would recommend creating a service group with all these services so that you will only need 2 rules.

ICMP
21 TCP FTP
25 TCP SMTP
53 TCP/UDP DNS
80 TCP HTTP
110 TCP POP3
443 TCP HTTPS

*** Modified by Fatman, because he forgot Poland ICMP. ***
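
The rule layout from this thread (one service group NAT'ed above a reject-all rule), modelled in Python as an added example; it is not part of any post and is not NetDefendOS configuration. Top-down first-match evaluation, the `Flow` type and the sample flows are assumptions constructed for illustration. It also shows the limit mentioned earlier in the thread: traffic on an allowed port passes whichever program sent it.

```python
from dataclasses import dataclass
from typing import Optional

# Service group taken from the list in the post above: (protocol, port) -> service.
# ICMP has no port, so it is keyed with port None.
ALLOWED = {
    ("icmp", None): "ICMP", ("tcp", 21): "FTP", ("tcp", 25): "SMTP",
    ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 80): "HTTP",
    ("tcp", 110): "POP3", ("tcp", 443): "HTTPS",
}

@dataclass(frozen=True)
class Flow:
    app: str                 # the real sender; a port filter never sees this field
    proto: str
    dport: Optional[int]

# Ordered rule set, assumed to be evaluated top to bottom with first match winning.
RULES = [
    ("NAT", lambda f: (f.proto, f.dport) in ALLOWED),   # allowed-outbound group
    ("Reject", lambda f: True),                         # reject all services
]

def evaluate(flow):
    """Return the action of the first rule whose matcher accepts the flow."""
    for action, matches in RULES:
        if matches(flow):
            return action
    return "Reject"

def blind_spots(flows):
    """Flows the port filter passes although the sender is not the listed service."""
    return [f for f in flows
            if evaluate(f) == "NAT" and ALLOWED[(f.proto, f.dport)] != f.app]

# Constructed sample flows (ports 6881 and 5190 are illustrative choices).
SAMPLE = [
    Flow("HTTP", "tcp", 80),      # web browsing
    Flow("SMTP", "tcp", 25),      # outbound mail
    Flow("P2P", "tcp", 6881),     # P2P client on its own port
    Flow("IM", "tcp", 5190),      # IM client on its own port
    Flow("Skype", "tcp", 80),     # falls back to an allowed port
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.app:6} {f.proto}/{f.dport}: {evaluate(f)}")
    print("passed on an allowed port, needs ALG or layer 7 inspection:",
          [f.app for f in blind_spots(SAMPLE)])
```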