[c-nsp] Peer-to-peer NBAR rules
omar parihuana
omar.parihuana at gmail.com
Mon Oct 2 17:01:15 EDT 2006
Hi,
I used the following configuration (generated by SDM on a Cisco 871; so far it works well):
Router# sh run
Building configuration...
Current configuration : 11442 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$wFU6$kdvYB802ZsR2WrNozJqwo1
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 200.89.26.3
ip name-server 200.89.26.4
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-3808206144
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3808206144
 revocation-check none
 rsakeypair TP-self-signed-3808206144
!
!
crypto pki certificate chain TP-self-signed-3808206144
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383038 32303631 3434301E 170D3032 30333031 30303434
33305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38303832
30363134 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009C87 9DD5C2EE 97171B9E 7F12A0E3 3140FCAB 69AFF409 6C7B2D14 EAE8A437
2C96168B 9741661D 80DF3EE1 1DCF58DF 72300782 80A5568E 661505F2 771D30B9
F2015556 73C310CD 1A737920 2280A998 586E2C68 202BEDE5 CFFE3E4C 01656EB9
F1018E77 01AA8F68 6816ACE6 2AC7DB18 B6A06F81 F1443D86 FCC6D2B9 1A3435D7
446B0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07526F75 7465722E 301F0603 551D2304 18301680 1455CE84
02D8A996 4266A31F ED4B7ED6 D7A910B4 05301D06 03551D0E 04160414 55CE8402
D8A99642 66A31FED 4B7ED6D7 A910B405 300D0609 2A864886 F70D0101 04050003
8181007D 3BEAE085 61462E29 2F40B5E2 5F053D1A CADD99C4 8EE6B57E 8B9E4F90
D3AAE6E5 B0EA2686 3B27871B 37AA35FD C9F92E45 AD7EFA01 031EA42F 938FBE43
8ACCF237 49746FFC 843EB5E0 6D8069AE BDA3014F ACF5A1FE 47F94FC6 48DFF405
8C70BECC E1142C0C 906097A0 42F697C4 BE9415A6 3B7FB61A 9C1D0D4E 2A958893 1108D7
quit
username omarp privilege 15 view root secret 5 $1$sA30$bnyMO9/vXXxx6FRA1oTWf.
!
!
class-map match-any SDMVoice-FastEthernet4
 match protocol rtp audio
class-map match-any SDMTrans-FastEthernet4
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-any SDMScave-FastEthernet4
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any SDMIVideo-FastEthernet4
 match protocol rtp video
class-map match-any SDMSVideo-FastEthernet4
 match protocol cuseeme
 match protocol netshow
 match protocol rtsp
 match protocol streamwork
 match protocol vdolive
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
class-map match-any SDMBulk-FastEthernet4
 match protocol exchange
 match protocol ftp
 match protocol irc
 match protocol nntp
 match protocol pop3
 match protocol printer
 match protocol secure-ftp
 match protocol secure-irc
 match protocol secure-nntp
 match protocol secure-pop3
 match protocol smtp
 match protocol tftp
class-map match-any SDMSignal-FastEthernet4
 match protocol h323
 match protocol rtcp
class-map match-any SDMRout-FastEthernet4
 match protocol bgp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDMManage-FastEthernet4
 match protocol dhcp
 match protocol dns
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
!
!
policy-map SDM-Pol-FastEthernet4
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_kazaa
  drop
 class SDMRout-FastEthernet4
  bandwidth remaining percent 3
  set dscp cs6
 class sdm_p2p_bittorrent
  drop
 class SDMManage-FastEthernet4
  bandwidth remaining percent 3
  set dscp cs2
 class SDMTrans-FastEthernet4
  bandwidth remaining percent 33
  set dscp af21
 class sdm_p2p_gnutella
  drop
 class SDMVoice-FastEthernet4
  priority percent 70
  set dscp ef
 class SDMSignal-FastEthernet4
  bandwidth remaining percent 40
  set dscp cs3
policy-map sdmappfwp2p_SDM_HIGH
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_bittorrent
  drop
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_kazaa
  drop
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$
 bandwidth 256
 ip address 192.168.190.217 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output SDM-Pol-FastEthernet4
!
interface Vlan1
 description $FW_INSIDE$
 ip address 172.16.20.1 255.255.255.128
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 172.16.20.0 mask 255.255.255.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.190.1
!
!
ip http server
ip http access-class 1
ip http secure-server
ip nat inside source list 2 interface FastEthernet4 overload
!
ip access-list extended IPs-Allowed
 remark Only IPs Allowed
 remark SDM_ACL Category=1
 remark LAN Internal
 permit ip 172.16.20.0 0.0.0.127 any
!
logging trap debugging
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.190.215
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.16.20.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 192.168.190.215 host 192.168.190.217 eq 22
access-list 100 permit tcp host 192.168.190.215 host 192.168.190.217 eq 443
access-list 100 permit tcp host 192.168.190.215 host 192.168.190.217 eq cmd
access-list 100 deny tcp any host 192.168.190.217 eq telnet
access-list 100 deny tcp any host 192.168.190.217 eq 22
access-list 100 deny tcp any host 192.168.190.217 eq www
access-list 100 deny tcp any host 192.168.190.217 eq 443
access-list 100 deny tcp any host 192.168.190.217 eq cmd
access-list 100 deny udp any host 192.168.190.217 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.190.215 any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.190.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 200.89.26.4 eq domain host 192.168.190.217
access-list 103 permit udp host 200.89.26.3 eq domain host 192.168.190.217
access-list 103 deny ip 172.16.20.0 0.0.0.127 any
access-list 103 permit icmp any host 192.168.190.217 echo-reply
access-list 103 permit icmp any host 192.168.190.217 time-exceeded
access-list 103 permit icmp any host 192.168.190.217 unreachable
access-list 103 permit tcp host 192.168.190.215 host 192.168.190.217 eq 443
access-list 103 permit tcp host 192.168.190.215 host 192.168.190.217 eq 22
access-list 103 permit tcp host 192.168.190.215 host 192.168.190.217 eq cmd
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 login authentication local_authen
 no modem enable
line aux 0
 login authentication local_authen
line vty 0 4
 access-class 101 in
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Router#
Rgds
On 10/2/06, Church, Chuck <cchurch at multimax.com> wrote:
> Anyone have a decent set of NBAR 'match protocol' rules that they're
> willing to share that cover all the keywords beyond just the protocol?
> I've got:
>
> class-map match-any File-Sharing
> match protocol edonkey
> match protocol gnutella
> match protocol kazaa2
> match protocol napster
> match protocol winmx
>
> On a 2650 running 12.4(9) mainline. I know some of the protocols
> support additional protocols like Gnutella:
>
> xxx2650(config-cmap)#match pro gnutella ?
> file-transfer Match file transfer stream
> <cr>
>
> xxx2650(config-cmap)#match pro gnutella file
> xxx2650(config-cmap)#match pro gnutella file-transfer ?
> WORD Enter a string as the sub-protocol parameter
>
> I'm looking to catch as many of the current popular file sharing/P2P
> apps as possible, as this is supporting a wireless ISP (Wimax) with
> really limited bandwidth.
>
> Thanks in advance,
>
> Chuck
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
http://omarept.blogspot.com/
Usysnet Corp
Open Source Solutions
www.usysnet.com.pe
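Added example, not part of the thread or of either poster's configuration: a small Python checker that reads IOS "show run" text and reports, for each NBAR protocol keyword you care about, whether a class with a bare `drop` action is attached in both directions on the WAN interface, and which class-maps no policy-map references. The parser is keyword-driven (class-map / policy-map / interface / class / match protocol / service-policy), so it also works on configs whose indentation has been lost in an archive. The sample config is an excerpt of the P2P stanzas from the 871 config posted above, and the wanted-protocol list is Chuck's class-map plus the keywords in Omar's sdm_p2p_* classes. Run against that excerpt it shows two things the config alone does not make obvious: SDMScave-FastEthernet4 (napster, fasttrack, gnutella) is defined but never used by a policy-map, so napster is never dropped, and winmx is not classified anywhere. It also treats a `match-all` class that lists two different `match protocol` lines as dead, since a packet can only ever be one NBAR protocol. Only a bare `drop` action counts; `police ... drop` is not considered.

```python
"""Lint an IOS NBAR/QoS config: are the wanted P2P protocols really dropped both ways?"""

# Constructed sample: the P2P class-map / policy-map / interface stanzas excerpted
# from the posted Cisco 871 config (indentation restored; not the full config).
SAMPLE_CONFIG = """\
class-map match-any SDMScave-FastEthernet4
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
policy-map SDM-Pol-FastEthernet4
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_kazaa
  drop
 class sdm_p2p_bittorrent
  drop
 class sdm_p2p_gnutella
  drop
policy-map sdmappfwp2p_SDM_HIGH
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_bittorrent
  drop
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_kazaa
  drop
interface FastEthernet4
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output SDM-Pol-FastEthernet4
"""

# NBAR keywords from the thread: Chuck's class-map plus Omar's sdm_p2p_* classes.
P2P_WANTED = ["bittorrent", "edonkey", "fasttrack", "gnutella", "kazaa2", "napster", "winmx"]


def parse_ios(cfg):
    """Return (class_maps, policy_maps, interfaces) from 'show run' text; keyword-driven."""
    class_maps, policy_maps, interfaces = {}, {}, {}
    block, cur_class = (None, None), None      # (kind, name) of the stanza we are in
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):   # blank line or '!' separator ends a stanza
            block = (None, None)
            continue
        if words[0] == "class-map":                  # class-map [type ..] [match-any|match-all] NAME
            class_maps[words[-1]] = {"any": "match-any" in words, "protocols": set()}
            block = ("class-map", words[-1])
        elif words[0] == "policy-map":
            policy_maps[words[1]] = {}
            block, cur_class = ("policy-map", words[1]), None
        elif words[0] == "interface":
            interfaces[words[1]] = {}
            block = ("interface", words[1])
        elif block[0] == "class-map" and words[:2] == ["match", "protocol"] and len(words) > 2:
            class_maps[block[1]]["protocols"].add(words[2])   # sub-options (file-transfer ...) ignored
        elif block[0] == "policy-map" and words[0] == "class" and len(words) > 1:
            cur_class = words[1]
            policy_maps[block[1]].setdefault(cur_class, [])
        elif block[0] == "policy-map" and cur_class is not None:
            policy_maps[block[1]][cur_class].append(" ".join(words))   # an action line, e.g. "drop"
        elif block[0] == "interface" and words[0] == "service-policy" and len(words) > 2:
            interfaces[block[1]][words[1]] = words[2]                  # words[1]: "input" | "output"
    return class_maps, policy_maps, interfaces


def p2p_drop_coverage(cfg, wanted, wan_if):
    """Map each wanted protocol to the directions ('input'/'output') in which a drop class on wan_if matches it."""
    class_maps, policy_maps, interfaces = parse_ios(cfg)
    coverage = {p: set() for p in wanted}
    for direction, policy in interfaces.get(wan_if, {}).items():
        for cls_name, actions in policy_maps.get(policy, {}).items():
            cm = class_maps.get(cls_name)
            # a match-all class naming two different protocols can never match: dead class
            if cm is None or "drop" not in actions or (not cm["any"] and len(cm["protocols"]) > 1):
                continue
            for proto in cm["protocols"] & set(coverage):
                coverage[proto].add(direction)
    return coverage


def not_dropped_both_ways(cfg, wanted, wan_if):
    """Wanted protocols that are not dropped in both directions on wan_if."""
    cov = p2p_drop_coverage(cfg, wanted, wan_if)
    return sorted(p for p, dirs in cov.items() if dirs != {"input", "output"})


def unreferenced_class_maps(cfg):
    """Class-maps no policy-map uses: classification that never takes effect."""
    class_maps, policy_maps, _ = parse_ios(cfg)
    used = {c for classes in policy_maps.values() for c in classes}
    return sorted(set(class_maps) - used)


if __name__ == "__main__":
    print("not dropped both ways:", not_dropped_both_ways(SAMPLE_CONFIG, P2P_WANTED, "FastEthernet4"))
    print("unreferenced class-maps:", unreferenced_class_maps(SAMPLE_CONFIG))
```

Feed it the full running config (copied from a terminal) rather than the excerpt to check a live box; the parser ignores everything it does not recognise. The "input" side matters on a NAT/firewall router like this one: the P2P policy on FastEthernet4 input catches inbound sessions that the inspect rules let through, while the output policy catches what the LAN initiates.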