
Block ports on cisco router


Noodles
29th November 2004, 19:33
I'm using a Cisco router/firewall 2600 series. I'm getting problems with people using Kazaa and other p2p file sharing programs leeching all my bandwidth, causing my gamers to get crap pings.

I've identified I need to block ports

1214 for Kazaa and 6346-6347 for Gnutella Clients, tcp and udp, both outgoing and incoming connections.

How do I do this, what commands do I use, etc.?

KingDaveRa
29th November 2004, 20:06
Isn't that set in ACLs? It's something really simple like acl add port x or something.

I've found Cisco's documentation to be quite good.

WhiteKnight
29th November 2004, 20:32
I believe you want the "access-list" command.

Cabe
30th November 2004, 00:31
REMEMBER THIS

when you create any ACL you get a default DENY ALL command

so you then need to open everything else.

WhiteKnight
30th November 2004, 03:40
Originally posted by Cabe
REMEMBER THIS

when you create any ACL you get a default DENY ALL command

so you then need to open everything else.

just to make that clear... that's EVERYTHING else

bvark
30th November 2004, 09:02
You need to create an extended access-list, which you then apply to an 'access-group' either inbound or outbound on the interface

interface ethernet0/0
 description "Connection to internet"
 ip access-group 101 in
 ip access-group 101 out
!
interface ethernet1/0
 description "Connection to the plebs"
!
! An extended ACL entry takes a single port operator, so the Gnutella
! pair is written with "range" ("gt 6346 lt 6347" is not valid syntax
! and would not have matched 6346 anyway).
access-list 101 deny tcp any any eq 1214
access-list 101 deny tcp any any range 6346 6347
access-list 101 deny udp any any eq 1214
access-list 101 deny udp any any range 6346 6347
access-list 101 permit ip any any

You are cautioned that access-lists can significantly reduce the forwarding capacity of your router, and performance degradation increases as the ACL gets longer.
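A fuller version of the same idea, added here as an example and not taken from bvark's post: a named extended ACL that matches the P2P ports in both the source and destination position (so a session opened from either side is caught), applied inbound on each interface rather than in both directions on one, and the show commands used to confirm it is doing something. The ACL name and the FastEthernet interface names are assumptions; substitute whatever the router actually has.

```cisco
! Added example, not from the thread. ACL name and interface names are assumed.
ip access-list extended BLOCK-P2P
 remark Kazaa (1214) and Gnutella (6346-6347), TCP and UDP, either port position
 deny   tcp any any eq 1214 log
 deny   tcp any eq 1214 any log
 deny   udp any any eq 1214 log
 deny   udp any eq 1214 any log
 deny   tcp any any range 6346 6347 log
 deny   tcp any range 6346 6347 any log
 deny   udp any any range 6346 6347 log
 deny   udp any range 6346 6347 any log
 remark Every ACL ends with an implicit "deny ip any any"; this line lets the rest through
 permit ip any any
!
! Inbound on the LAN side catches inside hosts starting P2P sessions;
! inbound on the Internet side catches outside peers connecting in.
! No outbound ACL is needed, so each packet is checked once.
interface FastEthernet0/0
 description LAN side (assumed name)
 ip access-group BLOCK-P2P in
!
interface FastEthernet0/1
 description Internet side (assumed name)
 ip access-group BLOCK-P2P in
!
! Verification:
!   show access-lists BLOCK-P2P                              (per-entry hit counters)
!   show ip interface FastEthernet0/0 | include access list  (confirms where it is applied)
!   show logging                                             (the "log" entries, rate-limited)
```

The "log" keyword is there to prove the matches while you test; on a 2600 it adds CPU cost of its own, so remove it from the deny lines once the counters show the rules are working. Check the hit counters after a few minutes of normal traffic: if the P2P entries stay at zero while the gamers still complain, the clients have moved to other ports and a port-based ACL will not help.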

KingDaveRa
30th November 2004, 12:53
<silly question>
OK, I didn't know Cisco routers could do this. I suppose there's no reason why they shouldn't though.

If they can do this, what does a PIX do that a normal router doesn't? Is it things like stateful inspection and the like?
</silly question>

WhiteKnight
30th November 2004, 14:54
Yes, basically.

You can make a router into a firewall (including NAT and the like) but a PIX offers more control over it from a "stopping things coming in that shouldn't" point of view.

It has "fixup" controls that monitor packet data for content (like making sure you don't get iffy SMTP requests sent to your mail server and the like).

It also has IDS (Intrusion Detection System) to allow you to monitor incoming attacks better.

Basically a PIX is designed to do the FW task, a router isn't, but it can be a basic FW if required.

KingDaveRa
30th November 2004, 21:57
I knew they could do NAT. It's packet mangling, which falls into a router's remit I suppose.

Pretty much what I thought, so ta :)

bvark
2nd December 2004, 10:03
The key theoretical difference between a router ACL and a firewall is that the firewall is stateful - it will build a table of open TCP connections and UDP conversations, and only allow packets in that match existing conversations as well as port/src/dst/protocol filtering rules.

The line gets a bit blurred these days, especially in Cisco-land when stateful firewalling is a feature set available on many of the CPU-forwarding routers. NAT is available pretty much across the product line.

Practically most older firewalls (including the PIX) are not distinct from a hardware point of view, they're general purpose CPU forwarding boxes with Ethernet or other interfaces, just like routers.
Indeed, the original PIXs were just PCs, and you could build your own and put the Cisco software on yourself (if you didn't mind breaking the law).

Newer firewalls tend to have hardware firewalling support, using ASICs, FPGAs or other dedicated firewall-rule-set specific hardware.
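What the stateful feature set on a CPU-forwarding router looks like in practice, added here as an example (it is not from the thread): IOS Firewall / CBAC "ip inspect" on the Internet-facing interface. Outgoing TCP and UDP sessions are recorded in a state table, and only replies that match an existing entry are let back in, ahead of a static ACL that otherwise drops everything unsolicited. This needs an IOS image with the firewall feature set; the ACL, inspection rule and interface names are assumptions.

```cisco
! Added example, not from the thread. Assumes an IOS Firewall (CBAC) image;
! names are made up for illustration.
!
! Static filter for traffic arriving from the Internet: nothing unsolicited.
! CBAC adds temporary entries that are checked before this ACL, so replies
! to sessions opened from inside still get through.
ip access-list extended FROM-INTERNET
 remark inbound: only return traffic for sessions inside hosts opened
 deny   ip any any log
!
! Inspection rule: track outgoing TCP and UDP so the router knows which
! replies belong to a real conversation and which are unsolicited.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
!
interface FastEthernet0/1
 description Internet side (assumed name)
 ip access-group FROM-INTERNET in
 ip inspect INSIDE-OUT out
!
! Verification:
!   show ip inspect sessions    (live entries in the state table)
!   show ip inspect config      (confirms rule and where it is applied)
!   show access-lists FROM-INTERNET
```

The difference from the plain ACL earlier in the thread is visible in "show ip inspect sessions": each outbound connection appears as an entry with its source and destination address and port, and disappears when the session ends or times out. Anything from outside that does not match an entry hits the static deny and shows up in the log, which is also where a port-based filter alone would have been silent.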