One might also suggest that explicit "denials", as opposed to explicit "permits", as an access-control policy is a fundamentally flawed security approach in the first place....

My $.02,

- ferg

-- "Scott Morris" <swm@emanon.com> wrote:

Tcp/1719 is part of the H323 Gatekeeper default ports (which can be changed)
Tcp/1720 is the H.225 call setup port, and I haven't heard of this being a configurable port.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joe Shen
Sent: Thursday, November 11, 2004 6:40 AM
To: NANGO
Subject: How to Blocking VoIP ( H.323) ?

Hi,

How could it be done to block VoIP at access router?

I've thought about using ACL to block UDP port 1719, but this could be overcome by modifying protocol port number.

regards

Joe

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
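
The contrast raised in this thread, as an added example that is not part of the original messages: a first-match ACL evaluator run over a deny-list and a permit-list policy. The permitted services, the flows and the relocated port 11719 are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    proto: Optional[str]     # "tcp", "udp", or None for any protocol
    dport: Optional[int]     # destination port, or None for any port

class Flow(NamedTuple):
    label: str
    proto: str
    dport: int

def evaluate(acl, flow):
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in acl:
        if rule.proto in (None, flow.proto) and rule.dport in (None, flow.dport):
            return rule.action
    return "deny"

# Deny-list: block the H.323 ports named in the thread, permit everything else.
DENY_LIST = [
    Rule("deny", "udp", 1719),
    Rule("deny", "tcp", 1719),
    Rule("deny", "tcp", 1720),
    Rule("permit", None, None),
]

# Permit-list: allow only approved services (constructed set); the implicit
# deny at the end of evaluate() drops everything else.
PERMIT_LIST = [
    Rule("permit", "udp", 53),
    Rule("permit", "tcp", 80),
    Rule("permit", "tcp", 443),
]

# Constructed flows; 11719 stands in for a gatekeeper moved off its default port.
FLOWS = [
    Flow("H.225 call setup, default port", "tcp", 1720),
    Flow("gatekeeper, default port", "udp", 1719),
    Flow("gatekeeper, relocated port", "udp", 11719),
    Flow("HTTPS", "tcp", 443),
]

def compare(flows=FLOWS):
    """Map each flow label to (deny-list verdict, permit-list verdict)."""
    return {f.label: (evaluate(DENY_LIST, f), evaluate(PERMIT_LIST, f)) for f in flows}

if __name__ == "__main__":
    for label, (deny_verdict, permit_verdict) in compare().items():
        print(f"{label:32} deny-list={deny_verdict:7} permit-list={permit_verdict}")
```

The permit-list verdict depends only on port numbers, so it says nothing about which protocol is actually carried on a permitted port.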