Firewall Wizards mailing list archives
Blocking MSN (and any other service for that matter)
From: Jean Paul López <jplopez () netthink es>
Date: Thu, 22 Apr 2004 16:22:50 +0200
Hi there, I hope my words find you all well :)

I stumbled across this forum when looking for a workable solution regarding blocking certain users - and others not - for chat services. I use OpenBSD pf and, instead of using a proxy (which is the commonly found advice on the internet), I came up with the following - straightforward - approach (which blocks MSN completely, even the ads, and allows other services to be added to the services tables and IP tables easily).

For the BOFH fans among us (*evil grin*): The brass ordered inexorably that interns should not have access to IM. Hell, why not? The targeted alternative proxy system available happens to be a dedicated CS server... <BOFH mode = "666"> *clicketyclick* </BOFH mode> }XD *ahem* ;)

Here are the relevant instructions from my own pf.conf:

    # Groups
    #
    # table IM not permitted
    table <NoIM> { 192.168.1.210 192.168.1.211 192.168.1.212 192.168.1.213 \
                   192.168.1.214 192.168.1.215 192.168.1.216 192.168.1.217 \
                   192.168.1.218 192.168.1.219 192.168.1.220 192.168.1.221 \
                   192.168.1.222 192.168.1.223 192.168.1.224 192.168.1.225 }

    # table IPs in use by MSN IM
    table <IM_IPs> { 65.54.194.117 207.68.178.239 207.46.104.0/24 \
                     207.46.111.0/24 207.46.107.0/24 207.46.110.0/24 }

    # IM IP tables
    #
    # Table of permitted IPs
    table <YesIM> { 192.168.1.71 \
                    192.168.1.129 192.168.1.130 192.168.1.131 192.168.1.132 \
                    192.168.1.133 192.168.1.134 192.168.1.135 192.168.1.136 \
                    192.168.1.137 192.168.1.138 192.168.1.139 192.168.1.140 \
                    192.168.1.141 192.168.1.142 192.168.1.143 192.168.1.144 \
                    192.168.1.145 192.168.1.146 192.168.1.147 192.168.1.148 \
                    192.168.1.149 192.168.1.150 192.168.1.151 192.168.1.152 \
                    192.168.1.153 192.168.1.154 192.168.1.155 192.168.1.156 \
                    192.168.1.157 192.168.1.158 192.168.1.159 192.168.1.160 \
                    192.168.1.161 192.168.1.162 192.168.1.163 192.168.1.164 \
                    192.168.1.165 192.168.1.166 192.168.1.167 192.168.1.168 \
                    192.168.1.169 192.168.1.170 192.168.1.171 192.168.1.172 \
                    192.168.1.173 192.168.1.174 192.168.1.175 192.168.1.176 \
                    192.168.1.177 192.168.1.178 192.168.1.179 192.168.1.180 \
                    192.168.1.181 192.168.1.182 192.168.1.183 192.168.1.184 \
                    192.168.1.185 192.168.1.186 192.168.1.187 192.168.1.188 \
                    192.168.1.189 192.168.1.190 }

    # Services
    #
    # emule & edonkey...
    tcp_emule = "{ 4661 4662 3000 4242 4343 4646 4661 4662 4711 5555 6667 6969 7777 7778 8888 }"
    udp_emule = "{ 4665 4672 }"
    tcp_IM = "{ 80 1863 6891 6892 6893 6894 6895 6896 6897 6898 6899 6900 6901 5190 }"
    udp_IM = "{ 80 1863 5190 6901 }"

    # Default policy
    block in log all

    # VPN & local
    pass quick on enc0 all keep state
    pass quick on lo0 all keep state
    pass proto tcp from <YesIM> to any
    pass proto udp from <YesIM> to any
    #
    # /VPN & local
    #
    # Blocks for internal users (quick rules)
    #
    block log quick proto tcp from <NoIM> to <IM_IPs> port $tcp_IM
    block log quick proto udp from <NoIM> to <IM_IPs> port $udp_IM

As said, just look up the specific ports for any (P2P?) connection you need to zap and narrow down, if necessary, with netstat to get all the available server IPs for the specific software and add them to the IP and services tables.

That's all folks!!!! :-D

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
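As an added example (not part of the original post), a small Python model of pf's rule evaluation applied to the tables and rules above: it reports which LAN hosts the ruleset lets through to the listed MSN addresses, and shows that a <NoIM> host talking to a port or address missing from the tables is stopped only by the default block, so those lists must be complete if a broader pass rule is ever added. The Rule class, verdict() and the 192.168.1.50 test host are my own constructions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Tables transcribed from the post's pf.conf (NoIM/YesIM written as ranges).
TABLES = {
    "NoIM": [ip_network(f"192.168.1.{n}") for n in range(210, 226)],
    "YesIM": [ip_network("192.168.1.71")] + [ip_network(f"192.168.1.{n}") for n in range(129, 191)],
    "IM_IPs": [ip_network(s) for s in ("65.54.194.117", "207.68.178.239", "207.46.104.0/24",
                                       "207.46.111.0/24", "207.46.107.0/24", "207.46.110.0/24")],
}
TCP_IM = {80, 1863, 5190, *range(6891, 6902)}  # $tcp_IM
UDP_IM = {80, 1863, 5190, 6901}                 # $udp_IM

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False
    proto: Optional[str] = None       # None = any protocol
    src: Optional[str] = None         # table name, None = any source
    dst: Optional[str] = None         # table name, None = any destination
    ports: Optional[Set[int]] = None  # destination ports, None = any port

    def matches(self, proto, src, dst, dport):
        def in_table(name, ip):
            return name is None or any(ip in n for n in TABLES[name])
        return (self.proto in (None, proto) and in_table(self.src, src)
                and in_table(self.dst, dst) and (self.ports is None or dport in self.ports))

# The post's enc0/lo0 rules are interface-specific and omitted; this models LAN traffic.
RULES = [
    Rule("block"),                                   # block in log all
    Rule("pass", proto="tcp", src="YesIM"),          # pass proto tcp from <YesIM> to any
    Rule("pass", proto="udp", src="YesIM"),          # pass proto udp from <YesIM> to any
    Rule("block", quick=True, proto="tcp", src="NoIM", dst="IM_IPs", ports=TCP_IM),
    Rule("block", quick=True, proto="udp", src="NoIM", dst="IM_IPs", ports=UDP_IM),
]

def verdict(proto, src, dst, dport, extra_rules=()):
    """pf semantics: the last matching rule wins, except that a matching 'quick' rule
    ends evaluation at once. extra_rules are appended after the post's rules."""
    src, dst = ip_address(src), ip_address(dst)
    result = "pass"  # pf's implicit default when no rule matches (unreachable here)
    for r in list(RULES) + list(extra_rules):
        if r.matches(proto, src, dst, dport):
            result = r.action
            if r.quick:
                break
    return result
```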