Firewall Wizards mailing list archives
RE: Blocking IM via DNS
From: "d'Ambly, Jeff" <jdambly () monster com>
Date: Fri, 31 Aug 2001 16:39:13 -0400
Well there are a couple of ways to do this:

1) Block port 5190. However, this no longer works; if it fails on 5190 it tries every other available port.

2) Put your users on a proxy and block login.oscar.aol.com.

3) Create an outbound access-list on your WAN interfaces, or make it inbound on your Ethernet:

   ! ACL number 101 added for valid IOS syntax; the original omitted it
   access-list 101 deny ip any host 205.188.7.176
   access-list 101 deny ip any host 205.188.3.160
   access-list 101 deny ip any host 205.188.3.176
   access-list 101 deny ip any host 205.188.5.204
   access-list 101 deny ip any host 205.188.5.208
   access-list 101 deny ip any host 205.188.7.164
   access-list 101 deny ip any host 205.188.7.168
   access-list 101 deny ip any host 205.188.7.172
   ! without this final permit the implicit deny-all would block everything
   access-list 101 permit ip any any

4) Route their traffic to null0:

   ip route 205.188.7.176 255.255.255.255 null0
   ip route 205.188.3.160 255.255.255.255 null0
   ip route 205.188.3.176 255.255.255.255 null0
   ip route 205.188.5.204 255.255.255.255 null0
   ip route 205.188.5.208 255.255.255.255 null0
   ip route 205.188.7.164 255.255.255.255 null0
   ip route 205.188.7.168 255.255.255.255 null0
   ip route 205.188.7.172 255.255.255.255 null0

If this were me I would go with the access-list, and I would put it on our firewall; this way I could use it but no one else. They don't call it privileged mode for nothing ;-)

--
Jeff d'Ambly
Network Engineer
http://www.monster.com
--------------------------------
Stay the patient course. Of little worth is your ire. The network is up.

-----Original Message-----
From: Simeon Johnston [mailto:simeonuj () eetc com]
Sent: Thursday, August 30, 2001 12:45 PM
To: IPTables; ipchains; firewall wizards; FOCUS-LINUX
Subject: Blocking IM via DNS

I have asked this before and have blocked AIM and others but am wondering if there is an easier way? In iptables (I think you can do this) I could block by URL. But that is another rule and DNS lookup that the FW has to do. Why not change those addresses on the internal DNS to point to something bogus? Like login.oscar.aol.com for AIM would point to a bogus internal address. Would this work?

That way the ports wouldn't matter. I would just need to find out what URL the IM is looking for. Is this possible? IIRC all the IMs need to log in to some server. So blocking that server would be fairly easy w/ a false DNS lookup. That way I don't have to continually look up the new IPs of the URL, and blocking the ports (which is impossible for some IM) would be unnecessary. And one of them uses the NNTP protocol for communication. We use news servers so I can't block that. Any input? BTW, we have complete control over the internal DNS and lookups go to that computer.

sim
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
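A concrete form of the internal-DNS override Simeon asks about, as an added example that is not part of the original thread or either poster's configuration: a BIND named.conf fragment that makes the internal resolver authoritative for login.oscar.aol.com, plus the matching zone file that answers with a non-routable sinkhole address. The sinkhole address (192.0.2.1, from the TEST-NET-1 documentation range), the zone file path, the nameserver name and the serial are assumptions chosen for the example, not values from the page.

```bind
// --- named.conf fragment on the internal resolver (added example; path assumed) ---
// Declaring the login host as a local master zone means every client that
// resolves through this server gets the sinkhole answer instead of AOL's.
zone "login.oscar.aol.com" IN {
    type master;
    file "/etc/bind/sinkhole/login.oscar.aol.com.zone";
};

; --- /etc/bind/sinkhole/login.oscar.aol.com.zone (added example; names assumed) ---
; Short TTL so a later change (or removal of the sinkhole) is picked up quickly.
$TTL 300
@   IN SOA  ns1.internal.example. hostmaster.internal.example. (
            2001083101 ; serial (assumed)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN NS   ns1.internal.example.
; Sinkhole: TEST-NET-1 is never routed, so the client's login attempt
; simply fails instead of reaching a host you would then have to firewall.
    IN A    192.0.2.1
```

After reloading named, `dig @ns1.internal.example login.oscar.aol.com A +short` should return 192.0.2.1. The same limitation Jeff raises in his point 1 applies here: the sinkhole only affects clients that resolve the name through the internal server, so it pairs best with egress rules that stop clients from using outside resolvers or connecting to a hardcoded address directly.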