Re: Blocking we browsing completely and allowing only Skype out to the Internet

[John Adams <jna () retina net>]

While I don't know why you'd want to do this (the web is a very  
useful business tool), it's pretty easy.

Here goes:

First, Permit access to the skype website. At last check this is:

www.skype.com   canonical name = web1.skype.com.
Name:   web1.skype.com
Address: 204.9.163.136
Name:   web1.skype.com
Address: 198.173.5.35

So, on a Cisco, that's:

access-list 101 permit tcp any host 204.9.163.136 eq 80
access-list 101 permit tcp any host 204.9.163.136 eq 443
access-list 101 permit tcp any host 198.173.5.35 eq 80
access-list 101 permit tcp any host 198.173.5.35 eq 443

# Then block HTTP ports 80,443,8080, etc..
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 8080

# And as a last rule, permit traffic to the internet...
access-list 101 permit ip any any

The skype port is 36013, and that should pass with the above ruleset,  
although skype does use 80 and 443 to get around firewalls. This  
might cause some trouble communicating with some clients. I recommend  
that you don't do this at all.

If you're interested in restricting web usage, why not look at  
products like Bluecoat or other transparent (WCCP) web proxies?

-j



On Oct 23, 2007, at 1:28 PM, Siju George wrote:

> Hi,
>
> Is anybody doing Something like this on any of their firewalls?
>
> i.e blocking all web browsing and at the same time allowing only skype
> to the outside world?
>
> Could you please let me know how you do that?
>
> Thank you so much
>
> Kind Regards
>
> Siju
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards