Date:      Sat, 25 Jan 2003 09:52:22 -0500 (EST)
From:      Marco Radzinschi <marco@radzinschi.com>
To:        Doug Poland <doug@polands.org>
Cc:        <questions@FreeBSD.ORG>
Subject:   Re: IPFW, blocking IM servers
Message-ID:  <20030125093953.O74053-100000@radzinschi.com>
In-Reply-To: <34651.63.104.35.130.1043185192.squirrel@email.polands.org>

On Tue, 21 Jan 2003, Doug Poland wrote:

> Sorry for this slightly off-topic post...  Is there a comprehensive
> list of IM servers (names, IPs) available?  I'd like to block IM
> servers from certain users on my network.
>
> From what I've gathered on google, the only effective strategy is to
> use firewall (in my case, IPFW) rules to block IPs, names.
>
> --
> Regards,
> Doug

Block everything going out, and set up a Squid proxy server for web
access. Furthermore, only allow the Squid proxy access to HTTP port 80 and
SSL port 443, and any others like gopher or FTP which you want to allow.

This will take care of most rogue programs, with the exception of the
newer ones like MSN, Yahoo, and AOL Messenger programs, which will use an
HTTP proxy.

The way to get around this is to only allow the Squid Proxy server access
to the internet, run an internal nameserver, and use Squid access control
lists (ACLs). With ACLs, one can block entire domains, subdomains, or
hosts.  ACLs will also allow you to give some users full access and
restrict others.

Squid will do reverse DNS lookups if a user were to use an IP address
instead of a domain name to bypass a block, and it will block it as well.
This is where running an internal nameserver is key, and denying external
DNS lookups from user machines.  Since the user machines will use a Squid
proxy, the proxy will do DNS lookups on their behalf.

I have a text file on the Squid proxy which contains a list of blocked
sites, which I include below.  Only a technically astute user would be
able to bypass this setup. Since this would require very deliberate and
complicated steps, such as setting up a VPN tunnel through SSL, this would
be clear grounds for termination.

Here is my Squid deny list, which has blocked MSN messenger, AOL Instant
Messenger, Yahoo Messenger, and various other annoyances.

.login.oscar.aol.com
.bucp1-vip-m.blue.aol.com
.bucp2-vip-m.blue.aol.com
.aim.com
.messenger.hotmail.com
.messenger.msn.com
.messenger.microsoft.com
.icq.com
.csa.yahoo.com
.pager.yahoo.com
.msg.edit.yahoo.com
.cs.yahoo.com
.messenger.yahoo.com
.messenger.yahoo.akadns.net
.msg.yahoo.com
.chat.yahoo.com
.chat.sc5.yahoo.com
.kazaa.com
.kazaa.net
.weatherbug.com
.winmx.com
.morpheus.com
.filetopia.com
.filetopia.net
.filetopia.org
.gnutella.com
.gnutella.net
.gnutella.org
.jabber.com
.jabber.net
.jabber.org

Marco Radzinschi
E-Mail: marco@radzinschi.com

Sat Jan 25 09:39:53 EST 2003
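An added example, not part of Marco's message: the IPFW ruleset for the setup he describes (users reach only the proxy and the internal nameserver, only the proxy host goes out on 80 and 443), together with the squid.conf lines that consult a deny list file holding the entries above. It assumes Squid and the nameserver run on the firewall host; the interface names, addresses, port and file path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original message: IPFW rules for the policy
# described above (users reach only the proxy and internal DNS; only the
# proxy host talks to the Internet) plus the squid.conf ACL lines that
# consult the deny list. Interfaces, addresses and paths are assumptions.
set -eu

FWCMD="${FWCMD:-/sbin/ipfw}"            # set FWCMD=echo to preview the rules
EXT_IF="${EXT_IF:-fxp0}"                # interface towards the Internet (assumed)
LAN_IF="${LAN_IF:-xl0}"                 # interface facing the user machines (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # user network (assumed)
PROXY_PORT="${PROXY_PORT:-3128}"        # Squid listens here on this host

# Assumes Squid and the internal nameserver run on the firewall host ("me").
load_rules() {
    "$FWCMD" -f flush
    "$FWCMD" add 100 allow ip from any to any via lo0
    "$FWCMD" add 150 check-state
    # Users may talk only to the proxy and to the internal nameserver
    "$FWCMD" add 200 allow tcp from "$LAN_NET" to me "$PROXY_PORT" in via "$LAN_IF"
    "$FWCMD" add 210 allow udp from "$LAN_NET" to me 53 in via "$LAN_IF"
    # Direct DNS and everything else from the users (IM ports included) is dropped
    "$FWCMD" add 300 deny log ip from "$LAN_NET" to any in via "$LAN_IF"
    # The proxy host itself: HTTP, SSL and DNS out; replies come back via the state table
    "$FWCMD" add 400 allow tcp from me to any 80,443 out via "$EXT_IF" keep-state
    "$FWCMD" add 410 allow udp from me to any 53 out via "$EXT_IF" keep-state
    "$FWCMD" add 65000 deny log ip from any to any
}

# squid.conf fragment: blocked.txt holds one ".domain" entry per line (matches the
# domain and its subdomains); staff get full access, other users get the filtered web
squid_acl_conf() {
    cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.1.0/24
acl staff src 192.168.1.10 192.168.1.11
acl blocked dstdomain "/usr/local/etc/squid/blocked.txt"
http_access allow staff
http_access deny blocked
http_access allow lan
http_access deny all
EOF
}

case "${1:-}" in
    apply) load_rules ;;
    squid) squid_acl_conf ;;
esac
```

`sh fw.sh apply` loads the rules (`FWCMD=echo sh fw.sh apply` just prints them) and `sh fw.sh squid` prints the squid.conf lines.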

