Date: Sat, 25 Jan 2003 09:52:22 -0500 (EST)
From: Marco Radzinschi <marco@radzinschi.com>
To: Doug Poland
Subject: Re: IPFW, blocking IM servers
In-Reply-To: <34651.63.104.35.130.1043185192.squirrel@email.polands.org>
Message-ID: <20030125093953.O74053-100000@radzinschi.com>
List: freebsd-questions@freebsd.org

On Tue, 21 Jan 2003, Doug Poland wrote:

> Sorry for this slightly off-topic post... Is there a comprehensive
> list of IM servers (names, IPs) available? I'd like to block IM
> servers from certain users on my network.
>
> From what I've gathered on google, the only effective strategy is to
> use firewall (in my case, IPFW) rules to block IPs, names.
>
> --
> Regards,
> Doug

Block everything going out, and set up a Squid proxy server for web access. Furthermore, only allow the Squid proxy access to HTTP port 80 and SSL port 443, and any others like gopher or FTP which you want to allow. This will take care of most rogue programs, with the exception of the newer ones like MSN, Yahoo, and AOL Messenger programs, which will use an HTTP proxy.

The way to get around this is to only allow the Squid proxy server access to the internet, run an internal nameserver, and use Squid access control lists (ACLs). With ACLs, one can block entire domains, subdomains, or hosts. ACLs will also allow you to give some users full access and restrict others. Squid will do reverse DNS lookups if a user were to use an IP address instead of a domain name to bypass a block, and it will block it as well. This is where running an internal nameserver is key, and denying external DNS lookups from user machines. Since the user machines will use a Squid proxy, the proxy will do DNS lookups on their behalf.

I have a text file on the Squid proxy which contains a list of blocked sites, which I include below. Only a technically astute user would be able to bypass this setup. Since this would require very deliberate and complicated steps, such as setting up a VPN tunnel through SSL, this would be clear grounds for termination.

Here is my Squid deny list, which has blocked MSN Messenger, AOL Instant Messenger, Yahoo Messenger, and various other annoyances.

    .login.oscar.aol.com
    .bucp1-vip-m.blue.aol.com
    .bucp2-vip-m.blue.aol.com
    .aim.com
    .messenger.hotmail.com
    .messenger.msn.com
    .messenger.microsoft.com
    .icq.com
    .csa.yahoo.com
    .pager.yahoo.com
    .msg.edit.yahoo.com
    .cs.yahoo.com
    .messenger.yahoo.com
    .messenger.yahoo.akadns.net
    .msg.yahoo.com
    .chat.yahoo.com
    .chat.sc5.yahoo.com
    .kazaa.com
    .kazaa.net
    .weatherbug.com
    .winmx.com
    .morpheus.com
    .filetopia.com
    .filetopia.net
    .filetopia.org
    .gnutella.com
    .gnutella.net
    .gnutella.org
    .jabber.com
    .jabber.net
    .jabber.org

Marco Radzinschi
E-Mail: marco@radzinschi.com
Sat Jan 25 09:39:53 EST 2003

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
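The list above is in Squid `dstdomain` syntax, where a leading dot covers the domain itself and every subdomain, and is normally wired in with `acl im_block dstdomain "/path/to/list"` plus `http_access deny im_block`. The following is an added example, not part of Marco's post or of Squid, that reimplements that matching rule in Python so the decisions the post describes can be checked offline: name-based requests are compared against a subset of the list, and a literal IP is first mapped through a constructed reverse-DNS table standing in for the PTR lookup Squid would perform.

```python
import ipaddress

# Constructed subset of the post's deny list, in Squid dstdomain syntax.
BLOCKED_DSTDOMAINS = [
    ".login.oscar.aol.com",
    ".aim.com",
    ".messenger.hotmail.com",
    ".messenger.msn.com",
    ".pager.yahoo.com",
    ".kazaa.com",
]

# Constructed stand-in for reverse-DNS answers (RFC 5737 documentation
# addresses, hypothetical host names); a live proxy would resolve these.
REVERSE_DNS = {
    "203.0.113.10": "cs1.pager.yahoo.com",
    "203.0.113.20": "www.example.net",
}


def dstdomain_matches(host: str, pattern: str) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and any
    subdomain (on a label boundary); a pattern with no leading dot matches
    that exact host only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_blocked(dest, deny_list=BLOCKED_DSTDOMAINS, rdns=REVERSE_DNS) -> bool:
    """Decide a request's destination the way the post describes: an IP
    literal is reverse-resolved first so it cannot sidestep a name block,
    then the resulting name is checked against the deny list."""
    try:
        ipaddress.ip_address(dest)
        name = rdns.get(dest)
        if name is None:
            # No PTR record: a domain ACL cannot match, so the request falls
            # through to whatever later http_access rules say (here: allow).
            return False
    except ValueError:
        name = dest  # not an IP literal, use the host name as given
    return any(dstdomain_matches(name, p) for p in deny_list)
```

Note that the IP-literal path only works when the address has a usable PTR record, which is why the post pairs the ACL with an internal nameserver and an outbound block on everything except the proxy.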