Firewall Wizards mailing list archives

Blocking MSN (and any other service for that matter)


From: Jean Paul López <jplopez () netthink es>
Date: Thu, 22 Apr 2004 16:22:50 +0200

Hi there,

I hope my words find you all well :)

I stumbled across this forum when looking for a workable solution regarding
blocking certain users - and not others - from chat services. I use OpenBSD pf
and instead of using a proxy (which is the commonly found advice on the
internet), I came up with the following straightforward approach (which
blocks MSN completely, even the ads, and allows other services to be added
to the services tables and IP tables easily).

For the BOFH fans among us (*evil grin*): the brass ordered inexorably that
interns should not have access to IM. Hell, why not? The targeted
alternative proxy system available happens to be a dedicated CS server...
<BOFH mode = "666"> *clicketyclick* </BOFH mode> }XD

*ahem* ;)

Here are the relevant instructions from my own pf.conf:

# Groups
#
# Hosts that are NOT allowed to use IM (the interns)
table <NoIM> { 192.168.1.210 192.168.1.211 192.168.1.212 192.168.1.213
192.168.1.214 192.168.1.215 192.168.1.216 192.168.1.217 192.168.1.218
192.168.1.219 192.168.1.220 192.168.1.221 192.168.1.222 192.168.1.223
192.168.1.224 192.168.1.225 }
# IPs in use by the MSN IM servers (collected with netstat); extend this
# table whenever new server addresses show up, or the block is bypassed
table <IM_IPs> { 65.54.194.117 207.68.178.239 207.46.104.0/24
207.46.111.0/24 207.46.107.0/24 207.46.110.0/24 }
#
# Hosts that ARE allowed to use IM (must not overlap with <NoIM>)
table <YesIM> { 192.168.1.71 192.168.1.129 192.168.1.130 192.168.1.131
192.168.1.132 192.168.1.133 192.168.1.134 192.168.1.135 192.168.1.136
192.168.1.137 192.168.1.138 192.168.1.139 192.168.1.140 192.168.1.141
192.168.1.142 192.168.1.143 192.168.1.144 192.168.1.145 192.168.1.146
192.168.1.147 192.168.1.148 192.168.1.149 192.168.1.150 192.168.1.151
192.168.1.152 192.168.1.153 192.168.1.154 192.168.1.155 192.168.1.156
192.168.1.157 192.168.1.158 192.168.1.159 192.168.1.160 192.168.1.161
192.168.1.162 192.168.1.163 192.168.1.164 192.168.1.165 192.168.1.166
192.168.1.167 192.168.1.168 192.168.1.169 192.168.1.170 192.168.1.171
192.168.1.172 192.168.1.173 192.168.1.174 192.168.1.175 192.168.1.176
192.168.1.177 192.168.1.178 192.168.1.179 192.168.1.180 192.168.1.181
192.168.1.182 192.168.1.183 192.168.1.184 192.168.1.185 192.168.1.186
192.168.1.187 192.168.1.188 192.168.1.189 192.168.1.190 }
# Services
#
# Destination ports per application. The block rules match on port AND
# server IP, so a port shared with other traffic (80) only bites for <IM_IPs>.
tcp_emule= "{ 3000 4242 4343 4646 4661 4662 4711 5555 6667 6969 7777 7778
8888 }" # emule & edonkey...
udp_emule= "{ 4665 4672 }"
tcp_IM= "{ 80 1863 6891 6892 6893 6894 6895 6896 6897 6898 6899 6900 6901
5190 }" # MSN (1863, 6891-6901, 80) and AIM/ICQ (5190)
udp_IM= "{ 80 1863 5190 6901 }"
# Default policy
block in log all
# VPN & local
pass quick on enc0 all keep state
pass quick on lo0 all keep state
# Permitted hosts: stateful, like the rules above, so replies to their
# sessions get through the default block
pass proto tcp from <YesIM> to any keep state
pass proto udp from <YesIM> to any keep state
#
# /VPN & local
#
# Blocks for internal users (quick rules)
#
# pf normally takes the LAST matching rule; "quick" makes the first match
# final, so these rules win over any pass rule that follows them. <NoIM>
# and <YesIM> are disjoint, so the pass rules above never cover these hosts.
block log quick proto tcp from <NoIM> to <IM_IPs> port $tcp_IM
block log quick proto udp from <NoIM> to <IM_IPs> port $udp_IM

As said, just look up the specific ports for any (P2P?) connection you need to
zap and narrow down, if necessary, with netstat to get all the available
server IPs for the specific software, and add them to the IP and services
tables.

That's all folks!!!! :-D

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
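The netstat step described in the post (collect the server IPs the IM client actually talks to, then add them to the pf table) as an added example; this is not code from the original post. It assumes OpenBSD-style `netstat -an` output where the port is joined to the address with a dot (`207.46.104.20.1863`); the table name `IM_IPs` and the ports 1863 and 5190 are taken from the pf.conf above, and the netstat listing embedded below is constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): harvest the remote IPs of live
# IM sessions from saved `netstat -an` output and emit a pf table line that
# can be pasted into pf.conf or loaded at runtime with
#   pfctl -t IM_IPs -T add <ip> ...
# Table name, port list and the netstat sample are assumptions.

# im_server_ips FILE PORTS
#   FILE  : saved output of `netstat -an -f inet` (OpenBSD format, port joined
#           to the address with a dot, e.g. 207.46.104.20.1863)
#   PORTS : space-separated list of server ports that identify the service
# Prints each distinct foreign IPv4 address seen on one of PORTS, one per line,
# in numeric order.
im_server_ips() {
    awk -v ports="$2" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
        f = split($5, a, ".")          # foreign address column, "a.b.c.d.port"
        if (f != 5) next               # skips "*.*" listeners and IPv6 rows
        ip = a[1] "." a[2] "." a[3] "." a[4]
        if ((a[5] in want) && !(ip in seen)) { seen[ip] = 1; print ip }
    }' "$1" | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# pf_table NAME IP...  -> one-line pf table definition for pf.conf
pf_table() {
    name=$1; shift
    printf 'table <%s> { %s }\n' "$name" "$*"
}

# write_sample FILE: constructed netstat listing (not real captured data):
# two interns on MSN, one plain web session, one AIM/ICQ-style session on 5190
# and an SSH listener.
write_sample() {
    cat >"$1" <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.1.210.49152    207.46.104.20.1863     ESTABLISHED
tcp        0      0  192.168.1.211.49153    65.54.194.117.1863     ESTABLISHED
tcp        0      0  192.168.1.210.49154    207.46.104.20.1863     ESTABLISHED
tcp        0      0  192.168.1.212.49155    198.51.100.7.80        ESTABLISHED
udp        0      0  192.168.1.210.5190     203.0.113.9.5190
tcp        0      0  *.22                   *.*                    LISTEN
EOF
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
# Only the IM-specific ports: port 80 is deliberately left out, because it
# would sweep every ordinary web server into the block table as well.
IPS=$(im_server_ips "$SAMPLE" "1863 5190")
pf_table IM_IPs $IPS      # unquoted on purpose: one argument per IP
rm -f "$SAMPLE"
```

Run it against a real `netstat -an` snapshot taken on a machine with the IM client open; the interesting caveat is the port list: feeding it `80` as well returns the web server `198.51.100.7` from the sample, which is exactly the kind of address you do not want in `<IM_IPs>`, so harvest on the service-specific ports first and add port-80 servers only after checking them by hand.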
