
Stopping Yahoo Messenger using iptables/chains


Sherif Mansour
November 29th, 2005, 09:29 AM
Seriously though, any takers on this... how do you stop Yahoo Messenger using a central firewall? All I can think of is using an active IDS, setting a custom signature for Yahoo Messenger packets and stopping it....

Let me know what you guys do.

Saruman
November 29th, 2005, 03:57 PM
On my Linux partition I use the Guarddog firewall frontend for iptables; it has listings for all protocols used by IM programs, and you can select block, allow, or reject.

CrazyM
November 30th, 2005, 12:01 AM
-{ Quote: "Seriously though, any takers on this... how do you stop Yahoo Messenger using a central firewall? All I can think of is using an active IDS, setting a custom signature for Yahoo Messenger packets and stopping it...." }-
Are you trying to deal with the normal ports associated with the client, or with the case when the client uses something like HTTP, which is generally permitted globally?

Regards,

CrazyM

Sherif Mansour
November 30th, 2005, 04:32 AM
By HTTP blocking I assume you mean we can also block the web messenger. I don't think we can stop it unless we filter by packet/protocol and not by IP ranges or port ranges; they seem to use a lot of them, and it's very tedious to try to do that for every type of messenger... then there are proxies....

Since we use iptables for our firewall I'll give Guarddog a try; it seems to support a bunch of protocols..... Worst comes to worst, I'll just take the iptables rules it sets and implement them on our firewall if it's too messy (we are talking about a gateway here).

I still say an active IDS is the way to go though..... and I am not that familiar with Snort and not sure how to pull it off... we'll see!

CrazyM
November 30th, 2005, 04:36 AM
Is this in a work/business environment? If so, are there no policies in place for systems and what is installed, can be installed or used, etc.?

Regards,

CrazyM

Sherif Mansour
November 30th, 2005, 04:42 AM
There are policies, and by and large they are enforced. However, local admins, because of their access privileges on their machines, can technically install anything, so we were looking for a technical solution to this.

Sherif Mansour
December 1st, 2005, 08:11 AM
Dear all,

I'm working with a Linux gateway/firewall and I have been having trouble blocking services such as Yahoo Messenger in an office environment. Yahoo can use an HTTP proxy to bypass the firewall, and aside from using an active IDS and setting it to stop packets with the signatures of IM packets such as Yahoo's, I am not sure what to do.

I have come across IPP2P, which "searches the payload of TCP packets for signaling patterns of P2P networks." I am not sure how to replicate that for chat protocols, and I doubt it's the same thing I am looking for, as what I am trying to do is independent of port number.

I have thought of testing the Guarddog front end for iptables, then seeing how the back end works and replicating that on our gateway.

“IPP2P works together with connection tracking and connection marking - in that way you can catch the bigger part of all P2P packets and limit the bandwidth rate.”

How can I use connection tracking and connection marking to my advantage to stop Messenger clients? Or am I barking up the wrong tree?

Let me know what you guys suggest... I found a guy talking about this problem on insecure.org who mentioned an active IDS.


Is anyone making an IPP2P-style module for chat/IM? ... bad idea?

Jazzie1
December 1st, 2005, 12:42 PM
Hi! I am currently using Astaro and have Yahoo dropped by both rules and IPS/IDS signatures. I use the integrated content filter, which will detect illegal use of a foreign proxy and drop the connection(s)... You can optionally do it manually for each client. Just edit /etc/rc.d/rc.firewall.up

and after the line:

/sbin/iptables -P OUTPUT ACCEPT

(add)

/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 192.168.2.3 --dport 5050 -j DROP


You can also implement an ACL in Squid to catch the traffic if they decide to bypass the content filter or the proxy (or both)... Smoothwall also works great with the advanced proxy mod... Good luck

Jazzie
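
The rule above only works while the client keeps to port 5050; the earlier post asked how to catch the same traffic when the client falls back to an HTTP proxy, and how connection tracking and marking help. The following script is an added example written for this thread, not Jazzie's or Sherif's code and not part of any product mentioned here. It matches the ASCII magic "YMSG" that every Yahoo Messenger protocol message begins with, on any port, and uses CONNMARK so that once one packet of a flow has been identified every later packet of that flow is dropped too. Assumed names: LAN_DEV (the inside interface, what the Smoothwall/IPCop scripts call $GREEN_DEV), YMSG_MARK, and the IPT variable, which defaults to "echo iptables" so the script only prints the rules until you run it with IPT=/sbin/iptables. It needs the iptables "string" match and the CONNMARK target/match, and conntrack must be loaded.

```shell
#!/bin/sh
# Added example (not from the original thread): port-independent Yahoo
# Messenger blocking with iptables string matching plus connection marking.
#
# Assumptions (mine, not from the posts):
#   - kernel/iptables with the "string" match and CONNMARK target/match
#   - LAN_DEV is the inside interface (the posts call it $GREEN_DEV)
#   - IPT defaults to "echo iptables", i.e. a dry run that prints the rules;
#     run with IPT=/sbin/iptables to really apply them
#
# Why this catches more than "--dport 5050": every YMSG protocol message
# starts with the ASCII magic "YMSG", whatever port the client was told to
# use, including a session tunnelled through an HTTP proxy on 80/8080.
# As soon as one packet of a connection carries the magic, the connection
# is marked in conntrack and every further packet of it is dropped in both
# directions, so the client cannot keep the session alive with packets that
# happen not to contain the magic.  Caveats: it cannot see inside TLS, and
# the mark lives in conntrack, so nf_conntrack (ip_conntrack on 2.6-era
# kernels) must be loaded.

IPT=${IPT:-"echo iptables"}
LAN_DEV=${LAN_DEV:-eth1}
YMSG_MARK=0x1

ymsg_block_rules() {
    # 1. Tag: in the mangle table (CONNMARK is always permitted there),
    #    at PREROUTING, mark the connection when a packet from the LAN
    #    carries the YMSG magic anywhere in its payload.  Boyer-Moore is
    #    the fast search algorithm for a fixed string.
    $IPT -t mangle -A PREROUTING -i "$LAN_DEV" -p tcp \
        -m string --algo bm --string "YMSG" \
        -j CONNMARK --set-mark "$YMSG_MARK"

    # 2. Enforce: in filter/FORWARD drop every packet of a marked
    #    connection.  Inserted at position 1 so it runs before the usual
    #    "ESTABLISHED,RELATED -j ACCEPT" rule would let the flow through.
    $IPT -I FORWARD 1 -m connmark --mark "$YMSG_MARK" -j DROP

    # 3. Visibility: log hits (rate-limited) so you can see which hosts
    #    still run the client.  Inserted at position 1 after the DROP, so
    #    the final order is LOG, then DROP.
    $IPT -I FORWARD 1 -m connmark --mark "$YMSG_MARK" \
        -m limit --limit 6/min -j LOG --log-prefix "YMSG-BLOCK: "
}

# Dry-run sanity helper: how many emitted rules mention the YMSG magic
# (the string match and the log prefix; the bare DROP does not).
ymsg_rule_count() {
    ymsg_block_rules | grep -c 'YMSG'
}

ymsg_block_rules
```

Run it once as is to review the rules, then with IPT=/sbin/iptables on the gateway. Keep Jazzie's per-host port rule if you like, but note that the string match is what closes the HTTP-proxy hole, and that a Snort signature for the same "YMSG" magic is the IDS equivalent of rule 1.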