stopping yahoo messenger using IPtables/chains

Discussion in 'other firewalls' started by Sherif Mansour, Nov 29, 2005.

Thread Status:
Not open for further replies.
  1. Sherif Mansour

    Sherif Mansour Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    10
    Seriously though, any takers on this... how do you stop Yahoo Messenger using a central firewall? All I can think of is using an active IDS and setting a custom signature for Yahoo Messenger packets to stop it....

    Let me know what you guys do
     
  2. Saruman

    Saruman Guest

    On my Linux partition I use the Guarddog firewall frontend for iptables; it has listings for all protocols used by IM programs, and you can select block, allow, or reject.
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Are you trying to deal with the normal ports associated to the client or when the client uses something like HTTP which is generally permitted globally?

    Regards,

    CrazyM
     
  4. Sherif Mansour

    Sherif Mansour Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    10
    By HTTP blocking I assume you mean we can also block the web messenger. I don't think we can stop it unless we filter by packet/protocol and not by IP ranges or port ranges; they seem to use a lot of them and it's very tedious to try and do that for every type of messenger.... then there are proxies....

    Since we use iptables for our firewall I'll give Guarddog a try; it seems to support a bunch of protocols..... worst comes to worst I'll just take the IP rules it sets and implement them on our firewall if it's too messy (we are talking about a gateway here)

    I still say an active IDS is the way to go though..... and I am not that familiar with Snort and not sure how to pull it off... we'll see!
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Is this at a work/business environment? If so, are there no policies in place for systems and what is installed, can be installed or used, etc.?

    Regards,

    CrazyM
     
  6. Sherif Mansour

    Sherif Mansour Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    10
    There are policies, and by and large they are enforced; however, local admins, because of their access privileges on their machine, can technically install anything, so we were looking for a technical solution to this.
     
  7. Sherif Mansour

    Sherif Mansour Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    10
    Dear all,

    I'm working with a Linux gateway/firewall and I have been having trouble blocking services such as Yahoo Messenger in an office environment. Yahoo can use an HTTP proxy to bypass the firewall, and aside from using an active IDS and setting it to stop packets with signatures of IM packets such as Yahoo, I am not sure what to do.

    I have come across IPP2P, which "searches the payload of TCP packets for signaling patterns of P2P networks." I am not sure how to replicate that for chat protocols, and I doubt it's the same thing I am looking for, as what I am trying to do is independent of port number.

    I have thought of testing the Guarddog frontend for iptables, then seeing how the backend works and replicating that on our gateway.

    "IPP2P works together with connection tracking and connection marking - in that way you can catch the bigger part of all P2P packets and limit the bandwidth rate."

    How can I use connection tracking and connection marking to my advantage to stop Messenger clients? Or am I barking up the wrong tree?

    Let me know what you guys suggest... I found a guy talking about this problem on insecure.org who mentioned an active IDS.

    Anyone making an IPP2P module for Chat/IM? ...bad idea?
     
  8. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi! I am currently using Astaro and have Yahoo dropped both by rules and by IPS/IDS signatures. I use the integrated content filter, which will detect illegal use of a foreign proxy and drop the connection(s)... You can optionally do it manually for each client. Just edit /etc/rc.d/rc.firewall.up

    and after the line:

    /sbin/iptables -P OUTPUT ACCEPT

    (add)

    /sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 192.168.2.3 --dport 5050 -j DROP


    You can also implement an ACL in Squid to catch the traffic if they decide to bypass the content filter or proxy/both... Smoothwall also works great with the advanced proxy mod... Good luck

    Jazzie
     
    Last edited: Dec 2, 2005