
Re: [suse-security] How to block MSN using SuSEfirewall2?

On Fri, 2004-02-20 at 17:25, Arjen de Korte wrote:
> On Friday 20 February 2004 09:23, Ray Leach wrote:
> > So, are you saying that squid can proxy any protocol?
> No, I'm saying because MSN Chat is able to work via a proxy AFAIK, security 
> wise it is probably a better solution than using masquerading of the internal 
> network and firewalling the ports in question.
Except that MSN Messenger is a crafty little piece of cr#p. It uses UPnP
(initially on TCP port 1863) to try and find a way through the firewall
and bypass the squid proxy.

> Since there is a Squid proxy on the network already, this will provide far 
> better granularity for whom and when to block access and will provide much 
> better access (proxy authentication comes to mind) and logging facilities 
> than you'll ever get with a masquerading/firewall based approach. Therefore I 
> think it is a better solution to block access on the proxy.
If there is a squid proxy on the network, then it should have ACLs
similar to these in order to block MSN messenger:

acl msnmessenger req_mime_type -i ^X-MSN-Messenger$
http_access deny msnmessenger

> One may need to block other ports/hosts than I mentioned previously, but this 
> can be done fairly easily once you have gathered a few days worth of proxy 
> access logfiles and know which ports and hosts the girl in question needs for 
> chatting.
> Best regards,
> Arjen
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
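Added example, not part of this thread and not Squid's own code: Arjen suggests reading a few days of proxy access logs to learn which hosts and ports the chat client actually uses before writing deny rules. The script below parses Squid's native access.log format per client, groups requests by destination host, port and logged content type, and turns the hosts seen with a given content type into a dstdomain ACL that can sit next to the req_mime_type rule Ray posted. The log lines and hostnames (*.invalid) are constructed for the example.

```python
"""Summarise a Squid native-format access.log per client.

Native format (one request per line):
  time elapsed client action/code bytes method URL ident hierarchy/peer type

The sample log below is constructed; hostnames use the reserved
.invalid TLD and are placeholders, not real chat servers.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

SAMPLE_LOG = """\
1077300001.100    120 192.168.1.50 TCP_MISS/200 845 GET http://www.example.invalid/index.html - DIRECT/10.0.0.1 text/html
1077300002.200     60 192.168.1.50 TCP_MISS/200 310 POST http://gateway.chat.invalid/gateway/gateway.dll?Action=open - DIRECT/10.0.0.2 application/x-msn-messenger
1077300003.300     45 192.168.1.50 TCP_MISS/200 0 CONNECT chat.invalid:1863 - DIRECT/10.0.0.3 -
1077300004.400    200 192.168.1.77 TCP_HIT/200 5120 GET http://www.example.invalid/logo.png - NONE/- image/png
1077300005.500     30 192.168.1.50 TCP_DENIED/403 1200 POST http://gateway.chat.invalid/gateway/gateway.dll?Action=poll - NONE/- application/x-msn-messenger
"""


def parse_line(line):
    """Return a dict with client, host, port, mime, method, denied; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    url = d["url"]
    if d["method"] == "CONNECT":
        # CONNECT requests log "host:port" rather than a full URL
        host, sep, port = url.rpartition(":")
        if not sep:
            host, port = url, "443"
        port = int(port) if port.isdigit() else 443
    else:
        parts = urlsplit(url)
        host = parts.hostname or url
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "client": d["client"],
        "host": host,
        "port": port,
        "mime": d["mime"],
        "method": d["method"],
        "denied": d["result"].startswith("TCP_DENIED"),
    }


def summarise(log_text):
    """Map client -> {(host, port, mime): request count}."""
    per_client = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_client[rec["client"]][(rec["host"], rec["port"], rec["mime"])] += 1
    return per_client


def hosts_with_mime(log_text, mime_pattern):
    """Sorted list of destination hosts whose logged content type matches the pattern."""
    rx = re.compile(mime_pattern, re.IGNORECASE)
    return sorted({r["host"] for r in map(parse_line, log_text.splitlines())
                   if r is not None and rx.search(r["mime"])})


def dstdomain_acl(name, hosts):
    """Render a Squid dstdomain ACL plus its deny rule for the given hosts."""
    return "acl %s dstdomain %s\nhttp_access deny %s" % (name, " ".join(hosts), name)


if __name__ == "__main__":
    for client, dests in sorted(summarise(SAMPLE_LOG).items()):
        print(client)
        for (host, port, mime), n in sorted(dests.items()):
            print("  %-28s port %-5d %-28s x%d" % (host, port, mime, n))
    print(dstdomain_acl("msnhosts", hosts_with_mime(SAMPLE_LOG, r"msn-messenger")))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the per-client table shows which destinations a given workstation reaches, and the generated dstdomain rule complements the req_mime_type ACL for traffic that does not carry the MSN content type (the CONNECT to port 1863 in the sample would need a separate CONNECT/port rule).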
