On Thu, 09 Sep 2004 14:07:11 +0200, Patrick Benson <benson@chello.se>
wrote:
> mynullvoid wrote:
> >
> > Hi,
> >
> > I had saw a few patches to be applied in order to get
> > the firewall to block based on the application.
I know there is a patch to Netfilter to handle layer 7.
I don't know how Shorewall would interact with it (natively).
http://l7-filter.sourceforge.net/
> > At the moment I am having problem to block ICQ and
> > Yahoo Msgr. Even I only open a few ports like, the ICQ
> > still able to connect through port 80.
> >
> > Any add-in module for shorewall or anyone able to do
> > this?
>
> If you want to block ICQ just add a rule, that is if your policy is
> loc -> net = ACCEPT:
>
> REJECT loc net tcp 5190
>
> since ICQ servers use tcp port 5190 for logins. I'm not familiar with
> Yahoo, just that the IM chat needs tcp,udp 5050 for the initial
> connection but there are those who have some cumbersome ways of going
> about it..
>
> http://lists.sans.org/pipermail/list/2003-January/055660.html
>
> The point being, just make sure that the login connection is blocked
> from the beginning, when they're in, well, they're in.... ;)
Nowadays all messengers (and even Kazaa and other software) have a
"fall-back" mechanism. If they cannot connect to the 1863, 5050 or 5090
ports, they will use the HTTP and HTTPS ports.
For messengers, with a minimal effort using standard Shorewall, you
can block the Login server for each service.
See this for a list of common login servers:
http://nscsysop.hypermart.net/no_chat.html
-Gilson Soares
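To make the two approaches in this thread concrete, here is an added example of a Shorewall `/etc/shorewall/rules` fragment; it is not from any poster and not from the Shorewall project. It assumes the zones `loc` and `net` with a `loc -> net ACCEPT` policy, as Patrick describes, and uses `LOGIN_SERVER_HOSTNAME` as a placeholder for one of the login servers from the list Gilson links to (the thread itself names no host).

```text
#ACTION         SOURCE  DEST                        PROTO   DEST PORT(S)
# 1. Port-based blocks for the native login ports named in the thread.
#    The :info suffix logs each rejected attempt, so the fall-back to
#    80/443 that Gilson describes becomes visible in the firewall log.
REJECT:info     loc     net                         tcp     5190    # ICQ/AIM login
REJECT:info     loc     net                         tcp,udp 5050    # Yahoo Messenger
REJECT:info     loc     net                         tcp     1863    # MSN Messenger
# 2. Login-server block for the HTTP/HTTPS fall-back: match the destination
#    host instead of the port. Shorewall resolves the name when the firewall
#    starts, so the rules must be reloaded if the server's address changes.
#    LOGIN_SERVER_HOSTNAME is a placeholder; take real names from the linked list.
REJECT:info     loc     net:LOGIN_SERVER_HOSTNAME   tcp     80,443
```

After editing the file, `shorewall check` validates the syntax and `shorewall restart` applies it; the logged rejects (visible with `shorewall show log`) are the quickest way to confirm that a client is retrying over 80/443 and that the hostname rule is catching it.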