Hi,

I'm trying to block Windows Messenger with Shorewall 1.4.10b, but I'm not having success.

With the rules below, all access is blocked:

/etc/shorewall/rules
# Windows Messenger Rules
REJECT:info loc net tcp 1863
REJECT:info fw net tcp 1863

But if I use the rules below, any access is allowed. Why????

/etc/shorewall/rules
# Windows Messenger Rules
REJECT:info loc:$MSN net tcp 1863
REJECT:info fw net tcp 1863

and

/etc/shorewall/params
MSN=172.88.14.65,172.88.14.77

What's wrong???

Best Regards,

Anderson.
MSN also will use UDP ports as an alternative. The apparent ports used by the more popular messaging services are as follows (ports listed apply to both LOCAL & REMOTE ports):

Yahoo:       TCP: 80, 5000-5050                 UDP: 5000-5050
MSN:         TCP: 1863                          UDP: 1503, 3389, 5004-65535
AOL IM:      TCP: 5190-5193                     UDP: 5190-5193
NetMeeting:  TCP: 1720, 1024-1503, 1504-65534   UDP: 1024-65534

On Tue, 16 Nov 2004 20:44:30 -0200, Anderson do Carmo Watanabe de Oliveira <anderson@institutopaideia.org> wrote:
> Hi,
>
> I'm trying to block Windows Messenger with Shorewall 1.4.10b, but I'm not having success.
> [...]
>
> Best Regards,
>
> Anderson.
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Gary Buckmaster wrote:
> MSN also will use UDP ports as an alternative.

And the IP addresses in the original post appear to have nothing to do with MSN.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
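A small model of how Shorewall's SOURCE column treats "loc" versus "loc:$MSN", added here as an illustration and not taken from the thread or from Shorewall's own code: it expands $MSN from a constructed params file, then checks which of the two rule sets in the first post would match a connection from an ordinary LAN host to TCP 1863. It assumes the Shorewall 1.4 column order ACTION SOURCE DEST PROTO DEST-PORT(S) and simplifies params to plain NAME=value lines; with "loc:$MSN" only connections sourced from those two addresses are rejected, so the rest of the zone falls through to the policy.

```python
import ipaddress
import re

# Constructed copies of the params file and the two rule sets from the first post.
PARAMS = "MSN=172.88.14.65,172.88.14.77\n"
RULES_WHOLE_ZONE = "# Windows Messenger Rules\nREJECT:info loc net tcp 1863\nREJECT:info fw net tcp 1863\n"
RULES_MSN_HOSTS = "# Windows Messenger Rules\nREJECT:info loc:$MSN net tcp 1863\nREJECT:info fw net tcp 1863\n"

def parse_params(text):
    """Simplified params reader: NAME=value lines only, no shell syntax (assumption)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def parse_rules(text, params):
    """Rule columns (Shorewall 1.4 order): ACTION SOURCE DEST PROTO DEST-PORT(S)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        line = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), line)  # expand $MSN
        action, src, dst, proto, dports = line.split()[:5]
        zone, _, addrs = src.partition(":")  # "loc:a,b" -> zone "loc", hosts [a, b]
        hosts = [ipaddress.ip_address(a) for a in addrs.split(",") if a]
        rules.append((action.split(":")[0], zone, hosts, dst, proto, dports))
    return rules

def port_matches(spec, port):
    for part in spec.split(","):  # Shorewall writes ranges as low:high
        low, _, high = part.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False

def first_match(rules, src_zone, src_ip, dst_zone, proto, dport):
    """Action of the first matching rule, or None when the zone policy decides instead."""
    ip = ipaddress.ip_address(src_ip)
    for action, zone, hosts, dst, prot, dports in rules:
        if (zone, dst, prot) != (src_zone, dst_zone, proto) or not port_matches(dports, dport):
            continue
        if not hosts or ip in hosts:  # an empty host list means the whole zone
            return action
    return None
```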
Didn't even look at that part. For MSN, you shouldn't need to add a block rule for their systems. Just blocking those ports should be enough. Yahoo IM will default to using port 80, so it is necessary to block port 80 traffic directed to the Yahoo IM servers, but that goes beyond the scope of his question.

On Tue, 16 Nov 2004 15:10:07 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> Gary Buckmaster wrote:
> > MSN also will use UDP ports as an alternative.
>
> And the IP addresses in the original post appear to have nothing to do
> with MSN.
>
> -Tom
Unfortunately, all IMs have an HTTP/HTTPS FAIL OVER mechanism. Try blocking all outgoing access except HTTP, HTTPS and DNS: they will still connect.

Two suggestions:
1) block their authenticating servers' IPs.
2) use a transparent proxy via squid and block their "http" traffic.

Some examples for the second one can be found at http://www.google.com/search?q=msnoverhttp&hl=en&lr=&safe=off&filter=0

[Guilsson]

On Tue, 16 Nov 2004 17:16:05 -0600, Gary Buckmaster <inherently.evil@gmail.com> wrote:
> Didn't even look at that part. For MSN, you shouldn't need to add a
> block rule for their systems. Just blocking those ports should be
> enough. Yahoo IM will default to using port 80, so it is necessary to
> block port 80 traffic directed to the Yahoo IM servers, but that goes
> beyond the scope of his question.
>
> On Tue, 16 Nov 2004 15:10:07 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> > Gary Buckmaster wrote:
> > > MSN also will use UDP ports as an alternative.
> >
> > And the IP addresses in the original post appear to have nothing to do
> > with MSN.
> >
> > -Tom