Hi all

Has anyone had any success in accounting with MSN messenger? The rules in my shorewall setup are to allow any connections from LAN to fw, so there are no restrictions on MSN.

Regards
Ray

-- 
Ray Booysen
rj_booysen@rjb.za.net

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Ray Booysen wrote:
> Hi all
>
> Has anyone had any success in accounting with MSN messenger? The
> rules in my shorewall setup are to allow any connections from LAN to
> fw, so there are no restrictions on MSN.
>
> Regards
> Ray

Ah ha! Finally got it. If you block port 1863 TCP, this forces MSN to use port 80 and POSTs the messages to a server. You can then block the messages using iptables' string matching.

E.g.

    iptables -A <chain> -p TCP --sport 80 -m string --string "text/x-msmsgscontrol" -j DROP --algo bm

Any way of implementing this type of rule in shorewall?

Regards
Ray

-- 
Ray Booysen
rj_booysen@rjb.za.net
Ray Booysen wrote:
> Ray Booysen wrote:
>> Hi all
>>
>> Has anyone had any success in accounting with MSN messenger? The
>> rules in my shorewall setup are to allow any connections from LAN to
>> fw, so there are no restrictions on MSN.
>>
>> Regards
>> Ray
>
> Ah ha! Finally got it. If you block port 1863 TCP, this forces MSN to
> use port 80 and POSTs the messages to a server. You can then block
> the messages using iptables' string matching.
>
> E.g.
>
>     iptables -A <chain> -p TCP --sport 80 -m string --string "text/x-msmsgscontrol" -j DROP --algo bm
>
> Any way of implementing this type of rule in shorewall?
>
> Regards
> Ray

And of course I meant MSN blocking, not accounting. :P

-- 
Ray Booysen
rj_booysen@rjb.za.net
On Friday 24 March 2006 07:32, Ray Booysen wrote:
> Ray Booysen wrote:
>> Hi all
>>
>> Has anyone had any success in accounting with MSN messenger? The
>> rules in my shorewall setup are to allow any connections from LAN to
>> fw, so there are no restrictions on MSN.
>>
>> Regards
>> Ray
>
> Ah ha! Finally got it. If you block port 1863 TCP, this forces MSN to
> use port 80 and POSTs the messages to a server. You can then block the
> messages using iptables' string matching.
>
> E.g.
>
>     iptables -A <chain> -p TCP --sport 80 -m string --string "text/x-msmsgscontrol" -j DROP --algo bm
>
> Any way of implementing this type of rule in shorewall?

You can do it in an action with an extension script -- Shorewall will never have native support for string match.

-Tom

-- 
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Friday 24 March 2006 07:32, Ray Booysen wrote:
>
>> Ray Booysen wrote:
>>
>>> Hi all
>>>
>>> Has anyone had any success in accounting with MSN messenger? The
>>> rules in my shorewall setup are to allow any connections from LAN to
>>> fw, so there are no restrictions on MSN.
>>>
>>> Regards
>>> Ray
>>>
>> Ah ha! Finally got it. If you block port 1863 TCP, this forces MSN to
>> use port 80 and POSTs the messages to a server. You can then block the
>> messages using iptables' string matching.
>>
>> E.g.
>>
>>     iptables -A <chain> -p TCP --sport 80 -m string --string "text/x-msmsgscontrol" -j DROP --algo bm
>>
>> Any way of implementing this type of rule in shorewall?
>>
>
> You can do it in an action with an extension script -- Shorewall will never have
> native support for string match.
>
> -Tom

Thanks!

-- 
Ray Booysen
rj_booysen@rjb.za.net
Ray Booysen wrote on 24/03/2006 12:58:18:
> Tom Eastep wrote:
>> On Friday 24 March 2006 07:32, Ray Booysen wrote:
>>
>>> Ray Booysen wrote:
>>>
>>> You can then block the
>>> messages using iptables' string matching.
>>>
>>> E.g.
>>>
>>>     iptables -A <chain> -p TCP --sport 80 -m string --string "text/x-msmsgscontrol" -j DROP --algo bm
>>>
>>> Any way of implementing this type of rule in shorewall?
>>
>> You can do it in an action with an extension script -- Shorewall will never have
>> native support for string match.

I do this here by blocking TCP port 1863 and with squid ACLs:

    acl MSN req_mime_type ^application/x-msn-messenger$ ^text/x-msmsgscontrol$
    http_access allow hotpeople MSN
    http_access deny MSN

You can see a squid thread here:
http://www.squid-cache.org/mail-archive/squid-users/200306/0645.html

In another article, http://hypothetic.org/docs/msn/client/messages.php, there are other types of req_mime_types related to MSN, like text/x-msmsgsinvite, application/x-msnmsgrp2p and others...

Anyway, my Windows AD Group Policy prevents using messenger. This rule is there to prevent use by road warriors and their laptops...

Hope it helps,

-- 
Eduardo Ferreira
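An added example, not code from this thread, from Shorewall or from squid: a small Python model of the two matching approaches discussed above, Ray's iptables string match (a raw substring searched anywhere in the packet) and Eduardo's squid req_mime_type ACL (an anchored regex tested against the request's Content-Type header), run over constructed HTTP samples to show where the two disagree. The hotpeople address list, hostnames and paths are assumptions.

```python
import re
from typing import Optional

# Eduardo's squid ACL: anchored regexes tested against the request's
# Content-Type header (req_mime_type), exactly as written in the thread.
MSN_MIME_PATTERNS = [re.compile(p) for p in (
    r"^application/x-msn-messenger$", r"^text/x-msmsgscontrol$")]
# Ray's iptables rule: a plain substring searched anywhere in the packet.
IPTABLES_STRING = b"text/x-msmsgscontrol"
# Assumed stand-in for the "hotpeople" ACL (constructed address list).
HOTPEOPLE = {"10.0.0.5"}

def parse_headers(raw: bytes) -> dict:
    """Return lowercase header-name -> value for one HTTP message."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_msn_request(raw: bytes) -> bool:
    """squid-style check: Content-Type must match an ACL pattern exactly."""
    ctype = parse_headers(raw).get("content-type", "")
    return any(p.search(ctype) for p in MSN_MIME_PATTERNS)

def iptables_string_matches(raw: bytes) -> bool:
    """iptables-style check: substring anywhere, headers or body."""
    return IPTABLES_STRING in raw

def squid_decision(raw: bytes, client_ip: str) -> Optional[str]:
    """Walk the two http_access lines; None means neither line matched."""
    if not is_msn_request(raw):
        return None
    return "allow" if client_ip in HOTPEOPLE else "deny"

# Constructed samples (hosts and paths are made up).
MSN_POST = (b"POST /gateway HTTP/1.1\r\nHost: gateway.example\r\n"
            b"Content-Type: text/x-msmsgscontrol\r\nContent-Length: 0\r\n\r\n")
FORM_POST = (b"POST /login HTTP/1.1\r\nHost: www.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 0\r\n\r\n")
# A page that merely mentions the MIME type: the substring match fires on
# it (a false positive), the header-based ACL does not.
HTML_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<p>MSN control frames use text/x-msmsgscontrol.</p>")
```

The HTML_PAGE case is the caveat with `-m string`: it inspects every packet from port 80 and will drop ordinary web content that happens to contain the marker, while the proxy ACL only sees the declared request type.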