Hello everybody!

I love shorewall!

One thing I would really like to know how to get right is how to block Skype
exactly?

I understand it uses port 443 etc. but is there any way of doing this?
Surely other people have tried this?

--
Divan Santana
Skype: DivanSantana
Gtalk/MSN: Divan.Santana@GMail.com
Love God, Love People, Love Life!
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Divan Santana wrote:
> Hello everybody!
>
> I love shorewall!
>
> One thing I would really like to know how to get right is how to block Skype
> exactly?
>
> I understand it uses port 443 etc. but is there any way of doing this?
> Surely other people have tried this?

That will be pretty hard. Skype is designed to bypass firewalls and work OK
with NAT; it uses multiple ports and when it does not find any, it goes via
port 80 or any other commonly opened port. Good luck ;-)
On Thursday 10 May 2007 at 04:02 -0400, Cristian Rodriguez R. wrote:
> Divan Santana wrote:
> > Hello everybody!
> >
> > I love shorewall!
> >
> > One thing I would really like to know how to get right is how to block Skype
> > exactly?
> >
> > I understand it uses port 443 etc. but is there any way of doing this?
> > Surely other people have tried this?
>
> That will be pretty hard. Skype is designed to bypass firewalls and work OK
> with NAT; it uses multiple ports and when it does not find any, it goes via
> port 80 or any other commonly opened port. Good luck ;-)

This is a job for a web proxy/filter, not really shorewall:
http://www.net-security.org/article.php?id=876

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Thu, May 10, 2007 at 04:02:04AM -0400, Cristian Rodriguez R. wrote:
> Divan Santana wrote:
> > Hello everybody!
> >
> > I love shorewall!
> >
> > One thing I would really like to know how to get right is how to block Skype
> > exactly?
> >
> > I understand it uses port 443 etc. but is there any way of doing this?
> > Surely other people have tried this?
>
> That will be pretty hard. Skype is designed to bypass firewalls and work OK
> with NAT; it uses multiple ports and when it does not find any, it goes via
> port 80 or any other commonly opened port. Good luck ;-)

Skype is indeed designed to make firewalling impossible, by disguising itself
as HTTPS traffic. However, you can filter it with a proxy (in current versions,
at least):

Prohibit all outbound connections and require everybody to use squid for web
access. Any other outbound protocols must be proxied or otherwise passed
through secure hosts (such as site DNS and mail servers). Include these rules
in the squid config:

  # CONNECT targets that are bare dotted-quad IPv4 addresses
  acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  acl connect method CONNECT
  # deny CONNECT to a numeric IP, from any client
  http_access deny connect numeric_IPs all

Real HTTPS connects to hostname URLs (because that's what the certificates
contain); Skype uses IP addresses. Other non-HTTPS proxy attempts are also
likely to be blocked by this. There is not much you can do about that.
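The decision Andrew's squid ACLs express (deny CONNECT to a bare IP address, allow CONNECT to a hostname) can be checked on sample request lines before it is put in front of users. The script below is an added example written for this page, not code from the thread or from Squid: it reuses the posted regex, parses constructed CONNECT request lines, and compares the regex verdict against a stricter address-literal check. The request lines, the `decide()` policy and the verdict strings are assumptions for illustration. It also shows two edge cases the regex alone misses: a hostname that merely starts with four dotted numbers, and an IPv6 literal.

```python
"""Model of the squid CONNECT policy from the post: deny CONNECT to an IP
literal, allow CONNECT to a hostname. Added example, not from the thread.
"""
import ipaddress
import re

# The regex from the posted squid ACL. It is anchored only at the start,
# so "1.2.3.4.example.com" matches too (a name that starts with digits).
NUMERIC_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Request-line shape: "CONNECT host:port HTTP/1.x"
CONNECT_RE = re.compile(r"^CONNECT\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def parse_connect(request_line):
    """Return (host, port) for a well-formed CONNECT line, else None.
    Handles "[v6]:port" as well as "host:port"."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    target = m.group("target")
    if target.startswith("["):
        host, _, port = target[1:].partition("]:")
    else:
        host, _, port = target.rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 address literal, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def regex_verdict(host):
    """What the posted urlpath_regex ACL decides: deny on match."""
    return "deny" if NUMERIC_RE.match(host) else "allow"


def literal_verdict(host):
    """Stricter check: deny only genuine address literals (v4 and v6)."""
    return "deny" if is_ip_literal(host) else "allow"


def decide(request_line):
    """Policy for one request line (assumed): anything that is not a
    well-formed CONNECT is denied; CONNECT is judged on its host."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "deny"
    host, _port = parsed
    return literal_verdict(host)


# Constructed sample request lines (not taken from the thread).
SAMPLES = [
    "CONNECT www.example.com:443 HTTP/1.1",      # normal HTTPS
    "CONNECT 198.51.100.7:443 HTTP/1.1",         # IPv4 literal
    "CONNECT 198.51.100.7:80 HTTP/1.0",          # IPv4 literal, port 80
    "CONNECT 1.2.3.4.example.com:443 HTTP/1.1",  # name that looks numeric
    "CONNECT [2001:db8::1]:443 HTTP/1.1",        # IPv6 literal
    "GET http://www.example.com/ HTTP/1.1",      # not a CONNECT at all
]


def compare_samples():
    """Map each sample line to (regex verdict, literal verdict)."""
    out = {}
    for line in SAMPLES:
        parsed = parse_connect(line)
        if parsed is None:
            out[line] = ("deny", "deny")
        else:
            out[line] = (regex_verdict(parsed[0]), literal_verdict(parsed[0]))
    return out


if __name__ == "__main__":
    for line, (rx, lit) in compare_samples().items():
        print(f"{line:45} regex={rx:5} literal={lit}")
```

The two checks disagree exactly where it matters: the regex denies `1.2.3.4.example.com` (a legitimate name) and allows `[2001:db8::1]` (an address literal), while the `ipaddress`-based check gets both right. If the proxy in use can only express the regex form, it is worth knowing which way it errs.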
Awesome! This is really great! I thought it was something shorewall can do, but
I can understand perfectly why it's not! Thanks very much!

Given this info below though, how would you allow some source IPs (users) to
connect, as the below would simply deny all?

Wait, I just figured out the above, if anyone is interested! :)

I will do the following rule in /etc/shorewall/rules:

  REDIRECT loc 3129 tcp 443 - !192.168.0.2

The above shorewall rule will not redirect any traffic going to a destination
of 192.168.0.2. But what I would like to do instead is not redirect 443
traffic coming from, say, 192.168.0.2.

Is that possible?
This way I can allow certain IPs to connect to Skype etc.

On Thursday 10 May 2007 10:38:21 Andrew Suffield wrote:
>   acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>   acl connect method CONNECT
>   http_access deny connect numeric_IPs all

--
Divan Santana
Skype: DivanSantana
Gtalk/MSN: Divan.Santana@GMail.com
Love God, Love People, Love Life!
On Saturday 12 May 2007 00:19:58 Divan Santana wrote:
> I will do the following rule in /etc/shorewall/rules:
>
>   REDIRECT loc 3129 tcp 443 - !192.168.0.2
>
> The above shorewall rule will not redirect any traffic going to a destination
> of 192.168.0.2. But what I would like to do instead is not redirect 443
> traffic coming from, say, 192.168.0.2.
>
> Is that possible?

OK, I think I have the answer, will do tests. I think I will do the following
rule:

  REDIRECT loc:!192.168.0.6 3129 tcp 443 - #!82.110.105.11

Yes, this works, wahoo! So now I can specify which IPs go through squid for
https/443 and are blocked, and which IPs are allowed to connect to Skype!
Awesome. Thanks for the help Tristan and Andrew.

One last question. In the following rule:

  REDIRECT loc:!192.168.0.6 3129 tcp 443 - #!82.110.105.11

Is it possible to specify a txt file for some data, e.g.:

  REDIRECT loc:!"/etc/shorewall/allowedskypeusers" 3129 tcp 443 - #!82.110.105.11

And then /etc/shorewall/allowedskypeusers will contain this:

  192.168.0.6

??

--
Divan Santana
Skype: DivanSantana
Gtalk/MSN: Divan.Santana@GMail.com
Love God, Love People, Love Life!
Divan Santana wrote:
> Awesome! This is really great! I thought it was something shorewall can do, but
> I can understand perfectly why it's not! Thanks very much!
>
> Given this info below though, how would you allow some source IPs (users) to
> connect, as the below would simply deny all?
>
> Wait, I just figured out the above, if anyone is interested! :)
>
> I will do the following rule in /etc/shorewall/rules:
>
>   REDIRECT loc 3129 tcp 443 - !192.168.0.2
>
> The above shorewall rule will not redirect any traffic going to a destination
> of 192.168.0.2. But what I would like to do instead is not redirect 443
> traffic coming from, say, 192.168.0.2.
>
> Is that possible?
> This way I can allow certain IPs to connect to Skype etc.

You cannot transparently proxy HTTPS. Your LAN users' web browsers must be
configured to use an HTTPS proxy (which you can do with proxy
autoconfiguration).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

Thanks for the message. At least I understand now how and why it's impossible,
so I will try a different method! :)

Thanks very much!

On Saturday 12 May 2007 00:33:30 Tom Eastep wrote:
> You cannot transparently proxy HTTPS. Your LAN users' web browsers must be
> configured to use an HTTPS proxy (which you can do with proxy
> autoconfiguration).

--
Divan Santana
Skype: DivanSantana
Gtalk/MSN: Divan.Santana@GMail.com
Love God, Love People, Love Life!
Divan Santana wrote:
> Thanks for the message. At least I understand now how and why it's impossible,
> so I will try a different method! :)

If you have sufficiently detailed logging (and graphing) of network traffic
you may be able to spot it by the characteristics of VoIP traffic, which tends
to be a relatively constant flow of smallish packets both ways for the
duration of the call. After that, go educate your users with a piece of
"clue by 4"!
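The traffic shape Simon describes (a steady stream of small packets in both directions for the length of a call) can be turned into a simple flow heuristic. The script below is an added example written for this page, not code from the thread; it is not a Skype signature and will flag any call-like stream. The per-second flow samples are constructed by hand (in practice they would come from NetFlow/sFlow records or interface counters), and the thresholds for packet size, rate and burstiness are assumptions to be tuned against real graphs.

```python
"""Flag call-like flows from per-second packet statistics: steady rate of
small packets in both directions for long enough to be a conversation.
Added example, not from the thread; thresholds are assumptions.
"""
from statistics import mean, pstdev

# One sample per second: (pkts_out, bytes_out, pkts_in, bytes_in)
MIN_DURATION = 10    # seconds of sustained traffic before it counts
MAX_AVG_PKT = 300    # bytes; voice frames plus headers are small
MIN_PPS = 10         # packets per second, each direction
MAX_CV = 0.25        # coefficient of variation of pps: "constant flow"


def direction_stats(pkts, byts):
    """Mean pps, burstiness (stdev/mean of pps) and average packet size."""
    pps_mean = mean(pkts)
    pps_cv = pstdev(pkts) / pps_mean if pps_mean else float("inf")
    avg_pkt = sum(byts) / sum(pkts) if sum(pkts) else 0
    return pps_mean, pps_cv, avg_pkt


def looks_like_call(samples):
    """Return (verdict, reason). Both directions must be steady and small."""
    if len(samples) < MIN_DURATION:
        return False, "too short"
    out_p = [s[0] for s in samples]
    out_b = [s[1] for s in samples]
    in_p = [s[2] for s in samples]
    in_b = [s[3] for s in samples]
    for name, p, b in (("out", out_p, out_b), ("in", in_p, in_b)):
        pps, cv, avg = direction_stats(p, b)
        if pps < MIN_PPS:
            return False, f"{name}: only {pps:.1f} pps"
        if avg > MAX_AVG_PKT:
            return False, f"{name}: avg packet {avg:.0f} B too large"
        if cv > MAX_CV:
            return False, f"{name}: rate too bursty (cv={cv:.2f})"
    return True, "steady small packets both ways"


def flag_calls(flows):
    """Return the keys of flows that look like calls, in input order."""
    return [key for key, samples in flows.items() if looks_like_call(samples)[0]]


# Constructed flows (30 seconds each), not real captures.
# A voice call: ~50 pps of ~200-byte packets each way, barely varying.
VOIP_FLOW = [
    (50 + (i % 3) - 1, (50 + (i % 3) - 1) * 200,
     50 + ((i + 1) % 3) - 1, (50 + ((i + 1) % 3) - 1) * 200)
    for i in range(30)
]
# A bulk download: a trickle of ACKs out, full-size segments in.
DOWNLOAD_FLOW = [(20, 20 * 60, 800, 800 * 1400) for _ in range(30)]
# Web browsing: small packets but in bursts, idle every other second.
BROWSE_FLOW = [(40 * (i % 2), 40 * (i % 2) * 100,
                60 * (i % 2), 60 * (i % 2) * 100) for i in range(30)]

FLOWS = {
    "192.168.0.6->203.0.113.9": VOIP_FLOW,
    "192.168.0.7->203.0.113.10": DOWNLOAD_FLOW,
    "192.168.0.8->203.0.113.11": BROWSE_FLOW,
}

if __name__ == "__main__":
    for key, samples in FLOWS.items():
        print(key, looks_like_call(samples))
```

Only the first flow is flagged: the download fails on inbound packet size, and the browsing flow fails on burstiness even though its packets are small. Bulk file transfers over a proxy and HTTPS page loads therefore stay out of the list, which is what keeps the follow-up conversation with the user short.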
Simon Hobson wrote:
> Divan Santana wrote:
>
> > Thanks for the message. At least I understand now how and why it's impossible,
> > so I will try a different method! :)
>
> If you have sufficiently detailed logging (and graphing) of network
> traffic you may be able to spot it by the characteristics of VoIP
> traffic, which tends to be a relatively constant flow of smallish
> packets both ways for the duration of the call. After that, go
> educate your users with a piece of "clue by 4"!

Simon,

Excellent point. Human engineering can mitigate all kinds of bandwidth
shortfalls. One of my low-bandwidth, low-budget charity clients complained
that surfing was slow after I deployed some VoIP and appropriate bandwidth
rules. We got rid of the bandwidth rules, and trained the staff not to
download large work-related items until 4:30pm. Worked like a charm, and they
saved the expense of an additional T1.

--
Michael Cozzi
cozzi@cozziconsulting.com
Divan Santana wrote:
> Hello everybody!
>
> I love shorewall!
>
> One thing I would really like to know how to get right is how to block Skype
> exactly?
>
> I understand it uses port 443 etc. but is there any way of doing this?
> Surely other people have tried this?

Can you provide more information? Do you want to stop Skype on a corporate LAN,
or in a home network? In the first case you can use the corporate security
policy to forbid Skype usage. Also you can use an IDS/IPS to detect and block
the initial Skype requests, providing the IPs to the shorewall blacklist....