Mailinglist Archive: opensuse-security (457 mails)

Re: [suse-security] How to block MSN using SuSEfirewall2?
  • From: Ray Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Sat, 21 Feb 2004 20:34:34 +0200
  • Message-id: <1077388473.25167.44.camel@xxxxxxxxxxxxxxxxx>
On Fri, 2004-02-20 at 17:25, Arjen de Korte wrote:
> On Friday 20 February 2004 09:23, Ray Leach wrote:
>
> > So, are you saying that squid can proxy any protocol?
>
> No, I'm saying because MSN Chat is able to work via a proxy AFAIK, security
> wise it is probably a better solution than using masquerading of the internal
> network and firewalling the ports in question.
>
Except that MSN Messenger is a crafty little piece of cr#p. It uses UPnP
(initially on TCP port 1863) to try and find a way through the firewall
and bypass the squid proxy.


> Since there is a Squid proxy on the network already, this will provide far
> better granularity for whom and when to block access and will provide much
> better access (proxy authentication comes to mind) and logging facilities
> than you'll ever get with a masquerading/firewall based approach. Therefore I
> think it is a better solution to block access on the proxy.
>
If there is a squid proxy on the network, then it should have ACLs
similar to these in order to block MSN messenger:

# Content-Type sent by MSN Messenger when it tunnels over HTTP
acl msnmessenger req_mime_type -i ^application/x-msn-messenger$
http_access deny msnmessenger

> One may need to block other ports/hosts than I mentioned previously, but this
> can be done fairly easily once you have gathered a few days worth of proxy
> access logfiles and know which ports and hosts the girl in question needs for
> chatting.
>
> Best regards,
> Arjen
--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
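
Added example, not part of the original thread: one way to mine a few days of Squid access logs, as suggested in the quoted reply, for the clients, hosts and ports tied to MSN Messenger. It assumes Squid's native access.log format; the log lines, host names and addresses are constructed samples.

```python
from collections import defaultdict
from urllib.parse import urlsplit

MSN_PORT = 1863                            # port named in the thread
MSN_MIME = "application/x-msn-messenger"   # Content-Type of MSN-over-HTTP traffic

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1077388001.120    310 192.168.1.23 TCP_MISS/200 412 POST http://gateway.example.test/gateway/gateway.dll? - DIRECT/203.0.113.10 application/x-msn-messenger
1077388004.551   9120 192.168.1.23 TCP_MISS/200 3390 CONNECT messenger.example.test:1863 - DIRECT/203.0.113.11 -
1077388010.002     85 192.168.1.40 TCP_HIT/200 10240 GET http://www.example.test/index.html - NONE/- text/html
truncated line
"""

def target(method, url):
    """Return (host, port) for a logged request; CONNECT logs host:port."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port) if port.isdigit() else None
    parts = urlsplit(url)
    return parts.hostname, parts.port or 80

def find_msn(log_text):
    """Map client IP -> set of (host, port, reason) that look like MSN."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip malformed or truncated entries
        client, method, url, mime = fields[2], fields[5], fields[6], fields[9]
        host, port = target(method, url)
        if mime.lower() == MSN_MIME:
            hits[client].add((host, port, "mime"))
        elif port == MSN_PORT:
            hits[client].add((host, port, "port"))
    return dict(hits)

if __name__ == "__main__":
    for client, seen in sorted(find_msn(SAMPLE_LOG).items()):
        for host, port, reason in sorted(seen):
            print(f"{client} -> {host}:{port} ({reason})")
```

The per-client output gives the host and port list to feed back into proxy ACLs or firewall rules.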