On Fri, 2004-02-20 at 17:25, Arjen de Korte wrote:
On Friday 20 February 2004 09:23, Ray Leach wrote:
So, are you saying that squid can proxy any protocol?
No, I'm saying because MSN Chat is able to work via a proxy AFAIK, security wise it is probably a better solution than using masquerading of the internal network and firewalling the ports in question.
Except that MSN Messenger is a crafty little piece of cr#p. It uses UPnP (initially on TCP port 1863) to try and find a way through the firewall and bypass the squid proxy.
Since there is a Squid proxy on the network already, this will provide far better granularity for whom and when to block access and will provide much better access (proxy authentication comes to mind) and logging facilities than you'll ever get with a masquerading/firewall based approach. Therefore I think it is a better solution to block access on the proxy.
If there is a squid proxy on the network, then it should have ACLs similar to these in order to block MSN messenger:

  acl msnmessenger req_mime_type -i ^X-MSN-Messenger$
  http_access deny msnmessenger
One may need to block other ports/hosts than I mentioned previously, but this can be done fairly easily once you have gathered a few days worth of proxy access logfiles and know which ports and hosts the girl in question needs for chatting.
Best regards, Arjen

-- 
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
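As an added example (not from the thread or from either poster), here is a small script for the log review Arjen suggests: it parses Squid native-format access.log lines, flags requests to port 1863 or to MSN-looking hosts, and tallies them per client, host, port and allowed/denied outcome so the extra ports and hosts to block can be read off. The sample log lines and the host-name pattern are constructed assumptions; only port 1863 comes from the thread.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Port 1863 is the one named in the thread; the host pattern is an assumption
# to be refined after reviewing a few days of real access logs.
MSN_PORTS = {1863}
MSN_HOST_RE = re.compile(r"(^|\.)messenger\.hotmail\.com$", re.IGNORECASE)

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1077290100.101 345 192.168.1.10 TCP_MISS/200 1234 CONNECT messenger.hotmail.com:1863 - DIRECT/207.46.104.20 -
1077290101.202 12 192.168.1.10 TCP_MISS/200 812 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open - DIRECT/207.46.110.5 text/html
1077290102.303 80 192.168.1.11 TCP_HIT/200 4321 GET http://www.example.org/index.html - NONE/- text/html
1077290103.404 50 192.168.1.10 TCP_DENIED/403 0 CONNECT messenger.hotmail.com:1863 - NONE/- text/html
"""

def parse_line(line):
    """Return (client, action, method, host, port) for one log line, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, action, method, url = fields[2], fields[3], fields[5], fields[6]
    if method == "CONNECT":                 # tunnelled request: URL is host:port
        host, sep, port = url.rpartition(":")
        if not sep:
            host, port = url, "443"
        port = int(port) if port.isdigit() else 0
    else:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return client, action, method, host, port

def is_msn(host, port):
    # Heuristic: a known MSN port or an MSN-looking host name
    return port in MSN_PORTS or bool(MSN_HOST_RE.search(host))

def summarize(log_text):
    """Tally MSN-looking requests per (client, host, port, allowed|denied)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_msn(rec[3], rec[4]):
            continue
        client, action, _method, host, port = rec
        outcome = "denied" if "DENIED" in action else "allowed"
        counts[(client, host, port, outcome)] += 1
    return counts
```

Run `summarize()` over the real access.log contents; each key that comes back "allowed" is a host/port pair the current ACLs still let through.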