[opensuse-security] Blocking Skype
Good afternoon.

My client is running an openSUSE 10.3 gateway server with Squid and fetchmail/postfix/maildrop/qpopper. He wants to restrict Internet HTTP access to servers on an allowed list and no direct access to external mail.

Is there any way I can stop the uncontrolled use of Skype or other messengers from the Windows workstations?

Will appreciate any hint as to how to handle this.

Regards
Wolfgang Kluge
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Tuesday 23 October 2007 12:05:33 kl wrote:
> Good afternoon.
> My client is running an openSUSE 10.3 gateway server with Squid and fetchmail/postfix/maildrop/qpopper. He wants to restrict Internet HTTP access to servers on an allowed list and no direct access to external mail.
> Is there any way I can stop the uncontrolled use of Skype or other messengers from the Windows workstations?
> Will appreciate any hint as to how to handle this.
Hello KL,

We can achieve this through several ways:

1. From squid, blocking the url. For example:

   acl banned dstdomain "/etc/squid/ban.txt"
   http_access deny banned

   contents of ban.txt:
   xxx.com
   yyy.com

2. By iptables:

   For mail:
   iptables -I FORWARD -p tcp --dport 25 -s yourclientip -j DROP

   For messenger (yahoo):
   iptables -I FORWARD -p tcp --dport 5050 -s yourclientip -j DROP

   (skype):
   iptables -I FORWARD -p tcp --dport 443 -s yourclientip -j DROP

However since tcp 443 is https, then any website that uses it will be inaccessible too.

HTH,
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
13:26:48 up 5 min, 2.6.20-16-generic GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
Fajar Priyanto wrote:
> On Tuesday 23 October 2007 12:05:33 kl wrote:
> > Good afternoon.
> > My client is running an openSUSE 10.3 gateway server with Squid and fetchmail/postfix/maildrop/qpopper. He wants to restrict Internet HTTP access to servers on an allowed list and no direct access to external mail.
> > Is there any way I can stop the uncontrolled use of Skype or other messengers from the Windows workstations?
> > Will appreciate any hint as to how to handle this.
>
> Hello KL, We can achieve this through several ways:
>
> 1. From squid, blocking the url. For example:
>
>    acl banned dstdomain "/etc/squid/ban.txt"
>    http_access deny banned
>
>    contents of ban.txt:
>    xxx.com
>    yyy.com
>
> 2. By iptables:
>
>    For mail:
>    iptables -I FORWARD -p tcp --dport 25 -s yourclientip -j DROP
>
>    For messenger (yahoo):
>    iptables -I FORWARD -p tcp --dport 5050 -s yourclientip -j DROP
>
>    (skype):
>    iptables -I FORWARD -p tcp --dport 443 -s yourclientip -j DROP
>
> However since tcp 443 is https, then any website that uses it will be inaccessible too.
>
> HTH,
I'm afraid this would not work - Skype does not necessarily use port 443. Skype will use any available port it finds, even port 80, which I obviously cannot block.

Wolfgang Kluge
kl wrote:
> Fajar Priyanto wrote:
> > On Tuesday 23 October 2007 12:05:33 kl wrote:
> > > My client is running an openSUSE 10.3 gateway server with Squid and fetchmail/postfix/maildrop/qpopper. He wants to restrict Internet HTTP access to servers on an allowed list and no direct access to external mail.
> > > Is there any way I can stop the uncontrolled use of Skype or other messengers from the Windows workstations?
>
> I'm afraid this would not work - Skype does not necessarily use port 443. Skype will use any available port it finds, even port 80, which I obviously cannot block.
Why shouldn't you? As you are already running Squid, you could set it up as (transparent) proxy and block all direct access to port 80. You would have to anyway to accomplish the allowed list requirement of your client.

So just block _any_ direct outside access, use Squid as transparent proxy and implement the allowed list and the Skype problem should be solved automagically.

Regards,
Stefan Seifert
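The setup Stefan describes, as an added example that is not part of the thread or any poster's own configuration: a dry-run script that prints the gateway rules and the Squid allowlist fragment. The interface `eth1`, the subnet, the allowlist path and the helper names `run`, `gateway_rules`, `squid_acl` and `would_allow` are assumptions; `http_port ... transparent` is Squid 2.6 syntax, and `would_allow` is only a simplified model of `dstdomain` matching.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, subnet, port and the
# allowlist path are assumed values; change them for the real gateway.
LAN_IF="${LAN_IF:-eth1}"                 # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed workstation subnet
PROXY_PORT="${PROXY_PORT:-3128}"         # Squid's default http_port
ALLOWLIST="${ALLOWLIST:-/etc/squid/allowed.txt}"   # one domain per line

# Print each command; execute it only when APPLY=1 (dry run by default).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Gateway: no routed path from the LAN to the Internet, on any port.
gateway_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Plain HTTP from the workstations is diverted into the local Squid.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Squid 2.6 syntax: listed domains only. The final deny also applies to
# CONNECT requests, so tunnels to unlisted hosts are refused.
squid_acl() {
    cat <<EOF
http_port $PROXY_PORT transparent
acl lan src $LAN_NET
acl allowed dstdomain "$ALLOWLIST"
http_access allow lan allowed
http_access deny all
EOF
}

# Simplified model of dstdomain matching (case-sensitive, no reverse DNS):
# "example.com" matches that host only, ".example.com" also its subdomains.
would_allow() {   # usage: would_allow HOST ALLOWLIST_FILE
    while read -r entry; do
        case "$entry" in
            .*) case ".$1" in *"$entry") return 0 ;; esac ;;
            *)  if [ "$1" = "$entry" ]; then return 0; fi ;;
        esac
    done < "$2"
    return 1
}

gateway_rules
squid_acl
```

Interception here covers port 80 only, so HTTPS to allowed sites needs the browsers pointed at the proxy explicitly, and the workstations need a DNS resolver they can reach on the gateway or LAN.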
kl wrote:
> Good afternoon.
> My client is running an openSUSE 10.3 gateway server with Squid and fetchmail/postfix/maildrop/qpopper. He wants to restrict Internet HTTP access to servers on an allowed list and no direct access to external mail.
> Is there any way I can stop the uncontrolled use of Skype or other messengers from the Windows workstations?
> Will appreciate any hint as to how to handle this.
Hi,

http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs...

This should offer some hints. I don't know how "current" it is, though, but I assume it is still relevant.

Then, from the same bugtraq-thread:
http://www.icir.org/christian/outback/blackhat-eads-skype.pdf

Seems to be more recent. If you read the above, you know *why* you want to block it ;-)

Best Regards,
Rainer
participants (4)
- Fajar Priyanto
- kl
- Rainer Duffner
- Stefan Seifert