LinuxQuestions.org


ALInux 08-03-2006 06:16 AM

Block MSN Again !!
 
Hi Guys
I've got Squid, Dansguardian and Iptables installed. And I know on what ports msn messenger operates "blocking those ports does not work anymore". I want a solution to totally block the usage of msn messenger on my network. I've read a lot of posts here and elsewhere, the solutions either don't work partially or at all.

Any help would be highly appreciated !!


Note: This might sound silly, but if you redirect all traffic coming to port 1863 to a running daemon on your Linux box "ex: 25" it stops msn messenger from working. But I have different subnets and not all have access to the same ports and this method does not work for me.

peter_robb 08-03-2006 08:51 AM

You will need to do some listening to an MSN connection as it sets up.
Blocking the high ports will force it to use http methods.
Watch the dansguardian logs for the first signs of msn urls, then add them to the url blocklist.

As an added precaution, run a small dns proxy, eg dnsmasq, and add the msn domains to /etc/hosts but with a 127.0.0.1 ip address.
If users can't get dns working, they can't establish calls.

benjithegreat98 08-03-2006 09:40 AM

I've never tried to block MSN Messenger but I do know a good way to block AOL is to add a dns entry to your internal servers where login.oscar.aol.com (or something like that) is 127.0.0.1.

I don't use MSN but maybe you could open up a client and see what it actually connects to in the configuration (if it tells) and block that. Alternately, I've seen where you can just straight out block the IPs that it uses. Users may complain they can't get to hotmail though.....

If you do make the DNS change and it works, your end users might be able to just take out the domain name in the config and replace it with an IP if they are smart enough.

OT: Are you in Lebanon right now? Are you in the northern part or southern part?

ALInux 08-03-2006 11:37 AM

To Peter
Hmm...so what you mean is that if I add the msn urls to url blocklist...msn will not switch to using the http method...? What if they initiate a troubleshoot session and press repair ?

To Ben
I am living in Beirut city..near AUB the American University of Beirut ...which is a relatively safe place..but my house was destroyed.... I've been sleeping at my office for the last 20 days..but if you want me to check out somebody for you I am willing to do so.
-= Mod Note: You can continue this conversation via email pls =-

peter_robb 08-03-2006 11:55 AM

Actually, the other way around.

If you block the high ports with iptables, the logon must use http methods, which dansguardian can control, and you can block.
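The log-watching and DNS steps peter_robb describes above, as an added example that is not part of the original thread: it pulls messenger-related hostnames out of proxy log lines and prints them as bare domains (the form a DansGuardian site list takes) and as 127.0.0.1 hosts-file lines for the dnsmasq box. The function names, the `messenger` keyword, the assumed log layout (the URL is a whitespace-separated field starting with http://) and the sample lines are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample lines, not real logs. Hostnames are illustrative only;
# block what your own proxy logs actually show.
sample_log() {
cat <<'EOF'
2006.8.3 8:40:12 - 192.168.1.23 http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS POST 312
2006.8.3 8:40:13 - 192.168.1.23 http://gateway.messenger.hotmail.com/gateway/gateway.dll?SessionID=1 POST 87
2006.8.3 8:41:02 - 192.168.2.7 http://www.linuxquestions.org/questions/ GET 20480
2006.8.3 8:41:30 - 192.168.2.7 http://Messenger.Hotmail.com:80/ GET 512
EOF
}

# msn_hosts [pattern]: read log lines on stdin and print the unique,
# lower-cased hostnames of logged URLs whose host matches the pattern.
msn_hosts() {
    awk -v pat="${1:-messenger}" '
    {
        for (i = 1; i <= NF; i++) {
            u = tolower($i)
            if (index(u, "http://") != 1 && index(u, "https://") != 1)
                continue
            split(u, p, "/")            # p[3] is the host[:port] part
            host = p[3]
            sub(/[?#].*/, "", host)     # URL with a query but no path
            sub(/:[0-9]+$/, "", host)   # drop an explicit port
            if (host ~ pat && !(host in seen)) {
                seen[host] = 1
                print host
            }
        }
    }' | sort
}

# hosts_lines [pattern]: the same hostnames as hosts-file entries that
# resolve to 127.0.0.1, for the machine running the DNS proxy.
hosts_lines() {
    msn_hosts "$@" | sed 's/^/127.0.0.1 /'
}

echo "# site list candidates"
sample_log | msn_hosts
echo "# hosts-file candidates"
sample_log | hosts_lines
```

Review the output before appending it to any list, since a broad keyword can also match sites users legitimately need.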

ALInux 08-03-2006 12:30 PM

I will try that and post results


All times are GMT -5.