Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Well, this is a common enough question: how to block Yahoo Messenger, MSN, etc. Earlier, the answer used to be: allow through only 'safe' ports like http, smtp, ftp and such, and drop everything else.
Well, this isn't a complete solution. YMessenger, for one, can use other ports like smtp and nntp in addition to http, so how on earth do I block it on my gateway?
Especially the usage of port 80! Alright, I can allow through on port 25 only access to my mail server, and through 119 only to trusted newsgroups, but what about port 80? Do I need to know all the IPs of the Yahoo Messenger servers to drop connections to them? What do the sysadmins recommend?
But your simple or un-simple iptables question is not actually limited to the scope of iptables only; using Squid for this filtering would be very useful.
Apart from Squid and iptables, you can also use Snort (configured with the iptables inline function) for dropping packets.
But the best suggestion would be domain policies: using domain policies to prevent users from installing such applications. This helps stop streaming media as well.
As far as my understanding goes, just using squid won't be enough. Ports proxied by Squid must be blocked by a firewall right? Else you can't force users to use the proxy.
And ultimately, you do have to know the IP ranges/FQDNs of servers you have to block - whether you use squid or not.
I haven't tried Snort with iptables though. Domain policies are the hardest to enforce - it's hard to take control of their own computers away from people.
> As far as my understanding goes, just using squid won't be enough. Ports proxied by Squid must be blocked by a firewall right?
The highlighted text is absolutely correct as a general approach, but in the context of messengers, why would someone be allowing these ports through Squid if he's supposed to enforce a block? (Btw, we can block ports with Squid as well.)
> Else you can't force users to use the proxy.
Are there any clients/users which are being given direct access via MASQUERADING or SNATing? Only if this is the case would we require the same Squid rules to be implemented at the firewall level as well. And here your saying holds: "ports proxied/blocked must be blocked by a firewall also."
> And ultimately, you do have to know the IP ranges/FQDNs of servers you have to block - whether you use squid or not.
Yeah, that is true, since our more conventional way of blocking applications via dport isn't really effective these days (as these days most of the messengers have started falling back to port 80 in case of non-availability of their default ports).
> Domain policies are the hardest to enforce - it's hard to take control of their own computers away from people.
Are we talking about an M$ or a Samba domain?
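As an added example, not from the thread or any poster: a gateway script that does what the last two replies describe. The iptables half forwards only what the original poster wanted to allow directly (port 25 to our own mail server, port 119 to the trusted news servers), accepts LAN connections to Squid running on the gateway, and drops everything else, so a client that is not configured for the proxy gets no web access at all; the Squid half denies the messenger domains and refuses CONNECT to anything but 443, so the messenger cannot tunnel through the proxy either. The interface eth1, the 192.168.1.0/24 LAN, the 192.0.2.25 and 198.51.100.x addresses, proxy port 3128 and the messenger domain list are all placeholders chosen for the example, not values from the thread.

```shell
#!/bin/sh
# Gateway ruleset for the setup discussed in the thread (added example, not
# from the thread). LAN clients may reach only the company mail server on 25
# and the trusted news servers on 119 directly; web access exists only via
# Squid on the gateway; everything else from the LAN is logged and dropped.
# Every address, interface and name below is an assumption for the example.
IPT="${IPT:-iptables}"                   # set IPT=echo for a dry run
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the LAN (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # LAN range (assumed)
MAIL_SERVER="${MAIL_SERVER:-192.0.2.25}" # our SMTP server (assumed)
NEWS_SERVERS="${NEWS_SERVERS:-198.51.100.10 198.51.100.11}"  # trusted NNTP (assumed)
SQUID_PORT="${SQUID_PORT:-3128}"         # Squid listening on the gateway

# Appends to the FORWARD and INPUT chains; run after your base policy,
# not instead of it.
gateway_rules() {
    # Replies to connections the gateway already allowed
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Port 25 only to our own mail server
    "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    # Port 119 only to the trusted news servers
    for ns in $NEWS_SERVERS; do
        "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d "$ns" -p tcp --dport 119 -j ACCEPT
    done
    # Web traffic reaches the outside only through Squid: accept LAN -> gateway
    # on the proxy port. There is deliberately no FORWARD rule for 80 or 443,
    # so a client that bypasses the proxy gets nothing.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # Anything else from the LAN, including whatever port a messenger falls
    # back to, is logged (rate limited) and dropped
    "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j DROP
}

# The application-level half, as a squid.conf fragment: deny the messenger
# domains (placeholder list, assumed; fill in the real server names) and
# refuse CONNECT to anything but 443 so a messenger cannot tunnel through
# the proxy. Order matters: these lines go before your "http_access allow".
squid_acl_fragment() {
    cat <<'EOF'
acl messengers dstdomain .messenger.yahoo.com .msn.com
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny messengers
http_access deny CONNECT !SSL_ports
EOF
}

# Only "apply" touches the system; with no argument the script just defines
# the functions. Dry run:  IPT=echo sh gateway.sh apply
if [ "${1:-}" = "apply" ]; then
    gateway_rules
    echo "# append to squid.conf:"
    squid_acl_fragment
fi
```

Run it as `IPT=echo sh gateway.sh apply` first to see the rules without loading them. The domain list is the part the replies agree you cannot avoid maintaining: once port 80 is reachable only through the proxy, a messenger that falls back to HTTP has to name its servers in the request, and the dstdomain ACL is where that name gets matched.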