How-to Block Msn Messenger and Other IM
-
Hi to all,
I don't know how to block IM with the pfSense firewall. Can you help me, please?
Thanks to all for replying, and sorry for my English :D
-
There are different attempts:
- Block access to the IPs the messengers use to log on (IPs might change)
- Override DNS for the logon servers with the DNS Forwarder (make sure people can only use the DNS forwarder for DNS then)
- Set up a restrictive firewall policy and/or use a proxy
Try Google; ports and server names can be found there.
-
Thanks Hoba for the reply,
I need some help with this problem.
How to block access to the IPs the messengers use to log on (IPs might change)? Can you help me with a step-by-step guide?
or
How to set up a restrictive firewall policy? With a step-by-step guide?
Thanks … :-[
-
Don't know why Microsoft doesn't publish this article in English anymore, but it has the solution (at least for MSN): http://support.microsoft.com/kb/889829
1. Block incoming access at port 1863:
Incoming traffic is blocked by default, but maybe you should set up a block rule at LAN to stop traffic deriving from port 1863.
2. Block HTTP access to "messenger.hotmail.com" and "webmessenger.msn.com" (to also block the HTTP version of the messenger):
Either force your clients to only use the DNS forwarder by blocking DNS traffic that doesn't have the pfSense as destination, and enter fake IPs for these 2 hosts (like resolving them as 127.0.0.1), which might affect other services run by these sites too;
or do an nslookup for these hosts and block traffic at LAN with these hosts as destination, destination port http.
There are similar lists for other messengers (Yahoo, ICQ, …) out there too. As I said, Google is your friend. The only messenger that is hard to stop without some kind of proxy is Skype, as Skype has a P2P infrastructure and doesn't work with fixed servers but with known dynamic supernodes (see http://www.mail-archive.com/support@pfsense.com/msg04808.html for some links on how Skype works and why it is hard to stop).
http://nscsysop.hypermart.net/no_chat.html has some nice info about the different attempts I mentioned too.
-
Hi Hoba,
I've tried to block incoming access at port 1863 with this sequence in FIREWALL: RULES – LAN:
Proto  Source          Port  Destination    Port  Gateway  Description
-      LAN net         *     *              *     *        Default LAN -> any
TCP    192.168.2.0/24  *     *              1863  *        msn block lan
TCP    *               *     65.54.239.140  1863  *        ip msn.hotmail.com
But this solution doesn't work with MSN Messenger or Live Messenger. I tried to add this in DNS FORWARDER:
Domain                 IP         Description
messenger.hotmail.com  127.0.0.1  messenger fake
But it doesn't work?!? Can you help me, please?
-
Put the block rules first! It will work better then ;)
-
> Put the block rules first! It will work better then ;)
Yeah, rules are matched top down and first match wins ;)
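To show why the order matters, here is a small first-match rule evaluator added as an illustration (not code from the thread or from pfSense). It models the three LAN rules posted above and a constructed MSN logon flow from 192.168.2.10 to 65.54.239.140:1863; the "LAN net" alias is assumed to be 192.168.2.0/24, and the unrelated web flow uses a documentation-range address.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp" or "*" for any protocol
    src: str      # CIDR, "*" (any) or the "LAN net" alias
    dst: str      # CIDR or "*"
    dport: str    # destination port as a string, or "*"
    descr: str

# Assumption: the LAN net alias resolves to the subnet used in the thread.
LAN_NET = ipaddress.ip_network("192.168.2.0/24")

def _net_match(spec, addr):
    """True if the address falls inside the rule's source/destination spec."""
    if spec == "*":
        return True
    net = LAN_NET if spec == "LAN net" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net

def matches(rule, proto, src, dst, dport):
    return (rule.proto in ("*", proto)
            and _net_match(rule.src, src)
            and _net_match(rule.dst, dst)
            and rule.dport in ("*", str(dport)))

def evaluate(rules, proto, src, dst, dport):
    """LAN rules are walked top down; the first matching rule decides.
    Returns (action, description), or ('block', 'default deny') if nothing matched."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.descr
    return "block", "default deny"

# The three rules from the post, in pfSense column order (src, src port omitted as '*').
DEFAULT_LAN    = Rule("pass",  "*",   "LAN net",        "*",             "*",    "Default LAN -> any")
BLOCK_1863     = Rule("block", "tcp", "192.168.2.0/24", "*",             "1863", "msn block lan")
BLOCK_MSN_HOST = Rule("block", "tcp", "*",              "65.54.239.140", "1863", "ip msn.hotmail.com")

AS_POSTED = [DEFAULT_LAN, BLOCK_1863, BLOCK_MSN_HOST]   # pass rule first: blocks never reached
REORDERED = [BLOCK_1863, BLOCK_MSN_HOST, DEFAULT_LAN]   # block rules first, as Hoba advised

# Constructed sample flows: an MSN logon and ordinary web traffic from a LAN client.
MSN_LOGON = ("tcp", "192.168.2.10", "65.54.239.140", 1863)
WEB_FLOW  = ("tcp", "192.168.2.10", "198.51.100.7", 80)

if __name__ == "__main__":
    print("as posted :", evaluate(AS_POSTED, *MSN_LOGON))   # ('pass', 'Default LAN -> any')
    print("reordered :", evaluate(REORDERED, *MSN_LOGON))   # ('block', 'msn block lan')
```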