Netgate Discussion Forum

    How-to Block Msn Messenger and Other IM

    • acid47

      Hi to all,

      I don't know how to block IM with the pfSense firewall. Can you help me, please?

      Thanks to all for replying, and sorry for my English  :D

      • hoba

        There are different attempts:

        • Block access to the IPs the messengers use to log on (IPs might change)
        • Override DNS for the logon servers with the DNS forwarder (make sure people can only use the DNS forwarder for DNS then)
        • Set up a restrictive firewall policy and/or use a proxy

        Try Google; ports and server names can be found there.

        • acid47

          Thanks Hoba for the reply,

          I need some help with this problem.

          How do I block access to the IPs the messengers use to log on (IPs might change)? Can you help me with a step-by-step guide?

          or

          How do I set up a restrictive firewall policy, with a step-by-step guide?

          Thanks …  :-[

          • hoba

            Don't know why Microsoft doesn't publish this article in English anymore, but it has the solution (at least for MSN): http://support.microsoft.com/kb/889829

            1. Block access incoming at port 1863:
            Incoming traffic is blocked by default, but maybe you should set up a block rule on LAN to stop traffic deriving from port 1863.

            2. Block HTTP access to "messenger.hotmail.com" and "webmessenger.msn.com" (to also block the HTTP version of the messenger):
            Either force your clients to only use the DNS forwarder by blocking DNS traffic that doesn't have the pfSense as destination, and enter fake IPs for these 2 hosts (like resolving them as 127.0.0.1), which might affect other services run by these sites too,
            or do an nslookup for these hosts and block traffic at LAN with these hosts as destination, destination port HTTP.

            There are similar lists for other messengers (Yahoo, ICQ, …) out there too. As I said, Google is your friend. The only messenger that is hard to stop without some kind of proxy is Skype, as Skype has a P2P infrastructure and doesn't work with fixed servers but with known dynamic supernodes (see http://www.mail-archive.com/support@pfsense.com/msg04808.html for some links on how Skype works and why it is hard to stop).

            http://nscsysop.hypermart.net/no_chat.html has some nice info about the different attempts I mentioned too.

            • acid47

              Hi Hoba,

              I've tried to block access incoming at port 1863 with this sequence in FIREWALL: RULES – LAN:

              Proto  Source          Port  Destination    Port  Gateway  Description
              *      LAN net         *     *              *     *        Default LAN -> any
              TCP    192.168.2.0/24  *     *              1863  *        msn block lan
              TCP    *               *     65.54.239.140  1863  *        ip msn.hotmail.com

              But this solution doesn't work with MSN Messenger or Live Messenger. I tried adding this in the DNS FORWARDER:

              Domain                 IP         Description
              messenger.hotmail.com  127.0.0.1  messenger fake

              But it doesn't work?!? Can you help me, please?

              • Juve

                Put the block rules first!  It will work better then  ;)

                • hoba

                  @Juve:

                  Put the block rules first!  It will work better then  ;)

                  Yeah, rules are matched top down and first match wins  ;)

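The rule-ordering point from the last two replies, as an added example that is not part of the original thread: a small Python model of top-down, first-match evaluation run over the three LAN rules acid47 posted, plus a check for rules that an earlier rule makes unreachable. The block action on the second and third rules, the sample client 192.168.2.50 and the web destination 203.0.113.10 are assumptions for illustration; this is a model, not pfSense's own code.

```python
import ipaddress
from collections import namedtuple

# The action is an assumption for rules 2 and 3: the post lists them without one.
Rule = namedtuple("Rule", "action proto src dst dport descr")

def _in(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _covers(outer, inner):
    if outer == "*" or inner == "*":
        return outer == "*"
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def evaluate(rules, proto, src, dst, dport):
    """Top-down, first match wins; nothing matching means default deny."""
    for r in rules:
        if (r.proto in ("*", proto) and _in(r.src, src)
                and _in(r.dst, dst) and r.dport in ("*", dport)):
            return r.action, r.descr
    return "block", "default deny"

def shadowed(rules):
    """Rules fully covered by an earlier rule, so they can never match."""
    found = []
    for i, r in enumerate(rules):
        if any(e.proto in ("*", r.proto) and _covers(e.src, r.src)
               and _covers(e.dst, r.dst) and e.dport in ("*", r.dport)
               for e in rules[:i]):
            found.append(r.descr)
    return found

LAN = "192.168.2.0/24"
pass_all = Rule("pass", "*", LAN, "*", "*", "Default LAN -> any")
block_port = Rule("block", "tcp", LAN, "*", 1863, "msn block lan")
block_host = Rule("block", "tcp", "*", "65.54.239.140", 1863, "ip msn.hotmail.com")

AS_POSTED = [pass_all, block_port, block_host]      # order from the post
BLOCKS_FIRST = [block_port, block_host, pass_all]   # order the replies suggest

# Constructed sample packets: a LAN client, and a documentation-range web server.
MSN = ("tcp", "192.168.2.50", "65.54.239.140", 1863)
WEB = ("tcp", "192.168.2.50", "203.0.113.10", 80)

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("blocks first", BLOCKS_FIRST)):
        print(name, evaluate(rules, *MSN), evaluate(rules, *WEB), shadowed(rules))
```

With the posted order, the port 1863 connection is passed by "Default LAN -> any" before either block rule is consulted; with the block rules first it is blocked while ordinary web traffic still passes.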
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.