How-to Block Msn Messenger and Other IM

acid47

Hi to all,

I don't know how to block IM with pfsense firewall??? You can help me plz???

Thanks to all for reply and sorry for my english  :D

hoba

There are different attempt:

• Block access to IPs the messemgers use to log on (IPs might change)
• Override DNS for the Logonservers with the DNS-Forwarder (make sure people only can use the DNS forwarder for DNS then)
• set up a restrictive firewallpolicy and/or use a Proxy

Try to google, ports and servernames can be found there.

acid47

Thanks Hoba for reply,

I need some help for this problem

how-to Block access to IPs the messemgers use to log on (IPs might change) ??? you can help me with step-by-step guide?

or

how-to set up a restrictive firewallpolicy??? with step-by-step guide?

Thanks …  :-[

hoba

Don't know why Microsoft doesn't publish this article in english anymore but it has the solution (at least for MSN): http://support.microsoft.com/kb/889829

1. Block Access incoming at Port 1863 :
incoming traffic is blocked by default but maybe you should set up a block rule at lan to stop traffic deriving from port 1863.

2. Block HTTP Access to "messenger.hotmail.com" and "webmessenger.msn.com" (to also block the http version of the messenger):
either force your clients to only use the dns forwarder by blocking DNS traffic that doesn't have the pfSense as destination and enter fake IPs for these 2 hosts (like resolving them as 127.0.0.1) which might affect other services run by these sites too
or do a nslookup for these hosts and block traffic at LAN with these hosts as destination, destinationport http.

There are similiar lits for other messengers (yahoo, icq, …). out there too. as I said, google is your friend. The only messenger that is hard to stop without some kind of proxy is skype as skype has a p2p infrastructure and doesn't work with fixed servers but with known dynamic supernodes (see http://www.mail-archive.com/support@pfsense.com/msg04808.html for some links on how skype works and why it is hard to stop).

http://nscsysop.hypermart.net/no_chat.html has some nice info about the different attempts I mentioned too.

acid47

hi Hoba,

I've try to Block Access incoming at Port 1863 in this sequence in FIREWALL:RULES – LAN:

Proto  Source      Port  Destination          Port  Gateway  Description

• LAN net       *     *                 *     *            Default LAN -> any 
  TCP         192.168.2.0/24   *         *         1863     *     msn block lan
  TCP         *                 * 65.54.239.140 1863     *           ip msn.hotmail.com

But this solution doesn't work with msn messenger or live messenger, i try to add in DNS FORWARDER this:

Domain                      IP    Description 
messenger.hotmail.com  127.0.0.1  messenger fake

But doesn't work?!? You can help me plz?

Juve

Put the block rules first!  It will work better then  ;)

hoba

@Juve:

Put the block rules first!  It will work better then  ;)

Yeah, rules are matched top down and first match wins  ;)