Netgate Discussion Forum
MSN can receive files even though everything is blocked?

General pfSense Questions
18 Posts 6 Posters 7.5k Views
Johnny_B, Jan 10, 2007, 8:23 PM

I don't use MSN myself, but I discovered this weirdness when a student told me. I thought this was very strange. I NAT and have the following ports open for outgoing traffic; the rest is blocked:

53, DNS
80, HTTP and Windows Live Messenger
443, HTTPS and Windows Live Authentication
110, POP3
143, IMAP
3724, WOW
20720-20750, HL II Steam
1200, 27000-27015, UDP HL II Steam
6112, WC III
1883, MSN

Block -> any

Does the file from the host outside the network go to MSN's server and then get transferred over port 80 to the client here inside the firewall?
sullrich, Jan 10, 2007, 10:39 PM

Good question. You can answer this yourself if you enable logging on the port 80 rule and test again.
hoba, Jan 10, 2007, 10:47 PM

Do you have miniupnp enabled?
Johnny_B, Jan 11, 2007, 3:08 PM

I don't have miniupnp, no.

The problem is that I don't have a Windows machine myself, and I don't have an MSN account. I REALLY don't wanna break my MS-free record :P
databeestje, Jan 11, 2007, 5:03 PM

This is what is considered NAT hole punching and affects almost all routers.
Try the modulate state option in the firewall rules screen.
yoda715, Jan 11, 2007, 7:21 PM

Here are some good explanations of NAT hole punching.

http://snyke.net/blog/2006/01/24/nat-hole-punching-explained/
http://en.wikipedia.org/wiki/UDP_hole_punching

That said, I believe you can solve your problem by enabling advanced outbound NAT. What this will do is disable all the autogenerated outbound NATs and use the NATs you create. You will need to create an outbound NAT for each service that you want to allow outbound. I.e., http, dns, etc. traffic will each need their own outbound NAT.

This may or may not solve your problem, since MSN Messenger is a sly little devil ;).

The only other option is to install the Snort package, filter the IM clients category, and set Snort to automatically block any detected traffic.
Johnny_B, Jan 11, 2007, 8:44 PM

I thought NAT hole punching only worked with UDP and not TCP?
yoda715, Jan 11, 2007, 8:55 PM

It works with both.
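As an added illustration of the "NAT hole punching" that databeestje and yoda715 refer to, and of why it works for TCP as well as UDP: the Python below is a simplified model written for this page, not code from the thread or from pfSense. It implements the poster's policy (block everything inbound, pass outbound only to an allow-list of ports, keep state, NAT to one WAN address) as a small state table. An outbound SYN from the inside host to the peer's port 80 is passed by the port-80 rule and installs a state; when the peer, having learned the public mapping from a rendezvous server, sends its own SYN from port 80 to that mapping (a TCP simultaneous open), it matches the state's reverse tuple and is passed, even though no inbound rule exists. The addresses, the port allocation and the state logic are constructed assumptions; pf's real TCP tracking (sequence-number windows, flag checks, timeouts) is not modelled.

```python
"""Simplified model of a stateful NAT firewall: block in any; pass out tcp to
an allow-list of ports keep state. Shows why a TCP hole punch through an open
outbound port 80 succeeds. Addresses, ports and the state logic are constructed
for this example and do not reproduce pf's real state machine."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

StateKey = Tuple[str, int, str, int]  # (inside_ip, inside_port, peer_ip, peer_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "PA" = data


class StatefulNatFirewall:
    def __init__(self, wan_ip: str, allowed_out_ports: List[int]) -> None:
        self.wan_ip = wan_ip
        self.allowed_out_ports = set(allowed_out_ports)
        self._next_wan_port = 50000  # assumed NAT source-port allocation
        self.states: Dict[StateKey, int] = {}  # flow -> WAN source port
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN. Pass (creating or matching state) only to allowed ports."""
        if pkt.dst_port not in self.allowed_out_ports:
            self.log.append(f"block out {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            return None
        key: StateKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.states:
            self.states[key] = self._next_wan_port
            self._next_wan_port += 1
        wan_port = self.states[key]
        self.log.append(f"pass out {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
                        f"(NAT {self.wan_ip}:{wan_port}, state)")
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. There is no inbound pass rule at all: only a packet matching
        the reverse tuple of an existing state gets through (that is what
        'keep state' gives the peer)."""
        for (in_ip, in_port, peer_ip, peer_port), wan_port in self.states.items():
            if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == (peer_ip, peer_port, self.wan_ip, wan_port):
                self.log.append(f"pass in {pkt.src_ip}:{pkt.src_port} -> {in_ip}:{in_port} "
                                f"(state match, flags {pkt.flags})")
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.flags)
        self.log.append(f"block in {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return None

    def public_mapping(self, key: StateKey) -> Optional[Tuple[str, int]]:
        """The public endpoint a rendezvous server (here standing in for the IM
        service) would observe for this inside flow and relay to the other peer."""
        wan_port = self.states.get(key)
        return None if wan_port is None else (self.wan_ip, wan_port)


# Constructed addresses (documentation ranges), not taken from the thread.
LAN_HOST, WAN_IP, PEER = "192.168.1.10", "198.51.100.2", "203.0.113.5"


def run_scenarios() -> Dict[str, bool]:
    fw = StatefulNatFirewall(WAN_IP, [53, 80, 443, 110, 143])
    r: Dict[str, bool] = {}
    # 1. Unsolicited SYN from the peer: no state exists, so it is dropped.
    r["cold_inbound_blocked"] = fw.inbound(Packet(PEER, 80, WAN_IP, 50000, "S")) is None
    # 2. Hole punch: the inside host sends a SYN to peer:80. The port-80 rule
    #    passes it and a state with the reverse tuple is installed.
    if fw.outbound(Packet(LAN_HOST, 4000, PEER, 80, "S")) is None:
        raise RuntimeError("port 80 must be allowed outbound in this scenario")
    mapping = fw.public_mapping((LAN_HOST, 4000, PEER, 80))
    if mapping is None:
        raise RuntimeError("outbound SYN should have created a state")
    # 3. The peer, told the mapping by the rendezvous server, sends its own SYN
    #    from port 80 (TCP simultaneous open). It matches the state and passes.
    punched = fw.inbound(Packet(PEER, 80, mapping[0], mapping[1], "S"))
    r["hole_punched_syn_passes"] = punched is not None and (punched.dst_ip, punched.dst_port) == (LAN_HOST, 4000)
    # 4. Data on that tuple flows in as well.
    r["data_passes"] = fw.inbound(Packet(PEER, 80, mapping[0], mapping[1], "PA")) is not None
    # 5. If the peer uses a port that is not allowed outbound, no state is ever
    #    created, so there is no hole to come back through.
    r["nonallowed_no_hole"] = (fw.outbound(Packet(LAN_HOST, 4001, PEER, 4444, "S")) is None
                               and fw.inbound(Packet(PEER, 4444, WAN_IP, 50001, "S")) is None)
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

In this model the only thing the peer needs is that some port the inside host will connect out to is open with state; as long as port 80 stays open for web browsing, a peer that can arrange (through a rendezvous server) to use port 80 as its source port can get an inbound TCP connection to land on the inside host, and per-port outbound NAT rules do not change that outcome. For reference, pf's modulate state option behaves like keep state but additionally rewrites the connection's TCP initial sequence numbers; the model above does not implement sequence-number handling at all.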
Johnny_B, Jan 11, 2007, 9:20 PM (last edited Jan 11, 2007, 11:45 PM)

@sdale:

It works with both

I've read it works with Linux with TCP, but I didn't think *BSD suffered from this. Is it possible to do this in pf?

What is this "modulate state"? I don't understand the description from the man page too well.
Johnny_B, Jan 12, 2007, 12:23 PM

I've enabled NAT Outbound and set up rules for the ones I want to enable. But I can't see how this would make any difference. I must enable port 80 because I need the web to work.

Anyone?
sai, Jan 12, 2007, 2:08 PM

http://doc.pfsense.org/index.php/How_Do_I_block_Instant_Messengers might help
Johnny_B, Jan 12, 2007, 2:35 PM

@sai:

http://doc.pfsense.org/index.php/How_Do_I_block_Instant_Messengers might help

I'm not interested in blocking MSN, only the file transfer side of it.
hoba, Jan 12, 2007, 2:49 PM

Not sure if the imspector package can do this, but it's not ready yet anyway, AFAIK. Check it out once it is done.
yoda715, Jan 13, 2007, 12:17 AM

You can also install Snort to detect and block file transfers for MSN Messenger.
Johnny_B, Jan 13, 2007, 2:59 AM

@sdale:

You can also install Snort to detect and block file transfers for MSN Messenger.

Installed Snort and got it working, but I couldn't see rules for MSN file transfers… In what category is it hiding?
yoda715, Jan 13, 2007, 5:18 AM

It's under chat.rules.
Johnny_B, Jan 13, 2007, 1:58 PM

@sdale:

It's under chat.rules.

I saw that one, but that is outbound and not on port 80 :/ I'll take TCPView:

http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx

to one of the students' computers and look myself, since I have neither Windows nor MSN :P
yoda715, Jan 13, 2007, 9:25 PM

You can edit the Snort rule to detect file transfers on any port. The only problem with using Snort to block file transfers is that if someone initiates a file transfer, Snort will block that IP from having ANY contact with your network. So basically it will cut off the file transfer and any further IM traffic to that IP for an hour.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.