Netgate Discussion Forum

Allow Skype in a very restrictive network

Firewalling
    EOC2611P
    last edited by Jul 21, 2012, 8:37 AM

    @codemarauder:

    I am not considering using proxy for skype access. I want to do it with the firewall itself.

    I had to resort to a web proxy to be able to log in on Facebook, as nobody could come up with a workable solution... good luck to you

      marcelloc
      last edited by Jul 21, 2012, 6:30 PM Jul 21, 2012, 6:27 PM

      @codemarauder:

      I am not considering using proxy for skype access. I want to do it with the firewall itself.

      The way it could work is to allow https for an internal clients host alias applied to a lan rule.
      It will allow access to any https site too but skype will work.

      @EOC2611P:

      I had to resort to a web proxy to be able to log in on Facebook, as nobody could come up with a workable solution... good luck to you

      web proxy is a workable solution.  ;)

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

        EOC2611P
        last edited by Jul 22, 2012, 5:14 AM

        @marcelloc:

        @EOC2611P:

        I had to resort to a web proxy to be able to log in on Facebook, as nobody could come up with a workable solution... good luck to you

        web proxy is a workable solution.  ;)

        Yes it is, but I guess the end users would expect it to work in a different way; maybe for developers it is different.
        I mean, if you buy a car to go shopping, once you start your engine, there should not be a need to also call a taxi to tow you to the shop and back  :D

          codemarauder
          last edited by Jul 23, 2012, 5:34 PM Jul 23, 2012, 5:31 PM

          @marcelloc:

          The way it could work is to allow https for an internal clients host alias applied to a lan rule.
          It will allow access to any https site too but skype will work.

          web proxy is a workable solution.  ;)

          Actually, I also have a web proxy configured which doesn't allow access by IP addresses, and only a handful of sites are allowed. The default rule for each group on squidguard is "DENY", which is not Skype friendly. And I can't befriend Skype by inviting ALL friends and foes together.

          I had studied Skype's web-access logs and it works in multiple stages, connecting to servers/hosts in a tiered manner as described in this Wikipedia article: http://en.wikipedia.org/wiki/Skype_protocol. I tried to allow network ranges in the proxy as well (converting them to individual IPs; there were hundreds of IPs in hundreds of ranges), which doesn't work reliably. Randomly, clients were able to connect, but most of the time they could not because they tried to connect to some IPs which were not in the whitelist. This method was like a never-ending wild goose chase. Add to that the network ranges of Microsoft that Skype connects to ever since MS bought it.

          By comparison, I like GoToMyPC's documentation, which is perfect for network administrators. They have provided all the IP ranges that you can use to selectively allow in your proxy or firewall.

            marcelloc
            last edited by Jul 23, 2012, 7:12 PM

            @codemarauder:

            Actually, I also have web proxy configured which doesn't allow access by IP addresses and only handful of sites are allowed. D

            Try just disabling the squidguard option to not allow direct IP access in URL.

              dhatz
              last edited by Jul 23, 2012, 7:59 PM

              Some time ago, I posted some info about L7 and Skype at http://forum.pfsense.org/index.php?topic=40558.0

                codemarauder
                last edited by Jul 24, 2012, 3:50 AM

                @marcelloc:

                Try just disabling the squidguard option to not allow direct IP access in URL.

                That is disabled, Marcello. As I had mentioned earlier, only selective domains and URLs are allowed from my network. I do not want to do "ALLOW ALL", but only want to allow Skype to connect.

                I understand that it is not possible anyhow, so I am considering this thread as closed.

                  codemarauder
                  last edited by Jul 24, 2012, 4:13 AM

                  Thanks Dhatz.

                  @dhatz:

                  Some time ago, I posted some info about L7 and Skype at http://forum.pfsense.org/index.php?topic=40558.0

                  But this is not going to be of any help in my scenario, where I want to selectively allow Skype, POP3S, IMAPS, SMTPS, FTP, SSH, Jabber, HTTP/S but block everything else.

                    alvaro
                    last edited by Sep 25, 2012, 6:31 PM

                    codemarauder,

                    I had the same issue as you and I solved it by doing this:

                    1- I've created a layer 7 rule that blocks http traffic.

                    2- Then I've granted access through ports 80 and 443 but applying the layer 7 filter created on step 1.

                    3- Note that I've placed the layer 7 rules at the end of the rules so they don't block other http "Pass" rules.

                    4- The last rule is a "Block" all traffic.

                    Hope it helps… let me know.

                      marcelloc
                      last edited by Sep 25, 2012, 7:20 PM

                      You've created an allow rule on port 80 blocking all http traffic? Why?  ???

                      Is this L7 rule able to filter SSL connections on 443?

                        alvaro
                        last edited by Sep 25, 2012, 8:35 PM

                        marcelloc,

                        All of my HTTP traffic must go through proxy (3128) and I'm not using transparent proxy.

                        HTTPS through 443 was a concern, but it seems that the http layer 7 filter is blocking HTTPS as well.

                        My network is very restrictive and all out traffic must be allowed if it is the case.

                          marcelloc
                          last edited by Sep 25, 2012, 8:52 PM

                          OK, understood  :)

                            odrakir
                            last edited by Mar 28, 2013, 2:37 PM

                            Hi, I've been using this solution as well, but 3 weeks ago, it stopped working. The PCs can't connect to Skype, it times out. Does anyone know if the Skype protocol was changed lately? Is there another way to allow Skype but block HTTP/HTTPS?

                            Thanks!

                              Gabri.91
                              last edited by May 5, 2013, 2:07 PM May 5, 2013, 12:24 PM

                              I have the same problem: with only 80 and 443 outbound open, Skype doesn't work.
                              How did you solve it?

                                Gabri.91
                                last edited by May 5, 2013, 4:49 PM

                                For anyone that has the problem: you also need to open 33033 TCP outbound, which is needed for first-time authentication

                                1 Reply Last reply Reply Quote 0
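
Added example, not part of any post in this thread: a small first-match model of the port-based rule set the thread ends up with (pass 80/443 for a clients alias, the 33033 TCP rule, a final block-all), used to check which flows pass and whether rule order shadows a pass rule. The alias range, rule notes and helper names are assumptions made for illustration, and the model ignores destinations and layer 7 matching.

```python
from ipaddress import ip_address, ip_network

# Constructed alias: internal hosts allowed to run Skype (addresses are made up).
SKYPE_CLIENTS = ip_network("192.168.10.0/28")
ANY = ip_network("0.0.0.0/0")

def rule(action, src, proto, ports, note):
    return {"action": action, "src": src, "proto": proto, "ports": ports, "note": note}

def matches(r, src, proto, dport):
    return (ip_address(src) in r["src"]
            and r["proto"] in (proto, "any")
            and (r["ports"] is None or dport in r["ports"]))

def evaluate(rules, src, proto, dport):
    """First matching rule decides; no match falls through to default deny."""
    for r in rules:
        if matches(r, src, proto, dport):
            return r["action"], r["note"]
    return "block", "implicit default deny"

def shadowed(rules):
    """Notes of rules that can never match because an earlier rule covers them."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            ports_ok = e["ports"] is None or (
                r["ports"] is not None and r["ports"] <= e["ports"])
            if (r["src"].subnet_of(e["src"])
                    and e["proto"] in (r["proto"], "any") and ports_ok):
                out.append(r["note"])
                break
    return out

# No destination is modelled: the 443 pass reaches any HTTPS site, not only Skype.
WEB = rule("pass", SKYPE_CLIENTS, "tcp", {80, 443}, "web ports for Skype clients")
AUTH = rule("pass", SKYPE_CLIENTS, "tcp", {33033}, "Skype first-time authentication")
BLOCK_ALL = rule("block", ANY, "any", None, "final block all")

BEFORE = [WEB, BLOCK_ALL]            # only 80 and 443 open
AFTER = [WEB, AUTH, BLOCK_ALL]       # 33033/tcp added above the block-all
MISORDERED = [WEB, BLOCK_ALL, AUTH]  # pass rule placed below the block-all

if __name__ == "__main__":
    for name, rs in (("before", BEFORE), ("after", AFTER), ("misordered", MISORDERED)):
        print(name, evaluate(rs, "192.168.10.5", "tcp", 33033), shadowed(rs))
```

Running `shadowed()` over an exported rule list before applying it catches a pass rule that was added below the final block-all and would therefore never match.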