Netgate Discussion Forum

    Allow Skype in a very restrictive network

    25 Posts 10 Posters 48.3k Views
      dhatz

      Some time ago, I posted some info about L7 and Skype at http://forum.pfsense.org/index.php?topic=40558.0

        codemarauder

        @marcelloc:

        Try just disabling the squidguard option that does not allow direct IP access in URLs.

        That is disabled, Marcello. As I had mentioned earlier, only selective domains and URLs are allowed from my network. I do not want to do "ALLOW ALL", but only want to allow Skype to connect.

        I understand that it is not possible anyhow, so I am considering this thread as closed.

          codemarauder

          Thanks Dhatz.

          @dhatz:

          Some time ago, I posted some info about L7 and Skype at http://forum.pfsense.org/index.php?topic=40558.0

          But this is not going to be of any help in my scenario, where I want to selectively allow Skype, POP3S, IMAPS, SMTPS, FTP, SSH, Jabber, HTTP/S but block everything else.

            alvaro

            codemarauder,

            I had the same issue as you and I solved it by doing this:

            1- I've created a layer 7 rule that blocks HTTP traffic.

            2- Then I've granted access through ports 80 and 443 but applying the layer 7 filter created in step 1.

            3- Note that I've placed the layer 7 rules at the end of the rules so they don't block other HTTP "Pass" rules.

            4- The last rule is a "Block" all traffic.

            Hope it helps… let me know.

              marcelloc

              You've created an allow rule on port 80 blocking all HTTP traffic? Why?

              Is this L7 rule able to filter SSL connections on 443?

              Elite Training: http://sys-squad.com

              Help a community developer! ;D

                alvaro

                marcelloc,

                All of my HTTP traffic must go through the proxy (3128) and I'm not using a transparent proxy.

                HTTPS through 443 was a concern, but it seems that the HTTP layer 7 filter is blocking HTTPS as well.

                My network is very restrictive and all outbound traffic must be allowed if it is the case.

                  marcelloc

                  OK, understood :)


                    odrakir

                    Hi, I've been using this solution as well, but 3 weeks ago, it stopped working. The PCs can't connect to Skype, it times out. Does anyone know if the Skype protocol was changed lately? Is there another way to allow Skype but block HTTP/HTTPS?

                    Thanks!

                      Gabri.91

                      I have the same problem: with only 80 and 443 outbound open, Skype doesn't work.
                      How did you solve it?

                        Gabri.91

                        For anyone who has the problem: you also need to open 33033 TCP outbound, which is needed for first-time authentication.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.