How-to Block Msn Messenger and Other IM

  Hi to all,

    I don't know how to block IM with the pfSense firewall. Can you help me, please?

    Thanks to all for replying, and sorry for my English  :D

  • There are different attempts:

    • Block access to the IPs the messengers use to log on (IPs might change)
    • Override DNS for the logon servers with the DNS forwarder (make sure people can only use the DNS forwarder for DNS then)
    • Set up a restrictive firewall policy and/or use a proxy

    Try Google; ports and server names can be found there.

  Thanks Hoba for the reply,

    I need some help with this problem.

    How do I block access to the IPs the messengers use to log on (IPs might change)? Can you help me with a step-by-step guide?

    How do I set up a restrictive firewall policy? With a step-by-step guide?

    Thanks …  :-[

  • Don't know why Microsoft doesn't publish this article in English anymore, but it has the solution (at least for MSN):

    1. Block access incoming at port 1863:
    Incoming traffic is blocked by default, but maybe you should set up a block rule at LAN to stop traffic deriving from port 1863.

    2. Block HTTP Access to "" and "" (to also block the http version of the messenger):
    either force your clients to only use the dns forwarder by blocking DNS traffic that doesn't have the pfSense as destination and enter fake IPs for these 2 hosts (like resolving them as which might affect other services run by these sites too
    or do an nslookup for these hosts and block traffic at LAN with these hosts as destination, destination port HTTP.

    There are similar lists for other messengers (Yahoo, ICQ, …) out there too. As I said, Google is your friend. The only messenger that is hard to stop without some kind of proxy is Skype, as Skype has a P2P infrastructure and doesn't work with fixed servers but with known dynamic supernodes (see for some links on how Skype works and why it is hard to stop). has some nice info about the different attempts I mentioned too.

  Hi Hoba,

    I've tried to block access incoming at port 1863 in this sequence in FIREWALL:RULES – LAN:

    Proto  Source      Port  Destination          Port  Gateway  Description

    • LAN net       *     *                 *     *            Default LAN -> any 
      TCP   *         *         1863     *     msn block lan
      TCP         *                 * 1863     *           ip

    But this solution doesn't work with MSN Messenger or Live Messenger. I tried to add this in the DNS forwarder:

    Domain                      IP    Description  messenger fake

    But it doesn't work?!? Can you help me, please?

  • Put the block rules first!  It will work better then  ;)

    Put the block rules first!  It will work better then  ;)

    Yeah, rules are matched top down and first match wins  ;)
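
The "first match wins" behaviour from the last replies, as an added example that is not part of the original thread: a small Python model of top-down rule evaluation, run over the LAN ruleset in the order it was posted and again with the block rule moved up, plus a check that lists rules an earlier rule makes unreachable. The `Rule` class, the function names and the `LAN net` source on the block rule are assumptions for illustration; only one block rule for port 1863 is modelled.

```python
from dataclasses import dataclass

ANY = "*"
FIELDS = ("proto", "src", "dst_port")

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "TCP", "UDP" or "*"
    src: str       # source network, or "*"
    dst_port: str  # destination port as text, or "*"
    descr: str

def covers(general, specific):
    """True when `general` matches everything that `specific` matches."""
    return general == ANY or general == specific

def evaluate(rules, proto, src, dst_port):
    """Walk the list top down; the first matching rule decides."""
    packet = {"proto": proto, "src": src, "dst_port": str(dst_port)}
    for rule in rules:
        if all(covers(getattr(rule, f), packet[f]) for f in FIELDS):
            return rule.action, rule.descr
    return "block", "implicit default deny"  # nothing matched

def shadowed(rules):
    """List (rule, earlier rule) pairs where the earlier rule matches every
    packet the later one would, so the later rule can never fire."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in FIELDS):
                hidden.append((later.descr, earlier.descr))
                break
    return hidden

# Constructed from the thread's LAN tab; the block rule's source is assumed.
DEFAULT = Rule("pass", ANY, "LAN net", ANY, "Default LAN -> any")
BLOCK_MSN = Rule("block", "TCP", "LAN net", "1863", "msn block lan")
AS_POSTED = [DEFAULT, BLOCK_MSN]   # allow-all sits above the block rule
REORDERED = [BLOCK_MSN, DEFAULT]   # block rule first

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, evaluate(rules, "TCP", "LAN net", 1863), shadowed(rules))
```

Running `shadowed()` over an exported ruleset before applying it catches the same ordering mistake without needing a test client on the LAN.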