How to Block MSN Messenger and Other IM



  • Hi to all,

    I don't know how to block IM with the pfSense firewall. Can you help me, please?

    Thanks to all for replying, and sorry for my English  :D



  • There are different attempts:

    • Block access to the IPs the messengers use to log on (IPs might change)
    • Override DNS for the logon servers with the DNS forwarder (make sure people can only use the DNS forwarder for DNS then)
    • Set up a restrictive firewall policy and/or use a proxy

    Try Google; ports and server names can be found there.



  • Thanks, Hoba, for the reply,

    I need some help with this problem.

    How do I block access to the IPs the messengers use to log on (IPs might change)? Can you help me with a step-by-step guide?

    or

    How do I set up a restrictive firewall policy? With a step-by-step guide?

    Thanks …  :-[



  • Don't know why Microsoft doesn't publish this article in English anymore, but it has the solution (at least for MSN): http://support.microsoft.com/kb/889829

    1. Block access incoming at port 1863:
    Incoming traffic is blocked by default, but maybe you should set up a block rule at LAN to stop traffic deriving from port 1863.

    2. Block HTTP access to "messenger.hotmail.com" and "webmessenger.msn.com" (to also block the HTTP version of the messenger):
    Either force your clients to only use the DNS forwarder by blocking DNS traffic that doesn't have the pfSense as destination and enter fake IPs for these 2 hosts (like resolving them as 127.0.0.1), which might affect other services run by these sites too,
    or do an nslookup for these hosts and block traffic at LAN with these hosts as destination, destination port HTTP.

    There are similar lists for other messengers (Yahoo, ICQ, …) out there too. As I said, Google is your friend. The only messenger that is hard to stop without some kind of proxy is Skype, as Skype has a P2P infrastructure and doesn't work with fixed servers but with known dynamic supernodes (see http://www.mail-archive.com/support@pfsense.com/msg04808.html for some links on how Skype works and why it is hard to stop).

    http://nscsysop.hypermart.net/no_chat.html has some nice info about the different attempts I mentioned too.



  • Hi Hoba,

    I've tried to block access incoming at port 1863 with this sequence in FIREWALL:RULES – LAN:

    Proto  Source          Port  Destination    Port  Gateway  Description
    *      LAN net         *     *              *     *        Default LAN -> any
    TCP    192.168.2.0/24  *     *              1863  *        msn block lan
    TCP    *               *     65.54.239.140  1863  *        ip msn.hotmail.com

    But this solution doesn't work with MSN Messenger or Live Messenger. I tried to add this in the DNS FORWARDER:

    Domain                 IP         Description
    messenger.hotmail.com  127.0.0.1  messenger fake

    But it doesn't work?!? Can you help me, please?



  • Put the block rules first!  It will work better then  ;)



  • @Juve:

    Put the block rules first!  It will work better then  ;)

    Yeah, rules are matched top down and first match wins  ;)
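
The ordering problem discussed in this thread, as an added example that is not part of the original posts: a small first-match evaluator run over the three LAN rules from the table above, with a check for rules that an earlier rule fully covers. The pass/block actions, the client address 192.168.2.50 and all function names are assumptions made for the illustration; this models top-down matching only and is not pfSense code.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block" (assumed; the posted table shows no action column)
    proto: str    # "tcp" or "*" for any
    src: str      # CIDR or "*"
    dst: str      # CIDR or "*"
    dport: str    # port number as text, or "*"
    descr: str

def net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "*":
        return True
    if inner == "*":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def covers(a, b):
    """True if rule `a` matches every packet that rule `b` matches."""
    return (a.proto in ("*", b.proto) and net_covers(a.src, b.src)
            and net_covers(a.dst, b.dst) and a.dport in ("*", b.dport))

def first_match(rules, proto, src, dst, dport):
    """Top-down evaluation: the first matching rule decides; no match means drop."""
    pkt = Rule("", proto, src, dst, dport, "packet")
    return next((r for r in rules if covers(r, pkt)), None)

def shadowed(rules):
    """Descriptions of rules that can never fire because an earlier rule covers them."""
    return [b.descr for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]

LAN = "192.168.2.0/24"        # LAN subnet from the thread's rule table
MSN_IP = "65.54.239.140"      # address listed in the poster's third rule
ALLOW = Rule("pass", "*", LAN, "*", "*", "Default LAN -> any")
BLOCKS = [Rule("block", "tcp", LAN, "*", "1863", "msn block lan"),
          Rule("block", "tcp", "*", MSN_IP, "1863", "ip msn.hotmail.com")]
AS_POSTED = [ALLOW] + BLOCKS  # default allow on top, as in the post
REORDERED = BLOCKS + [ALLOW]  # block rules first, as the replies advise

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        # 192.168.2.50 is a constructed LAN client address
        hit = first_match(rules, "tcp", "192.168.2.50", MSN_IP, "1863")
        print(f"{name}: {hit.action} via '{hit.descr}', shadowed={shadowed(rules)}")
```

The third rule is not reported as shadowed because its source is "any", which the LAN-only allow rule does not fully cover, yet traffic from LAN clients still never reaches it in the posted order.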

