6 days of trying and no positive result on how to block SKYPE in PF 1.2.3



  • Guys, I really need help here.

    This is the third day that I am seeking a solution for how to block SKYPE in PF 1.2.3.

    The snort way in:
    http://www.carbonwind.net/Firewalls/BlockingSkypewithPfsenseandSnort/BlockingSkypewithPfsenseandSnort.htm

    didn't work.

    Other Squid-related options didn't work either.

    I am lost here. I found this very recent topic (June 10, 2010) where those guys had success, but in Smoothwall, not PF =/
    http://www.edugeek.net/forums/internet-related-filtering-firewall/57624-blocking-skype-smoothwall.html

    Please, does somebody have a working solution in PF 1.2.3 to block Skype? Our network is composed primarily of notebooks, so blocking Skype in PF Sense is a question of honor.

    Thanks



  • http://www.riccardoriva.com/archives/275

    Well, this method works for old Skype, it does not log in, but for the new (4.2+) it does not. It delays the sign-in process a lot, but in the end, this beast can log in… =/

    There must be a way to block this ***** with pfSense 1.2.3! In this same month some guys did it in Smoothwall, but in my opinion pfSense is much more powerful.

    I need some help here; four days of digging at it is very, very tiring.



  • Find out all the IPs of the skype servers, create an alias containing them all, and block access to this alias.



  • GruensFroeschli

    I believe that SKYPE is the most sophisticated application to block so far.

    Remember how Microsoft Messenger (MSN) was before the new LIVE edition: in those times it was only necessary to block port 1863 to restrict the app's access. Today it's a little harder.

    uTorrent follows the same way as SKYPE; it will be my next objective to block after success with the "blue demon".

    It's very logical; all software in the future will follow this hard-to-block style.

    Let's complete my tests,

    IF:

    All ports are closed in the firewall rules with only the necessary ones (smtp, pop3, http…) open;
    plus these statements inserted in Proxy Server > Custom Options:
    acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+;
    http_access deny CONNECT skype_url
    with the https (443) port denied too

    You will have SKYPE 100% blocked

    But all your https pages too… bad game here.

    If you pass the https port, SKYPE will take a long time to connect, longer the first time, but it will connect.

    So, I believe that this list of IPs of the Skype servers can't be done, because SKYPE has those issues of supernodes, p2p, random IPs...

    Just the rule of acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+;
    http_access deny CONNECT skype_url in SQUID doesn't block Skype anymore; there is something else to do with port 443. I am not a network guru, so I am asking for HELP here. I am trying and I won't give up. I don't want to pay for commercial solutions or change to another firewall distro because I know that PF Sense is very good, I like it, and in the not very distant future it will be the best one.



  • To log in, the client still has to access the login server.
    If you block access to these, it should not work.



  • A very simple approach is to block all outbound traffic and provide Internet access only via Squid+SquidGuard.  Then in SquidGuard under Default tick the option against Not to allow IP addresses in URL.  I found that a very effective method of blocking Skype (and various other things).



  • Thanks for the reply, Cry Havok!

    But well, it didn't work.  :'(

    I did a fresh install of PF 1.2.3 in a test lab

    Skype keeps running; it takes a long time to sign in, but in the end, the blue demon wins!  >:(

    I believe that in Squid, the rule of (acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+;
    http_access deny CONNECT skype_url) is the same thing as "Not to allow IP addresses in URL" in Proxy Filter (SquidGuard). Please correct me if this is wrong.

    Here are my configuration print screens, one each of Firewall Rules, Proxy Server and Proxy Filter








  • Two things to do

    First is to check the squid log to see what's happening.  The second is to view the SquidGuard log to see what's happening ;)
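
Added example (not part of the thread and not any poster's code): one way to run the access.log check suggested above, assuming Squid's native log format. The log lines and the second client address 192.168.2.246 are constructed; the pattern is the thread's skype_url regex with the dots escaped.

```python
import re
from collections import Counter

# Same pattern as the thread's skype_url ACL (dots escaped), applied to the
# CONNECT target, which Squid logs as host:port.
IP_LITERAL = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1277765552.101    210 192.168.2.245 TCP_MISS/200 3120 CONNECT mail.example.com:443 - DIRECT/198.51.100.7 -
1277765553.412      2 192.168.2.245 TCP_DENIED/403 1450 CONNECT 203.0.113.20:443 - NONE/- text/html
1277765553.980      1 192.168.2.245 TCP_DENIED/403 1450 CONNECT 203.0.113.77:80 - NONE/- text/html
1277765554.300     95 192.168.2.245 TCP_MISS/200 8841 GET http://www.example.com/logo.gif - DIRECT/198.51.100.9 image/gif
1277765555.020    180 192.168.2.246 TCP_MISS/200 5230 CONNECT 203.0.113.20:443 - DIRECT/203.0.113.20 -
"""

def summarize_connects(log_text):
    """Count CONNECT requests per (client, target kind, allowed/denied)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # not a tunnel request, or a malformed line
        client, result, target = fields[2], fields[3], fields[6]
        kind = "ip" if IP_LITERAL.match(target) else "hostname"
        verdict = "denied" if result.startswith("TCP_DENIED") else "allowed"
        counts[(client, kind, verdict)] += 1
    return counts

def leaking_clients(counts):
    """Clients with an allowed CONNECT to a bare IP: the deny rule did not apply."""
    return sorted({c for (c, kind, verdict) in counts
                   if kind == "ip" and verdict == "allowed"})

if __name__ == "__main__":
    counts = summarize_connects(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("allowed CONNECT to IP literal from:", leaking_clients(counts))
```

A client that never shows up in these counts is not sending that traffic through Squid at all, so no proxy ACL can affect it; that case has to be handled in the firewall rules.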



  • Latest Web GUI SquidGuard log:

    27.06.2010 19:52:20 : squid_reconfigure: Add new redirector options to Squid config.
    28.06.2010 02:52:32 : sg_reconfigure_user_db: Begin with '/var/db/squidGuard'
    28.06.2010 02:52:32 : sg_reconfigure_user_db: Nothing. User destinations list empty.
    28.06.2010 02:52:32 : sg_create_config: add rewrites: success safesearch;
    28.06.2010 02:52:32 : sg_create_config: add Default
    28.06.2010 02:52:32 : sg_redirector_base_url: Select redirector base url (http://192.168.2.1:80/sgerror.php?url=403 &a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
    28.06.2010 02:52:32 : sg_reconfigure: save squidGuard config to '/usr/local/etc/squidGuard/squidGuard.conf'.
    28.06.2010 02:52:32 : squid_reconfigure: Remove old redirector options from Squid config.
    28.06.2010 02:52:32 : squid_reconfigure: Add new redirector options to Squid config.

    Same as "Log type" in Log > Configurator log

    This is the only log with non-configuration-style entries

    The "Not to allow IP addresses in URL" in Proxy Filter is working perfectly; I tested IP numbers in the browser and it blocks them:

    Request denied by pfSense proxy: 403 Forbidden
    Reason:
    Client address: 192.168.2.245
    Client group: default
    Target group: in-addr

    The access.log in /var/squid/log didn't reveal any useful information, just browser navigation and downloaded content (jpgs, gifs, urls… not Skype related)

    I didn't see any Skype server IP numbers, but Skype can log in  :-\

    Where am I wrong? Where do I need to go?

