L7 Protocol Definitions for iMessage and FaceTime

  • I am looking to block the use of FaceTime and iMessage over our network from iOS Devices.

    Apple docs claim that FaceTime uses a few UDP ports up in the 16xxx range, plus 80, 443 and 5223. 80 and 443 are open on pfSense for obvious reasons. Turns out if FaceTime or iMessage cannot use those 16xxx ports, they just stream the whole lot down 443, which makes blocking them something I cannot figure out (bar blocking 443 to the entire 17.x.x.x subnet which Apple own). That is not an option as we still need push notifications for other apps and also wish to use iCloud, which also relies on this.

    My question is this: FaceTime and iMessage send over 443 to Apple, encrypted. Can a Layer 7 protocol definition be made up to encompass this, and if so does anyone happen to have one lying about? :) I'm afraid I don't believe I am advanced enough to write one.

    Thanks in advance for any pointers
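To make the point of the question concrete, here is an added example (not from the original thread or from pfSense) that classifies flows to Apple's 17.0.0.0/8 block using only the L3/L4 fields a stateful firewall sees: UDP 16xxx media flows can be identified by port, but TCP 443 to Apple cannot be told apart from iCloud or push traffic. The log format and all addresses are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Apple's address block and the ports named in the thread.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
FACETIME_UDP_LOW, FACETIME_UDP_HIGH = 16000, 16999   # the "16xxx" range

# Constructed, simplified flow records (not real pfSense log output):
# "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_FLOWS = """\
udp 192.168.1.20:50123 -> 17.252.10.5:16402
udp 192.168.1.20:50124 -> 17.252.10.5:16403
tcp 192.168.1.21:49152 -> 17.57.144.10:5223
tcp 192.168.1.22:49200 -> 17.248.130.9:443
tcp 192.168.1.22:49201 -> 93.184.216.34:443
"""

FLOW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def classify_flow(line):
    """Label one flow by what the L3/L4 headers alone can tell us."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return "unparsed"
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst not in APPLE_NET:
        return "non-apple"
    if m["proto"] == "udp" and FACETIME_UDP_LOW <= dport <= FACETIME_UDP_HIGH:
        return "apple-udp-media"       # blockable by port without touching 443
    if m["proto"] == "tcp" and dport == 5223:
        return "apple-push"            # APNs; blocking it breaks other apps' notifications
    if m["proto"] == "tcp" and dport in (80, 443):
        return "apple-tls-ambiguous"   # iCloud, push fallback, or FaceTime/iMessage fallback
    return "apple-other"


def summarize(log_text):
    """Count flows per label for a block of log lines."""
    return Counter(classify_flow(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:22s} {n}")
```

The "apple-tls-ambiguous" bucket is exactly the traffic the question is about: once the UDP media ports are closed, the fallback lands there, indistinguishable by address and port from the iCloud and push traffic that must stay open.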

  • I've been posting about blocking ares and btt. What the group has advised me is that it is better to create some low-priority queues to channel the "bad" protocols, all this because I found L7 can't block encrypted apps. I'm afraid that is not possible with L7. I hope I'm wrong.

    Hope this helps

  • If your mobile devices are in a separate subnet, then it could perhaps be possible to make these devices use a proxy and then filter/block access to the URLs with squidGuard. This must be a NON-transparent proxy so that you can filter HTTPS.

  • The devices are iPads and we don't wish to use a proxy. iPad apps don't all work nicely with proxies, especially if that proxy requires authentication. So we have a separate web filter that operates as a transparent bridge which does web filtering, but not SSL interception. Then we have a pfSense box on the other end of that as our main WAN router. One single subnet for our whole internal network, so pfSense is just being used for pure firewall and NAT type stuff.

    Had hoped the L7 stuff was the answer, as there doesn't appear to be any other way to do it.

    Guess we just have to live with iMessage and FaceTime on our net :(
