Willing to pay for a tutorial
Few days ago I got a new job and I was hit by pfsense. Never touch it before. So I'm in the darkness. The bosses from here want to block all the possible messengers (YM, AOL, MSN, Skype, facebook, etc) by Monday afternoon. My personal life is like a living hell right now so I don't have time to dig for a solution. Pls help! I don't know either how much this will cost so I cannot propose a fair price. Anyway, the money will be transferred by Money Gram or Western Union.
The topology is basic: 1 wan 1 internal lan. I just don't know how to fit the rules in the firewall. Many thx in advance!
Well, this is a non-trivial task… and some would argue that “you're looking for a technical solution to a social problem”
Anyway, you can try using a combination of DNS, L3 and L7 filtering, take a look at a related entry in Juniper's knowledge base:
SUMMARY: How to block AIM, Yahoo, MSN Messenger, MS Windows Live Messenger, Skype, and other chat applications.
PROBLEM OR GOAL: AIM, Yahoo, Windows Live Messenger, MSN Messenger, Skype and other chat application vendors use their own application port numbers, but will also try going out port 80, if their own application port is not open. This makes it tough to block IM, since port 80 is the same port number as HTTP.
SOLUTION: Chat vendors use P2P technology, which is similar to Bit Torrent, Kazaa, and Napster. In order to block Chat applications via Deep Inspection, you will need to use a Juniper IDP device to block those signatures. Deep Inspection on the firewall device does not support blocking of Chat signatures.
Even if you manage to block all IM applications, people will still move to web-based IM, like MSN Webmessenger or Yahoo Webmessenger. Less functionality, but still IM.
If you are using pfsense 2.0.1 you can try this:
Then you go and create a firewall rules on your LAN interface and as destination the "Messenger" alias. To use a messenger you mostly need an authentication server and if this server is a domain you listed above then it will be blocked.
But if you have facebook.com in the alias ist will not block bla.facebook.com. You have to enter this domain, too.
Another possibility would be to install squid2 and squidguard and block all http websites you don't want.
Blocking httpS traffic will need further work - your client's browser needs to be configured for this proxy.
The last thing you could try is a Layer 7 filter in "Traffic shaper" and try if the one or other filter will work against the messengers.
But getting this to work in such a short time isn't really easy and we need more information about the network.
The other way could be to block everything to outside and just allow the neccessary pages.
How about you start by showing your bosses that you can block one IM protocol.
This proves that you have the ability to fulfill the request. Explain the difficulties in blocking such a service outright because of the different ports, different protocols, web-based chat and so on. Then, you can request more time to accomplish the block in order to avoid interfering with legitimate traffic.
Also explain to them how this would be difficult to do on any platform.
Honesty tends to go a long way in any situation.
Lastly, you could make a nice presentation to go with this. Make screenshots showing settings, protocol filters, use IMspector to show your bosses that you can see 'into' the messaging protocols and so on.
You will be fine.
Contact me and I'll be more than happy to work with you. :)