Allow Skype in a very restrictive network



  • Hello!

    I have a reverse requirement scenario compared to what most people usually face.

    I have very restrictive outbound rules where only required ports are allowed for access from LAN to Internet. Even the proxy rules are strict, and selectively allow destinations with default rule as deny all.

    I need to allow skype access from this network. Skype's support suggests:

    1. TCP/UDP access to all the ports between 1025 and 65535 to ANY
    2. HTTP/HTTPS access to all on proxy

    Since Skype tries to connect to random IPs (a very large selection of networks, changing with every request), it is impossible to selectively allow them in the proxy or firewall. Layer 7 seems to be the way to go, but I am unable to visualise the configuration for this.

    Could someone please help by giving pointers to solve the problem?

    Thanks in advance.



  • Hi, in my company I did a firewall rule allowing TCP port 33033 to some IP; it works well.



  • But that is for an incoming connection after Skype is able to connect. In my case, Skype is not able to establish a connection for login due to firewall rules.

    Here there are around 20 users with IPs assigned by DHCP. So, forwarding a port for incoming connection to individual IP and configuring their skype for using that port every time their IP changes would be difficult.



  • @codemarauder:

    Skype's support suggests:
    1. TCP/UDP access to all the ports between 1025 and 65535 to ANY
    2. HTTP/HTTPS access to all on proxy

    Skype support, with these rules, suggested you disable/allow all/do not use a firewall…

    @codemarauder:

    Layer 7 seems to be the way to go

    To use L7 rules with Skype, you will need to intercept HTTPS traffic using a man-in-the-middle technique.

    DansGuardian 2.12 has this feature, but until now browsers reject the forged certificate.



  • Thanks marcello.

    It is not possible for me to disable the rule to deny all. I cannot do ALLOW ALL at any cost :) I am not considering using a proxy for Skype access. I want to do it with the firewall itself.

    Snort is able to identify skype user agent, so layer 7 should also be able to identify it without MITM. I am looking for the configuration rules on the firewall assuming that Layer 7 signature is able to identify skype and DENY ALL is the default firewall rule.

    Any help with firewall rules will be gratefully appreciated.


  • Rebel Alliance Developer Netgate

    Layer7 rules can only be used to block or traffic shape, they cannot make a "pass" decision. Mostly this is because you cannot inspect the traffic to see what's inside it unless it's been passed. You can't tell one connection from another on the same port until the data is flowing so it can be inspected.

    Even so, the Skype L7 pattern is known to have issues, I'm not sure if anyone has come up with a new pattern to match it yet.



  • @jimp:

    Layer7 rules can only be used to block or traffic shape, they cannot make a "pass" decision. Mostly this is because you cannot inspect the traffic to see what's inside it unless it's been passed. You can't tell one connection from another on the same port until the data is flowing so it can be inspected.

    Thanks for your reply jimp.

    My understanding is that Floating rules are checked before interface specific rules and the last rule matched on "floating" is applied unless quick is checked which prevents further processing for that packet.

    So, if I create a floating rule that queues the traffic identified by Layer 7 and enable "quick" match, would it be able to push the packets to a queue without matching the "DENY ALL" rule? I can create a separate queue for the matched traffic.

    @jimp:

    Even so, the Skype L7 pattern is known to have issues, I'm not sure if anyone has come up with a new pattern to match it yet.

    I had seen some update on Skype L7 pattern in the forum. I will search again and post. Nevertheless, it will be great to learn the logic for using any random Layer 7 (say gtalk for that matter) rule in a scenario like mine.


  • Rebel Alliance Developer Netgate

    That would not work. You must pass the packets to the L7 inspection, then the L7 inspection chooses to deny them or not based on the pattern.

    If any rule blocked the traffic it could never establish an actual connection, so it wouldn't pass any data, so L7 couldn't match it.

    You can't do DPI unless you have P's to I!



  • @jimp:

    That would not work. You must pass the packets to the L7 inspection, then the L7 inspection chooses to deny them or not based on the pattern.

    If any rule blocked the traffic it could never establish an actual connection, so it wouldn't pass any data, so L7 couldn't match it.

    You can't do DPI unless you have P's to I!

    Thanks Jim for explaining it in such a precise and easy to understand manner.

    That means, in order to allow skype, I would need to do an "ALLOW ALL" for TCP/UDP ports 1025:65535 and use L7 rules to block unwanted traffic. That would create a large L7 filter list and some performance issues might come up.

    Other solution was Snort, but we can't run it inline here AFAIK.

    I must say, Skype is a pain for both - those who want to allow and those who want to block it.



  • I have never had any luck with the Skype L7 rules and AFAIK from looking at many posts here, nobody else has either.
    What did work for me was Squid/SquidGuard in non-transparent mode with an ACL with the "no IP addresses in URL" tickbox checked.
    Selective Skype access/deny could be done via client IP in the group ACL.



  • @codemarauder:

    I am not considering using proxy for skype access. I want to do it with the firewall itself.

    I had to resort to a web proxy to be able to log in on Facebook, as nobody could come up with a workable solution… good luck to you



  • @codemarauder:

    I am not considering using proxy for skype access. I want to do it with the firewall itself.

    The way it could work is to allow https for an internal clients host alias applied to a lan rule.
    It will allow access to any https site too but skype will work.

    @EOC2611P:

    I had to resort to a web proxy to be able to log in on Facebook, as nobody could come up with a workable solution… good luck to you

    web proxy is a workable solution.  ;)



  • @marcelloc:

    @EOC2611P:

    I had to resort to a web proxy to be able to log in on Facebook, as nobody could come up with a workable solution… good luck to you

    web proxy is a workable solution.  ;)

    Yes it is, but I guess the end-users would expect it to work in a different way; maybe for developers it is different.
    I mean, if you buy a car to go shopping, once you start your engine, there should not be a need to also call a taxi to tow you to the shop and back :D



  • @marcelloc:

    The way it could work is to allow https for an internal clients host alias applied to a lan rule.
    It will allow access to any https site too but skype will work.

    web proxy is a workable solution.  ;)

    Actually, I also have a web proxy configured which doesn't allow access by IP addresses, and only a handful of sites are allowed. The default rule for each group on SquidGuard is "DENY", which is not Skype friendly. And I can't befriend Skype by inviting ALL friends and foes together.

    I had studied Skype's web-access logs and it works in multiple stages, connecting to servers/hosts in a tiered manner as described in this Wikipedia article: http://en.wikipedia.org/wiki/Skype_protocol. I tried to allow network ranges in the proxy as well (converting them to individual IPs; there were hundreds of IPs in hundreds of ranges), which doesn't work reliably. Randomly, clients were able to connect but most of the time could not, because they tried to connect to some IPs which were not in the whitelist. This method was like a never-ending wild goose chase. Add to that the network ranges of Microsoft that Skype connects to since MS bought it.

    In comparison, I find GoToMyPC's documentation perfect for network administrators. They have provided all the IP ranges that you can use to selectively allow in your proxy or firewall.



  • @codemarauder:

    Actually, I also have web proxy configured which doesn't allow access by IP addresses and only handful of sites are allowed. D

    Try to just disable the SquidGuard option that does not allow direct IP access in the URL.



  • Some time ago, I posted some info about L7 and Skype at http://forum.pfsense.org/index.php?topic=40558.0



  • @marcelloc:

    Try to just disable the SquidGuard option that does not allow direct IP access in the URL.

    That is disabled Marcello. As I had mentioned earlier, only selective domains and URLs are allowed from my network. I do not want to do "ALLOW ALL", but only want to allow Skype to connect.

    I understand that it is not possible anyhow, so I am considering this thread as closed.



  • Thanks Dhatz.

    @dhatz:

    Some time ago, I posted some info about L7 and Skype at http://forum.pfsense.org/index.php?topic=40558.0

    But this is not going to be of any help in my scenario, where I want to selectively allow Skype, POP3S, IMAPS, SMTPS, FTP, SSH, Jabber, HTTP/S but block everything else.



  • codemarauder,

    I had the same issue as yours and I solved it by doing this:

    1- I've created a layer 7 rule that blocks http traffic.

    2- Then I've granted access through ports 80 and 443 but applying the layer 7 filter created on step 1.

    3- Note that I've placed the layer 7 rules at the end of the rules so they don't block other HTTP "Pass" rules.

    4- The last rule is a "Block" all traffic.

    Hope it helps… let me know.



  • You've created an allow rule on port 80 blocking all HTTP traffic? Why???

    This l7 rule is able to filter ssl connections on 443?



  • marcelloc,

    All of my HTTP traffic must go through proxy (3128) and I'm not using transparent proxy.

    HTTPS through 443 was a concern, but it seems that the HTTP layer 7 filter is blocking HTTPS as well.

    My network is very restrictive and all outbound traffic must be explicitly allowed where needed.



  • OK, understood :)



  • Hi, I've been using this solution as well, but 3 weeks ago it stopped working. The PCs can't connect to Skype; it times out. Does anyone know if the Skype protocol was changed lately? Is there another way to allow Skype but block HTTP/HTTPS?

    Thanks!



  • I have the same problem: with only 80 and 443 outbound open, Skype doesn't work.
    How did you solve it?



  • For anyone who has the problem: you also need to open 33033 TCP outbound, which is needed for first-time authentication.
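
To make the rule-ordering discussion concrete, the following is an added example (not code from this thread or from pfSense) that models pf's evaluation order as the posters describe it: last matching rule wins unless a matching rule is "quick", a block rule leaves nothing for an L7 pattern to inspect, and the working ruleset from the later posts (pass 80/443 with an HTTP-blocking L7 pattern applied, pass TCP 33033, deny everything else). The `HTTP_L7` regex is a constructed stand-in for the l7-filter "http" pattern, the addresses are constructed documentation IPs, and the payloads are constructed sample bytes; none of them come from the thread.

```python
"""Toy model of pf rule evaluation on pfSense, written to illustrate this thread.
Constructed example: rules, addresses, payloads and the L7 regex are all stand-ins."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                                  # "pass" or "block"
    proto: str = "any"                           # "tcp", "udp" or "any"
    dports: Tuple[int, int] = (1, 65535)         # inclusive destination port range
    dst: Optional[frozenset] = None              # destination alias (set of IPs), None = any
    quick: bool = False                          # pfSense interface rules are quick; floating rules only if ticked
    l7_block: Optional[re.Pattern] = None        # L7 pattern that drops the flow AFTER it was passed
    label: str = ""


@dataclass
class Conn:
    proto: str
    dst: str
    dport: int
    payload: bytes = b""                         # first application bytes; only visible once the flow is passed


def rule_matches(rule: Rule, conn: Conn) -> bool:
    return (rule.proto in ("any", conn.proto)
            and rule.dports[0] <= conn.dport <= rule.dports[1]
            and (rule.dst is None or conn.dst in rule.dst))


def evaluate(rules: List[Rule], conn: Conn) -> Tuple[str, str, bool]:
    """Return (decision, winning rule label, whether L7 inspection ever ran)."""
    winner = None
    for r in rules:
        if rule_matches(r, conn):
            winner = r                           # last match wins ...
            if r.quick:
                break                            # ... unless the match is quick
    if winner is None:
        return "block", "default deny", False
    if winner.action == "block":
        return "block", winner.label, False      # nothing was passed, so no payload exists to inspect
    # The flow is passed: data can now flow, so the L7 pattern finally has bytes to look at
    if winner.l7_block is not None and winner.l7_block.search(conn.payload):
        return "block", winner.label + " (L7 http)", True
    return "pass", winner.label, winner.l7_block is not None


# Constructed stand-in for the l7-filter "http" pattern: a plaintext HTTP request line.
HTTP_L7 = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
WEB_PROXY = frozenset({"192.0.2.1"})            # constructed address of the internal Squid box

# Ruleset assembled from the thread's working solution plus the TCP 33033 addendum.
THREAD_RULESET = [
    Rule("pass", "tcp", (3128, 3128), dst=WEB_PROXY, quick=True, label="lan -> proxy"),
    Rule("pass", "tcp", (80, 80), quick=True, l7_block=HTTP_L7, label="tcp/80 minus http"),
    Rule("pass", "tcp", (443, 443), quick=True, l7_block=HTTP_L7, label="tcp/443 minus http"),
    Rule("pass", "tcp", (33033, 33033), quick=True, label="tcp/33033 first-time auth"),
    Rule("block", label="deny all"),
]

# Constructed sample connections from a LAN client.
SAMPLES = {
    "proxy": Conn("tcp", "192.0.2.1", 3128, b"GET http://example.com/ HTTP/1.1\r\n"),
    "direct_http": Conn("tcp", "198.51.100.30", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    "tls_443": Conn("tcp", "198.51.100.40", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),
    "skype_auth": Conn("tcp", "198.51.100.50", 33033, b"\x80\x46\x01\x03"),
    "random_udp": Conn("udp", "198.51.100.60", 40000, b"\x02\x01"),
}


def floating_demo() -> Tuple[str, str]:
    """Floating rules: without quick the LAST matching rule decides; quick stops at the first match."""
    web = Conn("tcp", "198.51.100.10", 80)
    no_quick = [Rule("pass", "tcp", (80, 80), label="floating pass 80"),
                Rule("block", "tcp", (80, 80), label="floating block 80")]
    with_quick = [Rule("pass", "tcp", (80, 80), quick=True, label="floating pass 80 quick"),
                  Rule("block", "tcp", (80, 80), label="floating block 80")]
    return evaluate(no_quick, web)[0], evaluate(with_quick, web)[0]


def dpi_needs_packets() -> Tuple[str, str, bool]:
    """Under deny-all the L7 engine never sees a byte, so it can never turn into a pass decision."""
    return evaluate([Rule("block", label="deny all")], SAMPLES["tls_443"])


def thread_ruleset_demo() -> dict:
    """Decision per sample connection under the thread's ruleset."""
    return {name: evaluate(THREAD_RULESET, c)[0] for name, c in SAMPLES.items()}


if __name__ == "__main__":
    print("floating (no quick, quick):", floating_demo())
    print("deny-all, L7 consulted?:", dpi_needs_packets())
    for name, c in SAMPLES.items():
        print(f"{name:12} -> {evaluate(THREAD_RULESET, c)}")
```

Two caveats the model makes visible: the toy regex only matches a plaintext request line, so a TLS handshake on 443 passes here, whereas the poster above observed the real l7-filter "http" pattern blocking HTTPS as well; and the `l7_block` check runs only on a flow that a pass rule already accepted, which is exactly why a floating "queue on L7 match" rule cannot substitute for a pass rule under a default deny.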

