Block MSN&Yahoo Messenger

azharmd
Level 1

Hi,

How can I block Yahoo and MSN Messenger on a PIX firewall? What are the ports and the procedure, if any?

Thanks

5 Replies

jmia
Level 7

Hi -

To block MSN Messenger try the following:

· TCP Port 1863

· IP Range 64.4.13.0/24

So on the PIX that would equate to:

> access-list outbound deny tcp any any eq 1863

> access-list outbound deny ip any 64.4.13.0 255.255.255.0

> access-list outbound permit ip any any

> access-group outbound in interface inside

For Yahoo:

Blocking Yahoo Messenger is not as easy as blocking other pieces of software. You see, Yahoo has their servers separated out across various IPs, and you can't just do a range block, for risk of making parts of Yahoo disappear from your users' browsers. So, to block Yahoo Messenger, you must block these 2 servers by DNS address, not range.

DNS names:

cs.yahoo.com

scsa.yahoo.com

Regards - Jay.

This will help block several of the IMs:

AOL Instant Messenger

Prevent File Transfers:

TCP 5190

IM images TCP 4443

Disable altogether:

block login.oscar.aol.com on ALL ports.

MSN

Prevent File Transfers, disable incoming/outgoing TCP 6891

Prevent Audio/Video conferencing, block UDP 13324 and 13325

Prevent Application sharing, block TCP 1503

Disable altogether, deny access to hosts in the msgr.hotmail.com subdomain and block TCP 1863

ICQ

Prevent file transfers, block TCP 3574

Disable file sharing images, block TCP 7320

Disable ICQ completely, deny access to login.icq.com on TCP 5190

You say that you need to block yahoo messenger by dns name. You imply this can be done on a PIX. If you know the secret of setting up a PIX acl based on host/domain name please let me know. We are evaluating PIX vs. Sidewinders now and this is the ONE feature the Sidewinder has over the PIX that may keep us from switching.

You would nslookup the dns name and use the IP. You can't use DNS to resolve names - you can only create "host" entries with the "name" command. From a security point of view, not using dns resolution on the PIX is a good thing, IMHO.

You're correct in that the PIX cannot restrict based on domain name. An alternative would be to blackhole IM domains/hosts e.g., login.oscar.aol.com, by having internal/dmz dns entries for them which direct traffic to a null0 interface somewhere.
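The thread's approach, put into a small generator: specific denies first, the catch-all permit last, and host names replaced by pre-resolved addresses because the PIX cannot match on DNS names. This is an added example, not code from the thread; the ports and the 64.4.13.0/24 range come from the replies above, while the host addresses are constructed placeholders standing in for nslookup results. It also flags the common ordering mistake of placing a deny after `permit ip any any`, where first-match semantics would shadow it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed inputs modelled on this thread (not a complete or current IM block list).
PORT_BLOCKS: List[Tuple[str, int]] = [
    ("tcp", 1863),   # MSN Messenger login
    ("tcp", 6891),   # MSN file transfer
    ("udp", 13324),  # MSN audio/video conferencing
    ("udp", 13325),
]
NET_BLOCKS: List[str] = ["64.4.13.0/24"]  # MSN server range quoted in the thread
# The PIX has no DNS-based ACL matching, so names are resolved ahead of time
# ("nslookup the dns name and use the IP"). The addresses below are constructed
# stand-ins for those lookup results, not the real servers' addresses.
HOST_BLOCKS: Dict[str, Tuple[List[str], Optional[int]]] = {
    "cs.yahoo.com": (["192.0.2.10", "192.0.2.11"], None),
    "scsa.yahoo.com": (["192.0.2.20"], None),
    "login.icq.com": (["198.51.100.5"], 5190),
}


def pix_subnet(cidr: str) -> str:
    """PIX ACLs take a standard netmask ('64.4.13.0 255.255.255.0'), not a wildcard mask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.netmask}"


def build_acl(name: str, iface: str, port_blocks=PORT_BLOCKS,
              net_blocks=NET_BLOCKS, host_blocks=HOST_BLOCKS) -> List[str]:
    """Emit the ACL in the thread's order: specific denies first, catch-all permit last."""
    lines = [f"access-list {name} deny {proto} any any eq {port}" for proto, port in port_blocks]
    lines += [f"access-list {name} deny ip any {pix_subnet(cidr)}" for cidr in net_blocks]
    for _host, (addrs, port) in sorted(host_blocks.items()):
        for addr in addrs:
            ipaddress.ip_address(addr)  # raises ValueError if a name slipped in instead of an IP
            if port is None:
                lines.append(f"access-list {name} deny ip any host {addr}")
            else:
                lines.append(f"access-list {name} deny tcp any host {addr} eq {port}")
    lines.append(f"access-list {name} permit ip any any")
    lines.append(f"access-group {name} in interface {iface}")
    return lines


def shadowed_denies(lines: List[str]) -> List[str]:
    """First-match semantics: any deny placed after 'permit ip any any' never fires."""
    seen_permit_any, shadowed = False, []
    for line in lines:
        if line.endswith("permit ip any any"):
            seen_permit_any = True
        elif seen_permit_any and " deny " in line:
            shadowed.append(line)
    return shadowed
```

Running `build_acl("outbound", "inside")` reproduces jmia's four lines with the Yahoo and ICQ host entries added before the permit; `shadowed_denies` on the result returns an empty list.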