Blocking of MSN and Yahoo Messanger Services

rmujeeb81
Level 1

I have a 506E PIX Firewall with version 6.3(4). I want to block the MSN and Yahoo messenger services for LAN users. For this I applied an access list at the inside interface:

access-list 111 deny tcp host 10.0.0.x any eq 1863 ( MSN port )

and for Yahoo 5050.

access-list 111 permit ip host 10.0.0.x any ( Permit all other traffic for this host )

After that the access list hit counts show that the condition is matched, but the user is still able to connect to MSN & Yahoo.

Regards,

Mujeeb

22 Replies

m.sir
Level 7

There is a problem: if those messengers are not able to use their default ports they move to tcp 80, and that is open on most networks.

So you need to block the messenger (destination) servers.

1) object groups with ports for MSN:

object-group service MSN_Messenger_tcp tcp
 description MSN Messenger tries to use these ports
 port-object eq www
 port-object eq 1863
 port-object eq 7001

2) object group for MSN servers

object-group network MSN_Messenger_hosts
 description hosts that MSN Messenger lives on
 network-object 65.54.195.0 255.255.255.0
 network-object 65.54.225.0 255.255.255.0
 network-object 65.54.226.0 255.255.254.0
 network-object 65.54.228.0 255.255.254.0
 network-object host 65.54.240.61
 network-object host 65.54.240.62
 network-object 207.46.104.0 255.255.252.0
 network-object 207.46.108.0 255.255.255.0
 network-object 207.68.171.0 255.255.255.0

3) Access-list to block Microsoft Messenger with those object groups

access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp

4) Block Yahoo instant messenger servers

access-list acl-inside deny ip any host 64.58.78.228
access-list acl-inside deny ip any host 66.163.172.50
access-list acl-inside deny ip any host 66.163.172.51
access-list acl-inside deny ip any host 216.136.232.154
access-list acl-inside deny ip any host 64.58.78.227

NOTE:

Maybe the server list is not up to date, so if the messengers still work, check the firewall logs, where you can find new servers.

M.

Hope that helps, rate if it does

Hi

I have been facing the same kind of MSN block problem.

I put the configuration as you mentioned, but I cannot browse any site.

access-list outbound permit icmp any any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any eq www any
access-list outbound permit tcp any eq smtp any
access-list outbound permit tcp any eq pop3 any
access-list outbound permit tcp any eq ftp any
access-list outbound permit tcp any eq pptp any
access-list outbound permit tcp any eq 1701 any
access-list outbound permit tcp any eq 1247 any
access-list outbound permit udp any eq 1723 any
access-list outbound permit udp any eq 1247 any

Whenever I put the ACL:

access-list outbound permit ip any any

then I can browse and am also able to connect to the MSN service.

Please provide your suggestion.

Hello

Looks like you're missing DNS for your outbound ACL, and your ACL looks backwards. Did you try to convert a conduit statement? ACLs are formatted as follows:

access-list (name of acl) (permit or deny) (protocol) (source ip or network) (source port optional) (destination ip) (destination port optional)

access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq pptp
access-list outbound permit tcp any any eq 1701
access-list outbound permit tcp any any eq 1247
access-list outbound permit udp any any eq 1723
access-list outbound permit udp any any eq 1247
access-list outbound permit udp any any eq 53

Hope this helps.

Patrick
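The operand order Patrick describes decides whether the "permit ... eq www" entries ever match a browser's outbound connection, because a client's source port is ephemeral and only the destination port is 80. The script below is an added example, not code from this thread or from Cisco: it parses the small subset of PIX object-group and access-list syntax used here and evaluates an ACL first-match with the implicit deny at the end, so the backwards and corrected ACLs can be compared against the same flows. The object groups are m.sir's, trimmed to two members; the client sits in the thread's inside range, while the web and DNS server addresses (198.51.100.x) are constructed documentation-range values.

```python
import ipaddress
from collections import namedtuple

# Port keywords the PIX accepts in place of numbers (only those needed here).
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110, "ftp": 21, "pptp": 1723}

Ace = namedtuple("Ace", "action proto src sport dst dport")


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_addr(tok, net_groups):
    """Address spec -> (list of networks, tokens consumed)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], 2
    if tok[0] == "object-group":
        return net_groups[tok[1]], 2
    return [ipaddress.ip_network((tok[0], tok[1]), strict=False)], 2


def parse_port(tok, svc_groups):
    """Optional port spec -> (set of ports, or None for any port; tokens consumed)."""
    if tok and tok[0] == "eq":
        return {port_num(tok[1])}, 2
    if tok and tok[0] == "object-group" and tok[1] in svc_groups:
        return svc_groups[tok[1]], 2
    return None, 0


def parse_config(text):
    """Parse object-groups and access-list lines into {acl_name: [Ace, ...]}."""
    net_groups, svc_groups, acls, current = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "description":
            continue
        if t[0] == "object-group":
            current = t[2]
            if t[1] == "network":
                net_groups[current] = []
            else:
                svc_groups[current] = set()
        elif t[0] == "network-object":
            net_groups[current].extend(parse_addr(t[1:], net_groups)[0])
        elif t[0] == "port-object":
            svc_groups[current].add(port_num(t[2]))
        elif t[0] == "access-list":
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            src, n = parse_addr(rest, net_groups)
            rest = rest[n:]
            sport, n = parse_port(rest, svc_groups)  # only consumed if it really is a port spec
            rest = rest[n:]
            dst, n = parse_addr(rest, net_groups)
            rest = rest[n:]
            dport, _ = parse_port(rest, svc_groups)  # trailing 'log ...' options are ignored
            acls.setdefault(name, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls


def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; falling off the end is the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.sport is not None and sport not in ace.sport:
            continue
        if ace.dport is not None and dport not in ace.dport:
            continue
        return ace.action, i
    return "deny", None


# Object groups from m.sir's post, trimmed to two members.
GROUPS = """
object-group service MSN_Messenger_tcp tcp
 port-object eq www
 port-object eq 1863
 port-object eq 7001
object-group network MSN_Messenger_hosts
 network-object 65.54.195.0 255.255.255.0
 network-object host 65.54.240.61
"""

# The ACL with the port on the source side, as first posted.
BACKWARDS = parse_config(GROUPS + """
access-list outbound permit icmp any any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any eq www any
access-list outbound permit tcp any eq smtp any
""")["outbound"]

# The same ACL with the port on the destination side, plus DNS, as corrected.
CORRECTED = parse_config(GROUPS + """
access-list outbound permit icmp any any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any any eq www
access-list outbound permit udp any any eq domain
""")["outbound"]

# Constructed flows: (proto, src, sport, dst, dport). Servers use TEST-NET-2 addresses.
WEB = ("tcp", "172.20.1.100", 1045, "198.51.100.10", 80)
DNS = ("udp", "172.20.1.100", 1046, "198.51.100.53", 53)
MSN = ("tcp", "172.20.1.100", 1047, "65.54.195.10", 1863)
MSN_HTTP = ("tcp", "172.20.1.100", 1048, "65.54.240.61", 80)

if __name__ == "__main__":
    for label, acl in (("backwards", BACKWARDS), ("corrected", CORRECTED)):
        for name, flow in (("web", WEB), ("dns", DNS), ("msn", MSN), ("msn over 80", MSN_HTTP)):
            print(label, name, evaluate(acl, *flow))
```

Run as-is, it shows the backwards ACL dropping ordinary web and DNS traffic on the implicit deny, and the corrected ACL permitting them while still denying the messenger servers on both 1863 and 80, which is the reason m.sir's service group lists www alongside 1863.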

Patrick

Thanks for your suggestion.

I have put the configuration you mentioned.

Now I can browse and also block the MSN service.

But one problem is that I could not access the mail of Yahoo, Hotmail, Gmail after putting in the user name and password.

The logon screen was displayed.

Please provide your valuable suggestion.

Thanks

Reza

Hi guys,

I have had better success using an ordinary router and NBAR. NBAR recognises this application because it goes beyond the network layer. You can use MQC (modular quality of service command-line) to match and drop this traffic.

That is true; it's a bit less simple but effective with that approach. Although with some of the ASA enhancements it's supposed to look deeper and be able to block on messenger protocols.

Patrick

Can you please provide the MQC commands for a PIX 515E for blocking the MSN service?

Thanks

Reza

MQC doesn't work on a PIX; it's Modular QoS Commands for a router.

As for your question about having problems connecting out with the access-list, I didn't really see anything in your config, unless some of the MSN Messenger servers overlap with the Hotmail servers.

Are you being blocked completely from the Hotmail sites, or does it partially load?

Patrick

I just want to block only MSN Messenger for some internal users.

Thanks

Reza

Reza,

Here is what you can do: add a deny any any at the end of your access-list and set up a logging server with Kiwi Syslog. Send your syslog messages to your server; from there it should show you what is being blocked going to MSN. Replace x.x.x.x with the IP of your logging server.

logging on
logging monitor debugging
logging host inside x.x.x.x

and I can't remember if you need this if you are logging to the syslog to monitor your ACL:

debug access-list all

I'm travelling so I don't have access to my lab equipment.

Hope this helps

Patrick

Reza,

I was thinking another thing you could do is open your connection to Hotmail and, while doing it, issue the command "show conn" to see what ports you're using at that time. Of course you'll need that permit any any at that point to make sure it's allowing the connections to be opened.

Patrick

You could also set your PIX syslog server to send traps every time your computer connected out on the internet.

access-list outbound permit icmp any any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq pptp
access-list outbound permit tcp any any eq 1701
access-list outbound permit tcp any any eq 1247
access-list outbound permit udp any any eq 1723
access-list outbound permit udp any any eq 1247
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq domain
! substitute z.z.z.z with the ip address of your client going to hotmail
access-list outbound permit ip host z.z.z.z any log informational interval 120
! put your logging server in here
logging host inside x.x.x.x
logging trap info

Patrick
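Patrick's logging approach produces two kinds of PIX 6.3 syslog messages: 106023 when an access-group drops a packet, and 106100 for entries that carry the `log` keyword, as the last ACL line above does. The following Python script is an added example, not code from this thread or from Cisco; it parses both message formats and answers the two questions raised in the thread: which destinations and ports a given client actually used while logging on to a webmail site (what "show conn" would show, collected over time), and, following m.sir's note that the server list goes stale, which destinations on the messenger ports 1863 and 5050 fall outside the known server groups. The log lines are constructed in the documented message formats, with the client in the thread's inside range and servers in documentation address ranges; the known server list assumed here is a subset of m.sir's MSN object group.

```python
import re
import ipaddress
from collections import Counter

# PIX 6.3 message shapes handled here:
#   %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
#   %PIX-6-106100: access-list <acl> <permitted|denied> <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt <n> ...
RE_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "
    r'"(?P<acl>[^"]+)"')
RE_106100 = re.compile(
    r"%PIX-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"\w+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \w+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def parse_line(line):
    """Return a dict (action, proto, src, sport, dst, dport, acl) for the two ACL messages, else None."""
    m = RE_106023.search(line)
    if m:
        rec = m.groupdict()
        rec["action"] = "denied"  # 106023 is always a drop
        return rec
    m = RE_106100.search(line)
    return m.groupdict() if m else None


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def destinations_for(records, client, action="permitted"):
    """Counter of (dst, dport) a given client reached (or was denied), by log line."""
    return Counter((r["dst"], int(r["dport"])) for r in records
                   if r["src"] == client and r["action"] == action)


def unknown_messenger_servers(records, known, ports=(1863, 5050)):
    """Destinations hit on messenger ports that are outside the known server networks."""
    known_nets = [ipaddress.ip_network(n, strict=False) for n in known]
    found = set()
    for r in records:
        ip = ipaddress.ip_address(r["dst"])
        if int(r["dport"]) in ports and not any(ip in n for n in known_nets):
            found.add(r["dst"])
    return sorted(found)


# Constructed sample log: one client browsing (permitted), one denied connection on a port
# the ACL does not permit, and messenger logons from a second client to unknown servers.
SAMPLE_LOG = """\
%PIX-6-106100: access-list outbound permitted udp inside/172.20.1.100(1040) -> outside/198.51.100.53(53) hit-cnt 1 (first hit)
%PIX-6-106100: access-list outbound permitted tcp inside/172.20.1.100(1041) -> outside/198.51.100.10(80) hit-cnt 1 (first hit)
%PIX-6-106100: access-list outbound permitted tcp inside/172.20.1.100(1042) -> outside/198.51.100.10(80) hit-cnt 3 (120-second interval)
%PIX-4-106023: Deny tcp src inside:172.20.1.100/1043 dst outside:198.51.100.11/443 by access-group "outbound"
%PIX-4-106023: Deny tcp src inside:172.20.1.100/1044 dst outside:65.54.195.20/1863 by access-group "outbound"
%PIX-4-106023: Deny tcp src inside:172.20.1.101/1045 dst outside:203.0.113.7/1863 by access-group "outbound"
%PIX-4-106023: Deny tcp src inside:172.20.1.101/1046 dst outside:203.0.113.8/5050 by access-group "outbound"
"""

# Subset of the MSN server group from the thread (assumed as the "known" list).
KNOWN_MSN = ["65.54.195.0/24", "65.54.240.61/32"]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("permitted:", destinations_for(recs, "172.20.1.100"))
    print("denied:   ", destinations_for(recs, "172.20.1.100", "denied"))
    print("unknown messenger servers:", unknown_messenger_servers(recs, KNOWN_MSN))
```

The denied view for a client is the list to compare against the ACL when a site half-loads: each (destination, port) pair there is something the ACL did not permit, and the operator decides which of them the site needs. The unknown-server list is only a hint: it reports addresses contacted on the messenger ports, so it should be checked before being added to the object group.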

Patrick

Thanks for your suggestion.

I configured the syslog, which showed the port no. is 80 for Yahoo mail.

I can check mail and the MSN service whenever I put permit ip host x.x.x.x any.

Otherwise not.

Another suggestion please.

Thanks

Reza

Hi

Still I have been facing the following problem from the PIX 515E:

1. Cannot check mail of Yahoo, Hotmail, Gmail,

but the logon screen is displayed.

Whenever I put "access-list outbound permit ip any any" then everything is open, including MSN.

So I want to block only MSN.

Anyone help please.

Thanks

Reza

Following is the configuration:

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1701
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service MSN_Messenger_tcp tcp
 description MSN Messenger tries to use these ports
 port-object eq www
 port-object eq 1863
 port-object eq 7001
object-group network MSN_Messenger_hosts
 description hosts that MSN Messenger lives on
 network-object 65.54.195.0 255.255.255.0
 network-object 65.54.225.0 255.255.255.0
 network-object 65.54.226.0 255.255.254.0
 network-object 65.54.228.0 255.255.254.0
 network-object host 65.54.240.61
 network-object host 65.54.240.62
 network-object 207.46.104.0 255.255.252.0
 network-object 207.46.108.0 255.255.255.0
 network-object 207.68.171.0 255.255.255.0
access-list 102 permit icmp any any
access-list 102 permit tcp any host 172.16.3.10 eq pptp
access-list 102 permit udp any host 172.16.3.10 eq isakmp
access-list 102 permit udp any host 172.16.3.10 eq 1701
access-list 102 permit udp any host 172.16.3.10 eq 1723
access-list 102 permit tcp any host 172.16.3.10 eq ftp
access-list 102 permit tcp any host 172.16.3.10 eq www
access-list 102 permit gre any host 172.16.3.10
access-list 102 permit udp any host 172.16.3.10 eq 1247
access-list outbound permit icmp any any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq pptp
access-list outbound permit tcp any any eq 1701
access-list outbound permit tcp any any eq 1247
access-list outbound permit udp any any eq 1723
access-list outbound permit udp any any eq 1247
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging monitor notifications
logging buffered debugging
logging trap debugging
logging facility 23
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.3.10 255.255.255.0
ip address inside 172.20.1.65 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.3.1 1
