Actually, I was just using AOL Instant Messenger as an example. Another example is that I might want to block and log cvsup (tcp 5999) traffic from going outbound. If I don't have it in my allowed tcp_ports it should be blocked and not allowed out. I tried to cvsup out and it works (allowed out) and is not logged. Why is this? I would like to know how to block and log outbound traffic to the ports that are not specified in tcp_ports or udp_ports. Let me know how I can do this. Thanks.
On Fri, 12 Nov 2004 11:41:10 -0600, Kevin <[EMAIL PROTECTED]> wrote:
> On Fri, 12 Nov 2004 10:31:13 -0600, Phusion <[EMAIL PROTECTED]> wrote:
> > I'm having a problem because when I tried AOL Instant Messenger, it
> > should have been blocked, logged and not been able to connect because
> > it makes an outbound connection to tcp port 5190 which isn't allowed,
> > but it still works.
>
> AOL Instant Messenger (AIM) is one of the most effective "firewall
> evasive" applications I have seen in my career. The software can make
> it out through just about any packet filter and even most application
> proxy firewalls. It is very difficult to block successfully.
>
> AIM will try to tunnel out via just about any TCP port you might have
> open for default route to the Internet, including FTP and SNTP. AIM
> can also work via a HTTP proxy, though this may require manual
> configuration in the AIM client setup screen.
>
> While a strong deep-protocol-inspection product like the IntruShield
> *might* detect the protocol anomaly, the only effective way for a
> stateful packet inspection device to block AIM is to refuse ALL
> traffic towards the IP addresses which host the "login.oscar.aol.com"
> service (there are approximately fifty such servers under aol.com and
> icq.com).
>
>
> Kevin Kadow
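One way to get the "block and log everything outbound that is not in tcp_ports or udp_ports" behaviour the question asks for, as an added example that is not part of the thread: it assumes a FreeBSD host running ipfw (the thread does not say which firewall is in use), reuses the tcp_ports/udp_ports names from the question, and the port lists, rule numbers and the /etc/ipfw.rules path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Emit an ipfw ruleset that allows
# outbound TCP/UDP only to the ports in tcp_ports/udp_ports and ends with
# explicit deny+log rules, so anything else (e.g. cvsup on tcp 5999) is
# both blocked and visible in the log instead of slipping past a catch-all.
# Assumption: FreeBSD ipfw syntax; variable names mirror the question.

tcp_ports="22 25 80 443"   # constructed allow-lists; 5999 deliberately absent
udp_ports="53 123"

gen_outbound_rules() {
    # $1 = space-separated TCP ports, $2 = space-separated UDP ports
    n=1000
    # Replies to connections we opened match the dynamic state, so no
    # broad "established"/"allow all" rule is needed (that is the usual
    # reason an unlisted port still gets out without being logged).
    echo "add $n check-state"
    for p in $1; do
        n=$((n + 10))
        echo "add $n allow tcp from me to any $p out setup keep-state"
    done
    for p in $2; do
        n=$((n + 10))
        echo "add $n allow udp from me to any $p out keep-state"
    done
    # Catch-all for outbound traffic not matched above: deny AND log.
    # Logging needs sysctl net.inet.ip.fw.verbose=1 (verbose_limit rate-limits).
    echo "add 60000 deny log tcp from me to any out"
    echo "add 60010 deny log udp from me to any out"
}

# Check whether the generated ruleset has an allow rule for proto/port.
port_allowed_out() {
    # $1 = tcp|udp, $2 = port; exit 0 if allowed out, 1 otherwise
    gen_outbound_rules "$tcp_ports" "$udp_ports" |
        grep -q "allow $1 from me to any $2 out"
}

# Load on the host (assumed path):
#   gen_outbound_rules "$tcp_ports" "$udp_ports" > /etc/ipfw.rules
#   ipfw -q /etc/ipfw.rules
```

After loading, a cvsup attempt to tcp 5999 shows up as a "Deny TCP ... out" line from ipfw in the system log rather than connecting silently.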