I agree, but if you are running a proxy before your firewall you can
use ACLs to block the dst addresses. Therefore only the proxy and the
local DNS servers can access through the firewall. If you are running
Checkpoint you can also block traffic on URL filters.

e.g. (Squid ACL syntax: deny any request whose destination host is the
MSN Messenger gateway):
acl baddomains dstdomain gateway.messenger.hotmail.com
http_access deny baddomains

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: 11 March 2002 20:25
To: [EMAIL PROTECTED]
Subject: IM Programs

Hello all.

After watching this list for a few weeks and following one thread
regarding Instant Messengers, I have this to say.  I HATE INSTANT
MESSENGERS.

It is virtually impossible to block them with a firewall.

Here is my experience with each thus far.

AOL Instant Messenger - Ok, I have been able to block this one with
pretty solid results.  I had to pretty much block one class C's worth of
addresses in the 64 region of AOL's address range, but have not heard
any complaints thus far.  The program is pretty damn smart about getting
around rules in your firewall.  It will try to use FTP, TELNET, HTTP,
FINGER, NETBIOS over IP, APPLETALK over IP, 1080 (SOCKS), 1024, Lotus
Notes (TCP 1352) and a few others.  I pretty much locked the subnet down
but AIM was somehow getting through.  I finally figured out that my
CheckPoint firewall was allowing DNS traffic outbound in my rule base
above rule 1.  I had to go to the Properties section and disable the
implicit access to DNS (TCP/UDP 53).  Once I did that, it killed AIM
altogether.

Yahoo Instant Messenger - Ok, this program sucks in that they spread out
their authentication servers across multiple machines and subnets.  The
shotgun approach to locking down a full subnet backfired when people
started to complain about not being able to access Yahoo! web mail or
Yahoo Finance.  I still have more work to do on this one.

MSN - Eegad.  This is probably the most difficult to block.  From my
investigation, if port 1864 is blocked (MSN's auth port), it will use
HTTP and access one of the main MSN pages.  So, I have a choice: kill
off access to MSN outright or allow MSN to run if people manage to
install it.  :(

ICQ - I have not even played with this one yet, but as I remember, it
will also auto-hack to get around firewalls.

PROPOSAL:
===========

I'd like to compile as complete a list as possible of ALL IP addresses
of the hosts that the IM clients will attempt to connect to.  It's a lot
of work on the firewall, but it's the only way I can see to stop the IM
traffic and still allow web traffic to remain as unaffected as possible.

If you want to mail me your IPs, I'll compile a list and post them on my
web site.

Thanks,

Craig Brauckmiller
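The reply's Squid ACL and Craig's note that MSN falls back to plain HTTP when its auth port is closed suggest a follow-up check that neither message spells out: once IM traffic is forced through the proxy, the proxy's access.log shows who is still trying, and whether the deny rule actually fires. The script below is an added example, not code from either message. It parses Squid's native access.log format, applies dstdomain-style matching (assumed from the Squid documentation: a pattern with a leading dot matches the domain and its subdomains, one without a dot matches only that exact host), and counts per client how many requests to IM gateways were denied versus let through. The only gateway host taken from the thread is gateway.messenger.hotmail.com; the .messenger.example.net entry, the client addresses and every log line are constructed for the example.

```python
"""Audit a Squid access.log for attempts to reach blocked IM gateways.

Added example; the log lines, client addresses and the second blocked
domain are constructed for illustration.
"""
import re
from collections import defaultdict

# gateway.messenger.hotmail.com is the host from the reply's ACL; the second
# entry is a hypothetical extra gateway written with a leading dot so that
# all of its subdomains match too (assumed Squid dstdomain semantics).
BLOCKED_DOMAINS = [
    "gateway.messenger.hotmail.com",
    ".messenger.example.net",
]

# Squid native access.log layout, one request per line:
#   timestamp elapsed client action/status size method url ident hier/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: two denied MSN attempts from one client, one ordinary
# hotmail.com page view, one IM login that slipped past the ACL, one junk line.
SAMPLE_LOG = [
    "1015876800.123    5 10.0.0.15 TCP_DENIED/403 1234 GET http://gateway.messenger.hotmail.com/ - NONE/- text/html",
    "1015876801.456   12 10.0.0.15 TCP_DENIED/403 1234 CONNECT gateway.messenger.hotmail.com:443 - NONE/- -",
    "1015876802.789  210 10.0.0.22 TCP_MISS/200 5120 GET http://www.hotmail.com/ - DIRECT/192.0.2.20 text/html",
    "1015876803.012  340 10.0.0.31 TCP_MISS/200 2048 GET http://login.messenger.example.net/ - DIRECT/192.0.2.10 text/html",
    "this line is not a squid log record",
]


def dstdomain_match(host, pattern):
    """Squid dstdomain semantics (assumed from the docs): '.example.net'
    matches example.net and any subdomain; 'host.example.net' only itself."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def url_host(method, url):
    """Extract the destination host: CONNECT logs 'host:port', others a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1) if m else None


def parse_line(line):
    """Return a dict of fields plus the destination host, or None if malformed."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = url_host(rec["method"], rec["url"])
    return rec


def audit(lines, blocked=BLOCKED_DOMAINS):
    """Per client, count requests to blocked IM hosts that Squid denied
    versus served. Any 'allowed' count means the ACL is missing a host or
    the http_access ordering lets the request through."""
    report = defaultdict(lambda: {"denied": 0, "allowed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] is None:
            continue
        if not any(dstdomain_match(rec["host"], p) for p in blocked):
            continue
        key = "denied" if rec["action"].startswith("TCP_DENIED") else "allowed"
        report[rec["client"]][key] += 1
    return dict(report)


if __name__ == "__main__":
    for client, counts in sorted(audit(SAMPLE_LOG).items()):
        flag = "  <-- ACL gap" if counts["allowed"] else ""
        print(f"{client}: denied={counts['denied']} allowed={counts['allowed']}{flag}")
```

Run against a real access.log with `audit(open("/var/log/squid/access.log"))`; the clients with non-zero `allowed` counts are the ones whose IM hosts still need an ACL entry, and the denied counts tell you who is worth a word once the firewall only lets the proxy and DNS servers out.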