On Thu, May 10, 2007 at 04:02:04AM -0400, Cristian Rodriguez R. wrote:
> Divan Santana wrote:
> > Hello everybody!
> >
> > I love shorewall!
> >
> > One thing I would really like to know how to get right is how to block
> > skype exactly?
> >
> > I understand it uses port 443 etc but is there any way of doing this?
> > Surely other people have tried this?
>
> That will be pretty hard, skype is designed to bypass firewalls and
> work OK with NAT, it uses multiple ports and when it does not find any..
> it goes via port 80 or any other commonly opened port. good luck ;-)

Skype is indeed designed to make firewalling impossible, by disguising itself as HTTPS traffic. However, you can filter it with a proxy (in current versions, at least):

Prohibit all outbound connections and require everybody to use squid for web access. Any other outbound protocols must be proxied or otherwise passed through secure hosts (such as site DNS and mail servers).

Include these rules in the squid config:

    # Targets that start with a dotted-quad IPv4 address
    acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    # Proxy tunnel requests (how HTTPS passes through squid)
    acl connect method CONNECT
    # Refuse tunnels whose target is a bare IP address
    http_access deny connect numeric_IPs all

Real HTTPS connects to hostname URLs (because that's what the certificates contain); skype uses IP addresses. Other non-HTTPS proxy attempts are also likely to be blocked by this. There is not much you can do about that.
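
Added example, not part of the original message: a dry-run audit of a Squid access.log that lists, per client, the CONNECT targets the rule above would deny, so the collateral blocking mentioned in the reply can be reviewed before enforcement. The log lines are constructed, the function names are this example's own, and IPv6 literals are also flagged, which goes beyond the IPv4-only regex in the message.

```python
import ipaddress

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1178784124.101 452 192.168.1.20 TCP_MISS/200 3120 CONNECT 203.0.113.45:443 - DIRECT/203.0.113.45 -
1178784125.310 910 192.168.1.21 TCP_MISS/200 8841 CONNECT mail.example.org:443 - DIRECT/198.51.100.7 -
1178784126.007 88 192.168.1.20 TCP_MISS/200 1502 CONNECT 198.51.100.99:80 - DIRECT/198.51.100.99 -
1178784127.554 120 192.168.1.22 TCP_MISS/200 5230 GET http://192.0.2.10/index.html - DIRECT/192.0.2.10 text/html
1178784128.900 300 192.168.1.20 TCP_MISS/200 2210 CONNECT [2001:db8::5]:443 - DIRECT/2001:db8::5 -
1178784129.200 15 192.168.1.23 TCP_MISS/200 1400 CONNECT 1.2.3.example.com:443 - DIRECT/198.51.100.8 -
"""

def connect_host(target):
    """Return the host part of a CONNECT target such as 'host:443' or '[v6]:443'."""
    host, sep, _port = target.rpartition(":")
    if not sep:                      # no port given
        host = target
    return host.strip("[]")          # IPv6 literals arrive bracketed

def is_ip_literal(host):
    """True when the host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def would_deny(line):
    """Mirror the intent of 'deny connect numeric_IPs' for one log line."""
    fields = line.split()
    if len(fields) < 7:
        return False                 # truncated or malformed line
    method, target = fields[5], fields[6]
    return method == "CONNECT" and is_ip_literal(connect_host(target))

def audit(log_text):
    """Map each client address to the CONNECT targets that would be denied."""
    hits = {}
    for line in log_text.splitlines():
        if would_deny(line):
            fields = line.split()
            hits.setdefault(fields[2], []).append(fields[6])
    return hits

if __name__ == "__main__":
    for client, targets in audit(SAMPLE_LOG).items():
        print(client, len(targets), ", ".join(targets))
```

Clients that appear here with many distinct numeric targets are the ones to look at first; a single numeric target may be a legitimate application that needs an explicit allow rule placed before the deny.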
