Andy Furniss wrote:
> Taylor, Grant wrote:
>>> Regarding yahoo messenger, I have not looked at this for a while. As I
>>> understood, it used a single outgoing port and if blocked - end of
>>> yahoo.... Or has this changed since I last looked?
>>
>> This must have changed as Yahoo will try to connect to 4 different servers
>> on 8 different ports for basic IM use. If you want to use other
>> features like the webcam, file sharing, or voice chat there are
>> different servers and different ports that your client will connect to.
>> Take a look at
>> http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you
>> want to see Yahoo's definition of what the client does. I wrote a RegEx
>> of the various host names that Yahoo will connect to,
>> "((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com".
>> If I could implement a match in DNS for this RegEx I would do so to
>> prevent computers on my networks from finding things.
>
> What fun it must be being a netadmin - what don't you want to block, by
> which I mean wouldn't it be easier to block everything and run
> squid/mail server.
>
> Andy.

Yes, I too have been reading these things asking myself why one would allow
users such open access. One reason, of course, is that it is difficult to
allow some HTTP but not other, so if the port is 80, it pretty much has to
be OK. So how would squid (or anything else except perhaps Layer 7) know
that this particular connection is A Bad Thing?

I have been successful at limiting the number of FTP connections per user
using iptables' connlimit and helper. That's where I'd start. And if three
turned out to be too many, I'd reduce connlimit to 2 for HTTP and 1 for FTP.
# user-defined chain: drop a client's 4th+ concurrent connection, let the
# rest of an established flow through, hand anything else back to FORWARD
iptables -N HTTP
iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A HTTP -j RETURN

# send web traffic in both directions, and FTP helper-tracked traffic, to it
iptables -A FORWARD -p tcp --dport 80 -j HTTP
iptables -A FORWARD -p tcp --sport 80 -j HTTP
iptables -A FORWARD -m helper --helper ftp -j HTTP

In conjunction with my ACL (posted here a while back; it limits specific
users to specific ports), the above would not be total deny, but it sure
would put a dent in abuse.

gypsy

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
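Grant's quoted host-name pattern uses shorthand ("(|a-z)", "(0-99)", unescaped dots) that no regex engine reads as intended. As an added example that is not from the thread, the pattern below is the same intent written as a real regular expression and run over constructed, simplified "client qname" DNS query-log lines; the log format and sample names are assumptions, not any resolver's actual output.

```python
import re

# Grant Taylor's intent, as a real regex:
#   (scs|scs<letter>|filetransfer).msg.yahoo.com
#   v<1-2 digits>.(vc|vip).sc<letter or 1-2 digits>.yahoo.com
#   webcam.yahoo.com
# Dots are escaped, a trailing dot (FQDN form) is tolerated, case ignored.
YAHOO_MSG_HOST = re.compile(
    r"^(?:"
    r"(?:scs[a-z]?|filetransfer)\.msg"               # scs.msg / scsa.msg / filetransfer.msg
    r"|v\d{1,2}\.(?:vc|vip)\.sc(?:[a-z]|\d{1,2})"    # v12.vip.scd / v3.vc.sc7
    r"|webcam"
    r")\.yahoo\.com\.?$",
    re.IGNORECASE,
)


def is_yahoo_messenger_host(name: str) -> bool:
    """True if the query name matches one of the Messenger service hosts."""
    return YAHOO_MSG_HOST.match(name.strip()) is not None


def flag_queries(log_lines):
    """Return (client, qname) pairs for queries to Messenger hosts.

    Each line is assumed to be '<client-ip> <query-name>' (constructed format).
    Malformed lines are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        client, qname = parts[0], parts[1]
        if is_yahoo_messenger_host(qname):
            hits.append((client, qname.rstrip(".").lower()))
    return hits


# Constructed sample log; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    "192.0.2.10 scsa.msg.yahoo.com.",
    "192.0.2.10 www.yahoo.com.",
    "192.0.2.11 v12.vip.scd.yahoo.com",
    "192.0.2.12 mail.example.org",
    "192.0.2.12 webcam.yahoo.com",
    "garbage-line",
]

if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_LOG):
        print(f"{client} looked up Messenger host {qname}")
```

Resolvers such as BIND or dnsmasq take literal names or zones rather than regexes, so the practical use is to run this over query logs to see which Messenger names actually appear on your network and then block those explicitly.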