Re: [fw-wiz] Blocking Google Talk

Hash: SHA1


I prefer not to statically block ip addresses. I prefer to mitigate
network traffic based on network service and content.

Google Talk uses transport layer security for login (TCP 443) and XMPP
for XML Jabber communication (TCP port 5222) prior to clients talking
over RTP (typically UDP 8000+ but will vary). Google Talk does not use
SIP (TCP 5060).

Your solution should depend on your network.

1. With your network I would block all UDP that is not DNS and all
outbound TCP port 5222. You can't block TLS to google unless you want
your user's to log in to their mail accounts clear-text.


2. Block all inbound network traffic and most outbound traffic except to
a handful of services (ssh, smtp, pop3, http, https, etc...)

Typically I reccomend solution #2. If I wanted to allow google talk on
my network I would add these rules to my /etc/pf.conf file (assuming
youre using openBSD and not a commercial solution):

rtp_udp = "{ 8000><65535 }" # Adjust to google talk ports

pass out log quick on $EXT_NIC proto TCP from any to any port 5222
flags $SYN_ONLY keep state

pass out log quick on $EXT_NIC proto UDP from any to any port $rtp_udp
keep state

Also, I would make sure to encrypt jabber:



Paul D. Robertson wrote:
On Thu, 15 Jun 2006, Mike Powell wrote:

Does anyone have any ideas for blocking Google's new Google Talk client
without blocking the Google web site? The IP addresses that the Talk

As usual, it's always good to start at the source...

From: Google Team <talk-feedback@xxxxxxxxxx>


Thank you for contacting the Google Talk Team. We understand that it is
sometimes necessary to disable instant messaging services on a network. If
you need to disable Google Talk on your network, we suggest blocking DNS
lookups to, by returning

If we can be of further assistance, please respond to this message and a
member of the Google Talk Team will respond to you shortly.


The Google Team

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact." Infosec discussion boards

firewall-wizards mailing list

Version: GnuPG v1.4.2.1 (GNU/Linux)
Comment: Using GnuPG with Fedora -

firewall-wizards mailing list