Re: [fw-wiz] Blocking web browsing completely and allowing only Skype out to the Internet



While I don't know why you'd want to do this (the web is a very
useful business tool), it's pretty easy.

Here goes:

First, permit access to the Skype website. At last check this is:

www.skype.com canonical name = web1.skype.com.
Name: web1.skype.com
Address: 204.9.163.136
Name: web1.skype.com
Address: 198.173.5.35

So, on a Cisco, that's:

access-list 101 permit tcp any host 204.9.163.136 eq 80
access-list 101 permit tcp any host 204.9.163.136 eq 443
access-list 101 permit tcp any host 198.173.5.35 eq 80
access-list 101 permit tcp any host 198.173.5.35 eq 443

! Then block HTTP ports 80, 443, 8080, etc.
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 8080

! And as a last rule, permit traffic to the internet...
access-list 101 permit ip any any

The Skype port is 36013, and that should pass with the above ruleset,
although Skype does use 80 and 443 to get around firewalls. This
might cause some trouble communicating with some clients. I recommend
that you don't do this at all.

If you're interested in restricting web usage, why not look at
products like Bluecoat or other transparent (WCCP) web proxies?

-j
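
Added example, not part of the original message: a small first-match evaluator for the ACL posted above, for checking which rule decides a given flow. It handles only the syntax used in that ACL; the inside host 10.0.0.5 and the destination 192.0.2.10 are constructed test values.

```python
import ipaddress

# ACL 101 as posted in the message above.
ACL_101 = """\
access-list 101 permit tcp any host 204.9.163.136 eq 80
access-list 101 permit tcp any host 204.9.163.136 eq 443
access-list 101 permit tcp any host 198.173.5.35 eq 80
access-list 101 permit tcp any host 198.173.5.35 eq 443
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 8080
access-list 101 permit ip any any
"""

def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list; return a network."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError("unsupported address spec: " + word)

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used above into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue  # skip blanks and comment lines
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First match wins: return (action, 1-based rule number)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        if r_proto in ("ip", proto) and src in r_src and dst in r_dst \
                and r_port in (None, dst_port):
            return action, n
    return "deny", None  # implicit deny when nothing matches

if __name__ == "__main__":
    # Constructed flows from a hypothetical inside host 10.0.0.5.
    for flow in [("tcp", "10.0.0.5", "204.9.163.136", 443), ("tcp", "10.0.0.5", "192.0.2.10", 80),
                 ("tcp", "10.0.0.5", "192.0.2.10", 36013), ("tcp", "10.0.0.5", "192.0.2.10", 8000)]:
        print(flow, evaluate(parse_acl(ACL_101), *flow))
```

The last two flows are both decided by rule 8, the final permit: the ACL filters the three listed ports, and every other destination port passes.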



On Oct 23, 2007, at 1:28 PM, Siju George wrote:

Hi,

Is anybody doing something like this on any of their firewalls?

i.e., blocking all web browsing and at the same time allowing only Skype
to the outside world?

Could you please let me know how you do that?

Thank you so much

Kind Regards

Siju
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
