Re: [fw-wiz] Blocking web browsing completely and allowing only Skype out to the Internet
While I don't know why you'd want to do this (the web is a very
useful business tool), it's pretty easy.

Here goes:

First, permit access to the Skype website. At last check this is:

www.skype.com canonical name = web1.skype.com.
Name: web1.skype.com
Address: 204.9.163.136
Name: web1.skype.com
Address: 198.173.5.35

So, on a Cisco, that's:

access-list 101 permit tcp any host 204.9.163.136 eq 80
access-list 101 permit tcp any host 204.9.163.136 eq 443
access-list 101 permit tcp any host 198.173.5.35 eq 80
access-list 101 permit tcp any host 198.173.5.35 eq 443

! Then block HTTP ports 80, 443, 8080, etc.
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 8080

! And as a last rule, permit traffic to the Internet...
access-list 101 permit ip any any

The Skype port is 36013, and that should pass with the above ruleset,
although Skype does use 80 and 443 to get around firewalls. This
might cause some trouble communicating with some clients. I recommend
that you don't do this at all.

If you're interested in restricting web usage, why not look at
products like Bluecoat or other transparent (WCCP) web proxies?

-j
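To see exactly what the ruleset above does and does not block before putting it on a router, it helps to replay it against a handful of flows with first-match semantics. The following is an added example, not code from the original post or from Cisco: a small evaluator for the subset of IOS extended-ACL syntax the post uses (source `any`, destination `any` or `host X`, optional `eq PORT`). The two skype.com addresses and port 36013 are taken from the post; the destination 203.0.113.10 (RFC 5737 TEST-NET-3) is a constructed stand-in for "some other host on the Internet", and the flow labels are mine.

```python
"""Replay the posted Cisco ACL against sample flows (added example).

IOS tries rules top to bottom and the first match decides; an ACL that
matches nothing ends in an implicit deny. The posted list ends with
`permit ip any any`, so in practice nothing reaches the implicit deny.
"""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip" (any protocol), "tcp" or "udp"
    dst_host: Optional[str]   # None means the keyword "any"
    dst_port: Optional[int]   # None means no "eq <port>" qualifier


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int


def parse_acl(text: str) -> List[Rule]:
    """Parse the subset of 'access-list N ...' syntax used in the post:
    'any' source, 'any' or 'host X' destination, optional 'eq PORT'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # '!' is the IOS comment marker
            continue
        tok = line.split()
        if tok[0] != "access-list" or tok[4] != "any":
            raise ValueError(f"unsupported ACL line: {line}")
        action, proto = tok[2], tok[3]
        rest = tok[5:]                            # destination part
        if rest[0] == "host":
            dst_host, rest = rest[1], rest[2:]
        elif rest[0] == "any":
            dst_host, rest = None, rest[1:]
        else:
            raise ValueError(f"unsupported destination in: {line}")
        dst_port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, dst_host, dst_port))
    return rules


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return 'permit' or 'deny' for a flow under first-match semantics."""
    for r in rules:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if r.dst_host is not None and r.dst_host != flow.dst_ip:
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        return r.action
    return "deny"    # implicit deny at the end of every IOS ACL


# The ruleset as posted, with IOS-style '!' comments.
ACL_101 = """
access-list 101 permit tcp any host 204.9.163.136 eq 80
access-list 101 permit tcp any host 204.9.163.136 eq 443
access-list 101 permit tcp any host 198.173.5.35 eq 80
access-list 101 permit tcp any host 198.173.5.35 eq 443
! Then block HTTP ports 80, 443, 8080
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 8080
! Last rule: permit everything else
access-list 101 permit ip any any
"""

RULES = parse_acl(ACL_101)


def decide(proto: str, dst_ip: str, dst_port: int) -> str:
    return evaluate(RULES, Flow(proto, dst_ip, dst_port))


def report() -> dict:
    """Decisions for the flows worth checking before deploying the ACL.
    203.0.113.10 is a constructed 'some other host' (RFC 5737 TEST-NET-3)."""
    cases = {
        "skype.com over https": ("tcp", "204.9.163.136", 443),
        "other site over http": ("tcp", "203.0.113.10", 80),
        "other site over https": ("tcp", "203.0.113.10", 443),
        "other site via 8080": ("tcp", "203.0.113.10", 8080),
        "skype native port": ("tcp", "203.0.113.10", 36013),
        "skype over udp": ("udp", "203.0.113.10", 36013),
        "web on 8443 (not in the deny list)": ("tcp", "203.0.113.10", 8443),
        "skype falling back to 443 (blocked too)": ("tcp", "203.0.113.10", 443),
    }
    return {name: decide(*flow) for name, flow in cases.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{verdict:6}  {name}")
```

The replay makes the two caveats in the reply concrete: the deny rules only cover three ports, so a web server listening on 8443 or any other port is reachable through the final `permit ip any any`, and a Skype client that falls back to 443 against a non-skype.com host is denied just like a browser would be. It also shows that the permit rules are keyed to a DNS snapshot, so they silently stop matching when the site's addresses change.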
On Oct 23, 2007, at 1:28 PM, Siju George wrote:

Hi,

Is anybody doing something like this on any of their firewalls?

i.e. blocking all web browsing and at the same time allowing only Skype
to the outside world?

Could you please let me know how you do that?

Thank you so much

Kind Regards

Siju
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
