Re: can Hopster traffic be blocked?
From: lonely wolf (wolfy_at_nobugconsulting.ro)
Date: Fri, 06 Aug 2004 00:40:32 +0300 To: firstname.lastname@example.org
Prakash Purushotham wrote:
> Current setup:
> RH9 all patches current
> iptables set to deny all direct traffic out except to a select few
> squid with acls to allow only http(s)/ftp,
Guess why port 80 is called the 'universal firewall bypass'.
> more acls to allow access to msn/yahoo.
> Some users have installed hopster and are able to connect to messenger
> servers even if they are not listed under the "chat access" acls.
> The following site has some information on hopster and similar software.
> I have tried in vain to block traffic using iptables. I tried INPUT
> filter on traffic coming in from port 1863 (for example), under the
> assumption that the messenger server has to reply to hopster requests. I
> have tried blocking FORWARDs again, based on source port 1863 on the
> external interface.
Wrong way. Connections are already SOCKS-ified.
> My last resort (administrative) is to invoke the rule that no
> unauthorized software be installed on the systems.
> Any suggestions on how I can block hopster (and other similar socks
> based tunneling applications) from tunnelling out.
I bet all my weekend beers that the only way out is content filtering
done at the proxy level. Maybe squidguard/dansguardian could help. Or
snort. Otherwise... IBM websense.
You cannot filter based on IP addresses because the users can always
look for open proxy servers to chain with, and replace them more often
than you can hunt them.
-- Manuel Wolfshant linux registered user #131416 IT manager NoBug Consulting Romania http://www.brainbench.com/transcript.jsp?pid=40317
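The proxy-level check Manuel points at, as an added example that is not part of the original thread or of any of the tools named in it: a Python script that reads Squid's native access.log and flags established CONNECT tunnels that look like a tunnelling client rather than a browser (CONNECT to a port other than 443, CONNECT to a bare IP address instead of a hostname, a single tunnel held open for a long time). The log lines are constructed for the example, and the thresholds and heuristics are assumptions about what a tunnelling client tends to look like, not a description of how hopster itself behaves.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Squid native access.log lines (added for this example, not from the post).
# Native format: timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1091743200.101 312 10.0.0.5 TCP_MISS/200 14321 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1091743205.442 988 10.0.0.5 TCP_MISS/200 5120 CONNECT login.live.com:443 - DIRECT/65.54.179.203 -
1091743210.007 3723011 10.0.0.7 TCP_MISS/200 88123 CONNECT 207.46.110.33:1863 - DIRECT/207.46.110.33 -
1091743215.250 2591004 10.0.0.9 TCP_MISS/200 40211 CONNECT 198.51.100.20:443 - DIRECT/198.51.100.20 -
1091743220.333 120 10.0.0.9 TCP_DENIED/403 1478 CONNECT messenger.hotmail.com:1863 - NONE/- text/html
"""

# Heuristic thresholds: assumptions for this example, tune them to the site's traffic.
ALLOWED_CONNECT_PORTS = {443}
LONG_TUNNEL_MS = 10 * 60 * 1000   # a CONNECT held open for more than 10 minutes


def parse_line(line):
    """Split one native-format access.log line into the fields this check needs."""
    parts = line.split()
    if len(parts) < 7:
        return None
    result, _, status = parts[3].partition("/")
    return {
        "elapsed_ms": int(parts[1]),
        "client": parts[2],
        "result": result,
        "status": int(status) if status.isdigit() else 0,
        "bytes": int(parts[4]),
        "method": parts[5],
        "url": parts[6],
    }


def split_connect_target(url):
    """CONNECT targets are host:port; return (host, port), or (url, None) if no port."""
    host, sep, port = url.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return url, None


def is_ip_literal(host):
    """True when the CONNECT target is a raw IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_tunnel(entry):
    """Return the reasons an established CONNECT tunnel looks like a tunnelling client."""
    if entry["method"] != "CONNECT" or entry["status"] != 200:
        return []    # not a tunnel, or squid already denied it
    host, port = split_connect_target(entry["url"])
    reasons = []
    if port not in ALLOWED_CONNECT_PORTS:
        reasons.append(f"CONNECT to non-HTTPS port {port}")
    if is_ip_literal(host):
        reasons.append("CONNECT to bare IP address (nothing for a hostname ACL to match)")
    if entry["elapsed_ms"] > LONG_TUNNEL_MS:
        reasons.append(f"tunnel held open {entry['elapsed_ms'] // 60000} min")
    return reasons


def analyze(log_text):
    """Return (client, url, reasons) for every suspicious established tunnel in the log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = check_tunnel(entry)
        if reasons:
            findings.append((entry["client"], entry["url"], reasons))
    return findings


def suspicious_clients(log_text):
    """Clients with at least one flagged tunnel, most findings first."""
    per_client = defaultdict(int)
    for client, _, reasons in analyze(log_text):
        per_client[client] += len(reasons)
    return sorted(per_client, key=lambda c: (-per_client[c], c))


if __name__ == "__main__":
    for client, url, reasons in analyze(SAMPLE_LOG):
        print(f"{client} -> {url}: " + "; ".join(reasons))
```

The preventive half of this is Squid's stock `acl SSL_ports port 443` plus `http_access deny CONNECT !SSL_ports`, which already stops the 1863 case; the log check is there for the tunnels that stay on 443 and only give themselves away by their target or their lifetime, which is exactly why the thread concludes that content-level filtering at the proxy, not an IP list, is the control that holds.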