Re: Block MSN Messenger by router rules (Netgear DG834)

From: Charles Newman (charlesnewman1_at_comcast.net.spammers.will.be.shot.on.sight)
Date: 02/09/05


Date: Wed, 9 Feb 2005 09:50:26 -0800


"Mick" <scull252-focus@yahoo.co.uk> wrote in message
news:hq3i019dipbplkbnps26p2ckirahl0t27h@4ax.com...

> As per subject line.....Am trying to "control" usage at home. Common
> sense approach with daughter has failed miserably, so I want to be
> able to restrict it to reasonable periods.
> I have 2 PC's connected to a Netgear DG834 router.
> Searching on Google has turned little up. I understand MSN Messenger
> uses port 1863 outbound, but if this is blocked, it will revert back
> to port 80. I don't want to block that as that's normal http traffic.
> I can't see an application blocking within Netgear, so am at a loss.
> Looking for port 1863 outbound in my traffic logs, I found a "common"
> IP address...in the range 207.46.xxx.xxx.
> I did a traceback on this, the "ARIN who is" came back with an address
> range of 207.46.0.0 to 207.46.255.255 as valid for MSN.

   If you are serious about blocking Messenger, you
are going to have to dump your hardware appliance,
number one. Second, you are going to have to
spend $1000+ on more equipment. You will need
to have a NAT box, running either ICS, AllegroSurf,
or some other NAT proxy. Next, you will need a
personal firewall on the NAT box, such as Tiny,
that can block by application, plus all the switches
and cables to put it all together. For a PC doing
NAT, I recommend at LEAST 640 megs of RAM.
Also, with a NAT box, you can do a LOT more.
You can put a second hard disk in, and use that as
a central storage point for all files, that can be accessed
from any PC on your network. You can restrict files
by user, if you install Windows XP Professional on the
NAT box. A PC running NAT can do a LOT more
than a hardware appliance.
     Because Tiny is more flexible than a hardware
appliance, it can block things that hardware appliances
cannot.
    Once your NAT box is set up, configure it to restrict
all connections through either an HTTP or Socks proxy.
Then you tell Tiny to not allow the Socks proxy to
get out on 80 or 1863 (though I would recommend
blocking ports 80, and 1000-5300 to block Kazaa
as well). Some people might call my setup a "toy
firewall", but I can say it is the ONLY thing that will
block MSN Messenger, if you are really serious
about blocking it.
     The real sticking point is port 80, and you cannot
block this without blocking all HTTP as well. That is
why my setup, with an ICS box and Tiny, is the only
thing that will work. You simply have two different
programs for the HTTP and Socks proxy, and tell Tiny
to block the program handling the Socks proxy from
allowing access to the ports that MSN Messenger
uses.
     Also, throw in some filtering software (CyBlock is
good, but the $799/year fee would be rather expensive
for home use) on the NAT box, and you can block
anything else that comes your way that you don't want
her to access.
      For a Socks proxy, I recommend AllegroSurf; for
an HTTP proxy, CyBlock is a filter and HTTP proxy
in one. A word of caution, though, with CyBlock: it
opens quite a security hole, and you will need to have
Tiny installed and configured to restrict it. CyBlock,
if you use it, needs to be restricted to outgoing ports
80 and 443, and incoming traffic needs to be restricted
to your local network. I found this out when I checked
the logs and discovered someone from China tunnelling
through the proxy in CyBlock to go to an SMTP
server at Yahoo on port 25. It is because of this
security hole that CyBlock must be restricted to using
ports 80 and 443 for outgoing traffic.
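The post's closing point is that an HTTP proxy on the NAT box was reachable from the outside and was used to tunnel to an SMTP server on port 25, and that the fix is to allow only outbound 80/443 and only local clients. The following is an added example (not from the post, and not CyBlock's own log format) that audits constructed proxy log lines against exactly that policy; the log line layout, the 192.168.1.0/24 home network and the hostnames are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy access log, one request per line (hypothetical format):
#   "<client_ip> <method> <target>"; CONNECT targets are host:port.
SAMPLE_LOG = """\
192.168.1.10 GET http://www.example.com/
192.168.1.11 CONNECT login.passport.example:443
203.0.113.7 CONNECT smtp.mail.example:25
192.168.1.10 CONNECT messenger.example:1863
198.51.100.4 GET http://www.example.com/
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network
ALLOWED_PORTS = {80, 443}                      # the only outbound ports the post permits


def target_port(method, target):
    """Destination port of a proxy request (CONNECT host:port or an absolute URL)."""
    if method == "CONNECT":
        _host, _, port = target.rpartition(":")
        return int(port)
    parts = urlsplit(target)
    return parts.port or (443 if parts.scheme == "https" else 80)


def audit(log_text, lan=LAN, allowed=ALLOWED_PORTS):
    """Return [(line, [reasons])] for every request that violates the policy:
    the client must be on the local network and the destination port must be allowed."""
    findings = []
    for line in log_text.splitlines():
        client, method, target = line.split()
        reasons = []
        if ipaddress.ip_address(client) not in lan:
            reasons.append("client outside local network")
        if target_port(method, target) not in allowed:
            reasons.append("destination port not 80/443")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

The third sample line reproduces the case the post describes: an outside client using the proxy to reach port 25, which this policy flags on both counts.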


