Netgate SG-1000 microFirewall

Author Topic: Willing to pay for a tutorial  (Read 5709 times)


Offline busyguy

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Willing to pay for a tutorial
« on: June 16, 2012, 04:32:57 am »
Hi guys,

A few days ago I got a new job and I was hit by pfsense. Never touched it before. So I'm in the darkness. The bosses here want to block all the possible messengers (YM, AOL, MSN, Skype, facebook, etc.) by Monday afternoon. My personal life is like a living hell right now so I don't have time to dig for a solution. Please help! I don't know either how much this will cost so I cannot propose a fair price. Anyway, the money will be transferred by Money Gram or Western Union.
The topology is basic: 1 WAN, 1 internal LAN. I just don't know how to fit the rules in the firewall. Many thanks in advance!

Offline dhatz

  • Hero Member
  • *****
  • Posts: 1000
  • Karma: +5/-0
Re: Willing to pay for a tutorial
« Reply #1 on: June 16, 2012, 10:47:33 am »
Well, this is a non-trivial task... and some would argue that “you're looking for a technical solution to a social problem”

Anyway, you can try using a combination of DNS, L3 and L7 filtering, take a look at a related entry in Juniper's knowledge base:

SUMMARY: How to block AIM, Yahoo, MSN Messenger, MS Windows Live Messenger, Skype, and other chat applications.
PROBLEM OR GOAL: AIM, Yahoo, Windows Live Messenger, MSN Messenger, Skype and other chat application vendors use their own application port numbers, but will also try going out port 80, if their own application port is not open.  This makes it tough to block IM, since port 80 is the same port number as HTTP.
SOLUTION: Chat vendors use P2P technology, which is similar to Bit Torrent, Kazaa, and Napster. In order to block Chat applications via Deep Inspection, you will need to use a Juniper IDP device to block those signatures. Deep Inspection on the firewall device does not support blocking of Chat signatures.

Even if you manage to block all IM applications, people will still move to web-based IM, like MSN Webmessenger or Yahoo Webmessenger. Less functionality, but still IM.

Offline Nachtfalke

  • Hero Member
  • *****
  • Posts: 2889
  • Karma: +29/-1
Re: Willing to pay for a tutorial
« Reply #2 on: June 16, 2012, 01:51:25 pm »
If you are using pfsense 2.0.1 you can try this:

Create a "Host" alias called "Messengers".
In this host alias you put all the known domains for the messengers, e.g.:

Then you go and create a firewall rule on your LAN interface with the "Messengers" alias as destination. To use a messenger you mostly need an authentication server, and if this server is a domain you listed above then it will be blocked.
But if you have in the alias it will not block. You have to enter this domain, too.

Another possibility would be to install squid2 and squidguard and block all http websites you don't want.
Blocking httpS traffic will need further work - your client's browser needs to be configured for this proxy.

The last thing you could try is a Layer 7 filter in "Traffic shaper" and see whether one or another filter works against the messengers.

But getting this to work in such a short time isn't really easy and we need more information about the network.
The other way could be to block everything to outside and just allow the necessary pages.

Good luck!
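The host-alias approach above works because pfSense resolves each hostname in a "Host" alias to its A records and matches the LAN rule on those IPs, not on the names, so an entry covers only the host it resolves to and a subdomain the clients actually contact must be listed separately. The model below is an added example, not pfSense code or the poster's; the resolver, domain names and addresses are constructed so it runs offline.

```python
"""Model of a pfSense "Host" alias used as the destination of a LAN block rule.
Added example (not pfSense code). Resolver answers and flows are constructed."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Constructed stand-in for the resolver: hypothetical names, TEST-NET addresses.
FAKE_DNS: Dict[str, List[str]] = {
    "example-im.test": ["203.0.113.20"],
    "login.example-im.test": ["203.0.113.10", "203.0.113.11"],
    "webchat.example-im.test": ["203.0.113.30"],
}

Resolver = Callable[[str], List[str]]

def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])

def alias_table(alias: Iterable[str], resolve: Resolver = fake_resolve) -> set:
    """The pf table behind the alias: union of the A records of every entry.
    An entry that does not resolve contributes nothing, so it blocks nothing."""
    return {ipaddress.ip_address(a) for name in alias for a in resolve(name)}

def evaluate_flows(alias: List[str], flows: List[dict], resolve: Resolver = fake_resolve) -> List[dict]:
    """Mark each LAN->WAN flow blocked iff its destination IP is in the table.
    A flow is {"client", "dst_name", "dst_ip"}, as a DNS log would pair them."""
    table = alias_table(alias, resolve)
    return [{**f, "blocked": ipaddress.ip_address(f["dst_ip"]) in table} for f in flows]

def uncovered_names(alias: List[str], flows: List[dict], resolve: Resolver = fake_resolve) -> Set[str]:
    """Destination names that still got out despite the alias: candidates to add."""
    return {f["dst_name"] for f in evaluate_flows(alias, flows, resolve) if not f["blocked"]}

# Constructed sample: the alias lists only the bare domain, but clients also
# contact the login and web-chat hosts under it.
ALIAS = ["example-im.test"]
FLOWS = [
    {"client": "192.168.1.23", "dst_name": "example-im.test", "dst_ip": "203.0.113.20"},
    {"client": "192.168.1.23", "dst_name": "login.example-im.test", "dst_ip": "203.0.113.11"},
    {"client": "192.168.1.40", "dst_name": "webchat.example-im.test", "dst_ip": "203.0.113.30"},
]

if __name__ == "__main__":
    for f in evaluate_flows(ALIAS, FLOWS):
        verdict = "BLOCK" if f["blocked"] else "pass"
        print(f"{f['client']} -> {f['dst_name']} ({f['dst_ip']}): {verdict}")
    print("add to alias:", sorted(uncovered_names(ALIAS, FLOWS)))
```

Running it shows only the bare-domain flow blocked and reports the two subdomains as the entries still missing from the alias.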

Offline iFloris

  • Full Member
  • ***
  • Posts: 172
  • Karma: +1/-0
  • one layer of information removed
Re: Willing to pay for a tutorial
« Reply #3 on: June 27, 2012, 02:42:09 am »
How about you start by showing your bosses that you can block one IM protocol.
This proves that you have the ability to fulfill the request. Explain the difficulties in blocking such a service outright because of the different ports, different protocols, web-based chat and so on. Then, you can request more time to accomplish the block in order to avoid interfering with legitimate traffic.
Also explain to them how this would be difficult to do on any platform.
Honesty tends to go a long way in any situation.

Lastly, you could make a nice presentation to go with this. Make screenshots showing settings, protocol filters, use IMspector to show your bosses that you can see 'into' the messaging protocols and so on.
You will be fine.
one layer of information

Offline pkwong

  • Jr. Member
  • **
  • Posts: 53
  • Karma: +1/-0
Re: Willing to pay for a tutorial
« Reply #4 on: July 24, 2012, 08:02:19 am »
Contact me and I'll be more than happy to work with you. :)
When all else fails, don't blame the machine.  Blame your architecture.