From: gypsy <gypsy@iswest.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] IP2P & Skype question
Date: Wed, 27 Apr 2005 04:29:19 +0000
Message-ID: <426F151F.69CBE9E3@iswest.com>
In-Reply-To: <426CEBC7.9050505@pbltd.net>

Andy Furniss wrote:
> 
> Taylor, Grant wrote:
> >> Regarding yahoo messenger, I have not looked at this for a while. As I
> >> understood, it used a single outgoing port and if blocked - end of
> >> yahoo....  Or has this changed since I last looked?
> >
> >
> > This must have changed as Yahoo will try to connect 4 different servers
> > on 8 different ports for basic IM use.  If you want to use other
> > features like the webcam, file sharing, or voice chat there are
> > different servers and different ports that your client will connect to.
> > Take a look at
> > http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you
> > want to see Yahoo's definition of what the client does.  I wrote a RegEx
> > of the various host names that Yahoo will connect to,
> > "((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com".
> > If I could implement a match in DNS for this RegEx I would do so to
> > prevent computers on my networks from finding things.
> 
> What fun it must be being a netadmin - what don't you want to block, by
> which I mean wouldn't it be easier to block everything and run
> squid/mail server.
> 
> Andy.

Yes, I too have been reading these things asking myself why one would
allow users such open access.  One reason, of course, is that it is
difficult to allow some http but not other, so if the port is 80, it
pretty much has to be OK.  So how would squid (or anything else except
perhaps Level 7) know that this particular connection is A Bad Thing?

I have been successful at limiting the number of FTP connections per
user using iptables' connlimit and helper.  That's where I'd start.  And
if three turned out to be too many, I'd reduce connlimit to 2 for HTTP
and 1 for FTP.
# Per-source limit: connlimit counts parallel TCP connections from the same
# source address (default mask /32, i.e. one host).  Existing connections are
# counted too, so a host with more than 3 open when the rules load has those
# packets dropped as well; matching --syn would count new connections only.
iptables -N HTTP
iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A HTTP -j RETURN

# connlimit keys on the source address of the packet it sees, so the
# --dport 80 rule is the one that counts connections per client.
iptables -A FORWARD -p tcp --dport 80 -j HTTP
iptables -A FORWARD -p tcp --sport 80 -j HTTP
# -m helper --helper ftp matches the data channels that the ftp conntrack
# helper recognised as related to an FTP control connection.
iptables -A FORWARD -m helper --helper ftp -j HTTP

In conjunction with my ACL (posted here a while back; it limits specific
users to specific ports), the above would not be total deny, but it sure
would put a dent in abuse.

gypsy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
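As an added example (not gypsy's rules and not anything posted to the thread), the same connlimit/helper idea written as a small POSIX shell script with the ordering and matching a practitioner would want: established traffic is accepted before the limit is consulted, only SYNs are counted so a host that goes over the limit does not lose the connections it already has, the connlimit mask is explicit, and only the client-to-server direction is sent through the limit chain because connlimit keys on the source address of the packet it sees. The chain names, the eth1 LAN interface, the limits (3 for HTTP, 1 for FTP), FTP on port 21 with the nf_conntrack_ftp helper loaded, and a FORWARD policy that already accepts ESTABLISHED,RELATED traffic are assumptions for illustration. DRY_RUN=1 prints the iptables commands instead of running them, which is also how the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not the rules posted in the thread: per-client limits on
# forwarded HTTP and FTP, built from iptables' connlimit and helper matches.
# Assumptions (illustrative): clients sit behind $LAN_IF, FTP runs on 21, the
# nf_conntrack_ftp helper is loaded, and FORWARD already accepts
# ESTABLISHED,RELATED traffic.  DRY_RUN=1 prints instead of applying.

HTTP_LIMIT="${HTTP_LIMIT:-3}"   # parallel HTTP connections allowed per client
FTP_LIMIT="${FTP_LIMIT:-1}"     # parallel FTP control connections per client
LAN_IF="${LAN_IF:-eth1}"        # assumed interface facing the clients

# Run or print an iptables command, depending on DRY_RUN.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build a per-client limit chain.  Order matters:
#  1. packets of connections conntrack already knows are accepted first, so
#     a client over the limit never has its existing sessions cut off;
#  2. only SYNs are counted; connlimit counts conntrack entries from the same
#     masked source address (/32 = per host), including the one this SYN
#     just created, so --connlimit-above N allows exactly N per client;
#  3. anything else returns to the caller for the rest of the policy.
limit_chain() {
    name=$1
    limit=$2
    ipt -N "$name"
    ipt -A "$name" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A "$name" -p tcp --syn -m connlimit --connlimit-above "$limit" \
        --connlimit-mask 32 -j DROP
    ipt -A "$name" -j RETURN
}

apply_rules() {
    limit_chain LIMIT_HTTP "$HTTP_LIMIT"
    limit_chain LIMIT_FTP "$FTP_LIMIT"
    # Only the client->server direction is limited: connlimit keys on the
    # source address of the packet it sees, which is the client here.  Reply
    # packets (--sport 80) are ESTABLISHED and are covered by the FORWARD
    # policy's ESTABLISHED,RELATED accept that this script assumes exists.
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 80 -j LIMIT_HTTP
    # FTP: the control connection is what gets counted; the data channels the
    # ftp helper marks RELATED to it are matched by -m helper and let through.
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 21 -j LIMIT_FTP
    ipt -A FORWARD -i "$LAN_IF" -m helper --helper ftp -j ACCEPT
}

# Usage: "sh limit.sh show" to review the commands, "sh limit.sh apply" (as
# root) to load them.  Without a verb only the functions are defined.
case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1 apply_rules ;;
esac
```

Running it with `show` first and diffing the output against what is already loaded (`iptables -S FORWARD`) is the cheap way to catch a duplicated chain or a wrong interface before `apply`; because the limit chains end in RETURN, the rest of the existing FORWARD policy still decides what happens to traffic under the limit.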

Thread overview: 14+ messages
2005-04-25 13:08 [LARTC] IP2P & Skype question Gary Smith
2005-04-25 14:20 ` Andreas Klauer
2005-04-25 14:33 ` Justin Schoeman
2005-04-25 14:57 ` Andreas Klauer
2005-04-25 15:35 ` Gary Smith
2005-04-25 18:22 ` Taylor, Grant
2005-04-26  7:29 ` Michael Renzmann
2005-04-26  7:38 ` Taylor, Grant
2005-04-26 12:52 ` Gary Smith
2005-04-26 22:02 ` Taylor, Grant
2005-04-26 23:11 ` Andy Furniss
2005-04-27  4:29 ` gypsy [this message]
2005-04-27  5:08 ` Taylor, Grant
2005-04-27  5:22 ` Taylor, Grant
