* Re: rules for skype
From: Daniel Lopes @ 2005-05-02 15:36 UTC
  To: netfilter

Seferovic Edvin wrote:
> I think that you can stop ALL https connections with squid.. if you want of
> course... but then, I don't know if there is such a way as you described it. A
> very good ACL implementation is squidGuard.
> 
> But hey.. why do you want to stop skype?
> 
> Regards,
> 
> Edvin Seferovic
> 
I can also block https by blocking port 443; that's not the point. The 
point is to block "bad" 443 port traffic and let "good" traffic pass.



* Re: rules for skype
From: Taylor, Grant @ 2005-05-02 15:58 UTC
  To: netfilter

> I can also block https by blocking port 443; that's not the point. The 
> point is to block "bad" 443 port traffic and let "good" traffic pass.

One thing that might be done is to limit the amount of traffic that can pass through any given HTTPS (443) connection.  Namely, if an HTTPS connection is ongoing and has carried a meg of data or more (anything that would be more than any legitimate HTTPS web submit would be) you could probably know that the traffic was not standard HTTPS traffic and thus safe to shut down.  This might trap some STunnel (?) (SSL tunneling) but then you would know the IP of the other end and you could explicitly allow ongoing HTTPS connections to that IP.  This amount-of-data match could possibly be matched via the "connbytes" match extension from the Patch-O-Matic Extra repository.



Grant. . . .





* Re: rules for skype
From: Taylor, Grant @ 2005-05-02 16:48 UTC
  To: netfilter

> What about for example online browsing the Netfilter Mailinglist? It 
> uses https too and the meg of data could fast be reached.

Hmm.  Maybe filtering would have to be done based on duration.  Hmm, the more that I look at it the more that I think that you would have to limit the number of times that the rule did match.  You would probably want to set a limit (limit, dstlimit, connlimit, hashlimit, etc.) on the number of times (per some duration) that a person is allowed to have an HTTPS connection that is larger than 1 MB.



Grant. . . .


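Grant's threshold idea from this message and the previous one, written out as an iptables ruleset. This is an added example, not code from the thread or from any of its participants. It assumes a router forwarding a LAN on eth1; the connbytes, hashlimit, connmark and CONNMARK extensions (Patch-O-Matic extras in 2005, part of stock iptables since); 192.0.2.10 as a stand-in for an exempted stunnel peer; and the 1 MB threshold, the 3-per-hour allowance, the chain name and the mark values 0x1/0x2 are all made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. A TCP/443 session that has carried
# more than ~1 MB is probably not a web form post; exempt known stunnel peers;
# allow each LAN host only a few such sessions per hour; reset the rest.
# Assumptions not stated in the thread: the box forwards a LAN on $LAN_IF and
# the connbytes, hashlimit, connmark and CONNMARK extensions are available.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
BIG_BYTES="${BIG_BYTES:-1048576}"        # Grant's 1 MB threshold, both directions
BIG_PER_SRC="${BIG_PER_SRC:-3/hour}"     # big sessions one host may open per hour
PERMITTED_HTTPS="${PERMITTED_HTTPS:-192.0.2.10}"  # placeholder peer (TEST-NET-1)

https_rules() {
    # The decision chain lives in mangle: older iptables only allowed the
    # CONNMARK target there.
    $IPT -t mangle -N HTTPS_CHECK 2>/dev/null
    $IPT -t mangle -F HTTPS_CHECK

    # Sessions already judged: mark 1 = allowed big session, mark 2 = condemned.
    $IPT -t mangle -A HTTPS_CHECK -m connmark --mark 0x1 -j RETURN
    $IPT -t mangle -A HTTPS_CHECK -m connmark --mark 0x2 -j RETURN

    # Known long-lived HTTPS peers (stunnel endpoints and the like) are exempt.
    for ip in $PERMITTED_HTTPS; do
        $IPT -t mangle -A HTTPS_CHECK -d "$ip" -j RETURN
    done

    # Under the byte threshold: leave it alone. connbytes sums both directions
    # of the conntrack entry, so a normal page fetch never reaches the rules below.
    $IPT -t mangle -A HTTPS_CHECK -m connbytes ! --connbytes "${BIG_BYTES}:" \
         --connbytes-dir both --connbytes-mode bytes -j RETURN

    # First packet of an undecided session over the threshold. hashlimit
    # matches while the per-source rate is still *under* the limit, so a match
    # means "this host has not used up its allowance": mark the connection as
    # allowed. Marking makes this a per-connection decision; hashlimit alone
    # would count every further packet of the same session.
    $IPT -t mangle -A HTTPS_CHECK -m hashlimit --hashlimit "$BIG_PER_SRC" \
         --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name https_big \
         -j CONNMARK --set-mark 0x1
    $IPT -t mangle -A HTTPS_CHECK -m connmark --mark 0x1 -j RETURN

    # Allowance exhausted: condemn the connection and log it (rate limited).
    $IPT -t mangle -A HTTPS_CHECK -j CONNMARK --set-mark 0x2
    $IPT -t mangle -A HTTPS_CHECK -m limit --limit 5/min \
         -j LOG --log-prefix "HTTPS-big: "

    # Only established forwarded TCP/443 flows from the LAN are examined.
    $IPT -t mangle -A FORWARD -i "$LAN_IF" -p tcp --dport 443 \
         -m state --state ESTABLISHED -j HTTPS_CHECK

    # Condemned sessions get a reset from the filter table (REJECT lives there);
    # this catches both directions of the flow.
    $IPT -A FORWARD -p tcp -m connmark --mark 0x2 -j REJECT --reject-with tcp-reset
}

# "sh script.sh apply" loads the rules; "sh script.sh show" prints them.
case "${1:-}" in
    apply) https_rules ;;
    show)  IPT=echo; https_rules ;;
esac
```

hashlimit counts packets, not connections, which is why the chain marks the connection on its first over-threshold packet and decides every later packet by the connmark; without that, one large session would burn through the allowance by itself. The mark values must not collide with any connmark use already on the box, and the threshold is a guess that a real network would tune against its own traffic (a busy HTTPS site, as the mailing-list example in the thread shows, crosses 1 MB quickly).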

* Re: rules for skype
From: Deepak Seshadri @ 2005-05-02 17:01 UTC
  To: Taylor, Grant, netfilter

Hi Grant,

My company requires me to block Skype too. There are 3 ways I have found 
after a lot of research:

- Block the authentication servers' IPs. The last I knew there were only 2 
servers for authentication. Their IPs are given in that pdf document. I am 
not aware if they have added new servers now.
- Use Layer-7 pattern. Again, the layer-7 pattern has worked for some and 
not worked for many. It has worked for me.
My network scenario: The network I manage has private addresses throughout. 
I think it has something to do with NAT and private addressing because in my 
case when the client tries to authenticate with the server the hex-pattern 
of those UDP packets stays the same throughout every session. This has not 
been true in every case. You can give it a shot.
- Use *tc* to choke the skype traffic. I have a list of apps to allow 
through the network. The rest go into a default pipe of 2 Kbps. This 
deteriorates the performance of the application. I think text chatting will 
still go through but voice chatting, file sharing and all gets choked.
NOTE: I have had better success not blocking its default ports. That way I 
can keep it away from the standard Internet ports and thus easily classify 
it into the default pipe.

Now given the nature of this application, some things might work for you and 
some might not. I thought I would share my knowledge on this ....

Good luck,
Deepak




* Re: [SPAM] Re: rules for skype
From: Taylor, Grant @ 2005-05-02 17:09 UTC
  To: netfilter

> - Block the authentication servers' IPs. The last I knew there were only 
> 2 servers for authentication. Their IPs are given in that pdf document. 
> I am not aware if they have added new servers now.

*nod*  I had thought of this one as well.  Though I don't know how long lived this will be before Skype gets around this too.

> - Use Layer-7 pattern. Again, the layer-7 pattern has worked for some 
> and not worked for many. It has worked for me.
> My network scenario: The network I manage has private addresses 
> throughout. I think it has something to do with NAT and private 
> addressing because in my case when the client tries to authenticate with 
> the server the hex-pattern of those UDP packets stays the same 
> throughout every session. This has not been true in every case. You can 
> give it a shot.

Is there any way that you could share with us the layer 7 filters that you use?

> - Use *tc* to choke the skype traffic. I have a list of apps to allow 
> through the network. The rest go into a default pipe of 2 Kbps. This 
> deteriorates the performance of the application. I think text chatting 
> will still go through but voice chatting, file sharing and all gets choked.
> NOTE: I have had better success not blocking its default ports. That way 
> I can keep it away from the standard Internet ports and thus easily 
> classify it into the default pipe.

Interesting.  I would not have thought of allowing just enough of the traffic so that you could identify it and sort of attempt to control it.  However this would not be acceptable to some of my clients.  I'll keep that in mind as a technique to deal with vicious protocols in the future.  Thanks.  :)

> Now given the nature of this application, some things might work for you 
> and some might not. I thought I would share my knowledge on this ....

*nod*  This is unfortunately the very nature of these troublesome protocols.  I'd also appreciate seeing your config if you could show it to us.



Grant. . . .



* Re: rules for skype
From: Deepak Seshadri @ 2005-05-02 17:42 UTC
  To: netfilter

>> - Block the authentication servers' IPs. The last I knew there were only 
>> 2 servers for authentication. Their IPs are given in that pdf document. I 
>> am not aware if they have added new servers now.
>
> *nod*  I had thought of this one as well.  Though I don't know how long 
> lived this will be before Skype gets around this too.
>
>> - Use Layer-7 pattern. Again, the layer-7 pattern has worked for some and 
>> not worked for many. It has worked for me.
>> My network scenario: The network I manage has private addresses 
>> throughout. I think it has something to do with NAT and private 
>> addressing because in my case when the client tries to authenticate with 
>> the server the hex-pattern of those UDP packets stays the same throughout 
>> every session. This has not been true in every case. You can give it a 
>> shot.
>
> Is there any way that you could share with us the layer 7 filters that you 
> use?

For the layer-7 patterns to work with iptables, you have to patch iptables. 
Here is the layer7 project URL:
http://l7-filter.sf.net

Note: They have a skype pattern matching only the voice traffic. For some 
reason they don't have the one that matches the authentication packets.

Here is the one I use:
------- begin-----
skype
^\x16\x03\x01$|^\x17\x03\x01$
-------end-------

Copy-paste the section between begin & end to a file named skype.pat.
Follow the instructions provided on the layer-7 filter webpage on how to use 
the pattern in your rule-set.

>
>> - Use *tc* to choke the skype traffic. I have a list of apps to allow 
>> through the network. The rest go into a default pipe of 2 Kbps. This 
>> deteriorates the performance of the application. I think text chatting 
>> will still go through but voice chatting, file sharing and all gets 
>> choked.
>> NOTE: I have had better success not blocking its default ports. That way 
>> I can keep it away from the standard Internet ports and thus easily 
>> classify it into the default pipe.
>
> Interesting.  I would not have thought of allowing just enough of the 
> traffic so that you could identify it and sort of attempt to control it. 
> However this would not be acceptable to some of my clients.  I'll keep 
> that in mind as a technique to deal with vicious protocols in the future. 
> Thanks.  :)
>
>> Now given the nature of this application, some things might work for you 
>> and some might not. I thought I would share my knowledge on this ....
>
> *nod*  This is unfortunately the very nature of these troublesome 
> protocols.  I'd also appreciate seeing your config if you could show it to 
> us.

Sorry. Could you please tell me what config you are talking about?

>
>
> Grant. . . .

Deepak 

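The pattern Deepak posted above and the tc choke he described in his earlier message, wired together. This is an added example, not code from the thread, from Deepak, or from the l7-filter project. It assumes a kernel and iptables carrying the l7-filter patch (the -m layer7 match), /etc/l7-protocols as the pattern directory, eth0 upstream and eth1 towards the LAN, a 512 kbit/2 Mbit link, the list of approved application ports, and marks 1 and 2 being free; all of these are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the l7-filter project. Approved
# applications get the link; everything else, Skype included, shares a 2 kbps
# default class, as Deepak describes.
# Assumptions the thread does not state: -m layer7 is available, patterns live
# in /etc/l7-protocols, eth0 is upstream, eth1 faces the LAN, the link is
# 512 kbit up / 2 Mbit down, and marks 1 and 2 are unused elsewhere.
# Set IPT=echo TC=echo to print the commands instead of running them.
IPT="${IPT:-iptables}"
TC="${TC:-tc}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
UPLINK="${UPLINK:-512kbit}"
DOWNLINK="${DOWNLINK:-2mbit}"
PAT_DIR="${PAT_DIR:-/etc/l7-protocols}"
ALLOWED_TCP="${ALLOWED_TCP:-22 25 80 110 143 443 993 995}"   # constructed list

# Pattern file in l7-filter's format (protocol name, then the regexp), exactly
# as posted. l7-filter runs the regexp over the accumulated payload of a
# connection's first packets, so ^...$ only matches while that payload is
# precisely those three bytes (0x16/0x17 0x03 0x01 is a bare TLS 1.0 record
# header: handshake or application data); a full ClientHello will not match.
write_skype_pattern() {
    dir="${1:-$PAT_DIR}"
    mkdir -p "$dir"
    printf '%s\n' 'skype' '^\x16\x03\x01$|^\x17\x03\x01$' > "$dir/skype.pat"
    cat "$dir/skype.pat"
}

# Marks: 1 = approved application, 2 = layer7-identified Skype, 0 = unknown.
# Marks are saved to the conntrack entry so reply packets carry them as well.
mark_rules() {
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # layer7 first: an approved port must not shelter a flow the pattern identifies.
    $IPT -t mangle -A PREROUTING -m layer7 --l7proto skype -j MARK --set-mark 2
    for port in $ALLOWED_TCP; do
        $IPT -t mangle -A PREROUTING -m mark --mark 0 -p tcp --dport "$port" \
             -j MARK --set-mark 1
    done
    $IPT -t mangle -A PREROUTING -m mark --mark 0 -p udp --dport 53 -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -j CONNMARK --save-mark
}

# HTB on one interface: 1:10 is the approved class, 1:20 the 2 kbps choke that
# every unmarked flow lands in (default 20) and Skype is sent to explicitly.
shape_rules() {
    dev="$1"; rate="$2"
    $TC qdisc del dev "$dev" root 2>/dev/null
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1:  classid 1:1  htb rate "$rate"
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "$rate" ceil "$rate"
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate 2kbit ceil 2kbit
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
    $TC filter add dev "$dev" parent 1: protocol ip prio 2 handle 2 fw flowid 1:20
}

# Egress shaping on each side: WAN side chokes uploads, LAN side chokes downloads.
case "${1:-}" in
    apply) write_skype_pattern >/dev/null; mark_rules
           shape_rules "$WAN_IF" "$UPLINK"; shape_rules "$LAN_IF" "$DOWNLINK" ;;
    show)  IPT=echo; TC=echo; mark_rules
           shape_rules "$WAN_IF" "$UPLINK"; shape_rules "$LAN_IF" "$DOWNLINK" ;;
esac
```

Marking in mangle/PREROUTING with CONNMARK save/restore lets both directions of a flow carry the same class, which is why the HTB tree is installed on each interface's egress. The comment above write_skype_pattern is the caveat to check: as written, the posted regexp matches a flow whose first payload is nothing but a TLS record header, not an ordinary TLS handshake, so it is worth confirming against a capture of the client's first packets before relying on it.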


* Re: [SPAM] Re: rules for skype
From: Taylor, Grant @ 2005-05-02 19:33 UTC
  To: netfilter

> For the layer-7 patterns to work with iptables, you have to patch 
> iptables. Here is the layer7 project URL:
> http://l7-filter.sf.net

*nod*  I've played with layer 7 pattern matching before on my test router at home and was very impressed with it.  :)

> Note: They have a skype pattern matching only the voice traffic. For 
> some reason they don't have the one that matches the authentication 
> packets.

Interesting...

> Here is the one I use:
> ------- begin-----
> skype
> ^\x16\x03\x01$|^\x17\x03\x01$
> -------end-------

Thanks.

>> *nod*  This is unfortunately the very nature of these troublesome 
>> protocols.  I'd also appreciate seeing your config if you could show 
>> it to us.
> 
> Sorry. Could you please tell me what config you are talking about?

As Curly from the Three Stooges would say "Soytenly!"

I'm interested in your iptables script (iptables-save) and tc script to see how you are doing things.  This is more personal interest to see how others are doing things to see if I can gain any pointers.



Grant. . . .



* Re: rules for skype
From: Victor Yeo @ 2005-05-03  7:17 UTC
  To: Deepak Seshadri, netfilter

> - Use *tc* to choke the skype traffic. I have a list of apps to allow
> through the network. The rest go into a default pipe of 2 Kbps. This
> deteriorates the performance of the application. I think text chatting will
> still go through but voice chatting, file sharing and all gets choked.
> NOTE: I have had better success not blocking its default ports. That way I
> can keep it away from the standard Internet ports and thus easily classify
> it into the default pipe.

Where can I find more information on *tc*? Thanks for any reply.

Rgds,
Victor



* Re: rules for skype
From: John A. Sullivan III @ 2005-05-03  7:50 UTC
  To: Victor Yeo; +Cc: Netfilter users list

On Tue, 2005-05-03 at 15:17 +0800, Victor Yeo wrote:
> > - Use *tc* to choke the skype traffic. I have a list of apps to allow
> > through the network. The rest go into a default pipe of 2 Kbps. This
> > deteriorates the performance of the application. I think text chatting will
> > still go through but voice chatting, file sharing and all gets choked.
> > NOTE: I have had better success not blocking its default ports. That way I
> > can keep it away from the standard Internet ports and thus easily classify
> > it into the default pipe.
> 
> Where can i find more information on *tc* ? thanks for any reply.
> 
> Rgds,
> Victor
> 
<snip>
You can try 'man tc' and take a look at
http://lartc.org/howto/index.html

Good luck - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net




* Re: rules for skype
From: Fajar Priyanto @ 2005-07-13  2:52 UTC
  To: netfilter

On Tuesday 03 May 2005 14:50, John A. Sullivan III wrote:
> On Tue, 2005-05-03 at 15:17 +0800, Victor Yeo wrote:
> > > - Use *tc* to choke the skype traffic. I have a list of apps to allow
> > > through the network. The rest go into a default pipe of 2 Kbps. This
> > > deteriorates the performance of the application. I think text chatting

I've blocked tcp 443, but it seems that skype can go through tcp 80?
http://www.skype.com/help/guides/firewall.html

This is really annoying and unethical, don't you think?
-- 
Fajar Priyanto | Reg'd Linux User #327841 | http://linux2.arinet.org
Ubuntu Hoary 5.0.4
public key: https://www.arinet.org/fajar-pub.key



* Re: rules for skype
From: Daniel Lopes @ 2005-07-13 10:53 UTC
  To: netfilter

Fajar Priyanto wrote:
> On Tuesday 03 May 2005 14:50, John A. Sullivan III wrote:
> 
>>On Tue, 2005-05-03 at 15:17 +0800, Victor Yeo wrote:
>>
>>>>- Use *tc* to choke the skype traffic. I have a list of apps to allow
>>>>through the network. The rest go into a default pipe of 2 Kbps. This
>>>>deteriorates the performance of the application. I think text chatting
> 
> 
> I've blocked tcp 443, but it seems that skype can go through tcp 80?
> http://www.skype.com/help/guides/firewall.html
> 
> This is really annoying an unethical, don't you think?


You can send all port 80 traffic through a proxy like Squid; this should 
prevent Skype from getting through port 80.

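Daniel's suggestion as rules, i.e. forcing every LAN port-80 flow through Squid so that Skype's port-80 fallback has to speak real HTTP to a proxy. This is an added example, not code from the thread or from Daniel. It assumes a router forwarding a LAN on eth1 (192.168.1.0/24), Squid running on the router itself on port 3128 in transparent/intercept mode as user "proxy", and TCP/443 already blocked for the LAN, which is where Fajar started; the interface, network, port and user name are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: LAN port-80 traffic is redirected into
# the local Squid, and the proxy becomes the only way out on 80 or 443.
# Assumptions the thread does not state: LAN on $LAN_IF/$LAN_NET, Squid on
# this router on $SQUID_PORT (transparent/intercept mode) running as $SQUID_USER.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_USER="${SQUID_USER:-proxy}"   # Debian's squid user; adjust to the distribution

proxy_rules() {
    # LAN -> anywhere:80 is redirected to the local Squid before routing.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$SQUID_PORT"
    # Redirected packets are now addressed to the router: accept them on INPUT.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # Nothing from the LAN crosses the router directly on 80 or 443. The 443
    # part is the block Fajar already has; it is kept here so the proxy really
    # is the only path.
    $IPT -A FORWARD -i "$LAN_IF" -p tcp -m multiport --dports 80,443 \
         -j REJECT --reject-with tcp-reset
    # Squid's own upstream fetches originate on the router and leave via OUTPUT.
    $IPT -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$SQUID_USER" -j ACCEPT
}

case "${1:-}" in
    apply) proxy_rules ;;
    show)  IPT=echo; proxy_rules ;;
esac
```

On the Squid side this needs interception enabled on the listening port (http_port 3128 transparent in the 2.6 series, intercept from 3.1 on; 2.5 used the httpd_accel_* options). The caveat a practitioner wants: a proxy that honours CONNECT is a generic TCP tunnel, so Squid's http_access rules for CONNECT (its default denies CONNECT to anything but the SSL_ports list) decide whether the proxy reopens the very path the port-443 block closed.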

