Wednesday, August 29, 2007

blocking yahoo chat messenger

A very old tip and trick on blocking Yahoo chat messenger from connecting to the internet, as per request.

Subject to an approved management policy, there are several ways to block Yahoo chat messenger from connecting to the internet from inside your network, depending on what equipment and boxes you have on the ground.

If you happen to have an approved global policy to totally block yahoo messenger from any internal systems, you can implement a network-wide blocking of yahoo chat messenger at the router level.

But if you do not have core routers on your network and your current connection is just being shared and NATted via your Linux proxy box, blocking Yahoo chat messenger is easy: it can be implemented proxy-wide or individually per IP using the Linux proxy and firewall.

The firewall goes by many names in Linux. On Fedora, the default firewall is called iptables, the successor to ipchains, which long reigned on Red Hat releases.

If you are going to block Yahoo chat messenger, or any software, from connecting to the web, the port numbers and protocols used by that specific software need to be established and listed out first.

Here are the known yahoo chat messenger (YM) ports
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TCP Port 5050
TCP Port 5000-5001
UDP Port 5000-5010
TCP Port 5100 (webcam)
TCP Port 5101 (p2p)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Blocking all Yahoo chat servers individually is not advisable, as some company IT infrastructures use clustered servers with a round-robin and/or load-balancing approach for these ports and/or web service requests from end users; new servers would therefore not be blocked until you learn of them.


USING IPTABLES FIREWALL from Fedora
-----------------------------------

Following the port numbers and protocols mentioned above, you can append these lines to your /etc/sysconfig/iptables to block YM from connecting to the web via Linux iptables, like so:

Additional lines for /etc/sysconfig/iptables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5000:5001 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5050 -j DROP
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5000:5010 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5100:5101 -j DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
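
iptables stops at the first rule that matches, so the DROP lines only take effect if they sit above any ACCEPT or REJECT rule that matches the same traffic. The Python check below is an added example, not part of the original post; the interface name eth1, the sample base chain and the helper names are assumptions, and it interprets only the -p, --dport, -i and --state matchers.

```python
# Added example (not from the original post): first-match check of the YM DROP rules.
CHAIN = "RH-Firewall-1-INPUT"
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# (protocol, first port, last port), taken from the port list in the post
YM_PORTS = [("tcp", 5050, 5050), ("tcp", 5000, 5001),
            ("udp", 5000, 5010), ("tcp", 5100, 5101)]

def opt(tok, flag):
    """Value following `flag` in a tokenised rule, or None if the flag is absent."""
    return tok[tok.index(flag) + 1] if flag in tok else None

def matches(tok, proto, dport, iface):
    """True if a NEW packet (proto, dport, arriving on iface) matches the rule.
    Assumption: only -p, --dport, -i and --state are interpreted; other matchers are ignored."""
    state, dp = opt(tok, "--state"), opt(tok, "--dport")
    if opt(tok, "-p") not in (None, proto) or opt(tok, "-i") not in (None, iface):
        return False
    if state and "NEW" not in state.split(","):
        return False
    lo, _, hi = (dp or "0:65535").partition(":")
    return int(lo) <= dport <= int(hi or lo)

def verdict(ruleset, proto, dport, iface, chain=CHAIN):
    """Target of the first terminal rule in `chain` that matches, else 'FALLTHROUGH'."""
    for line in ruleset.splitlines():
        tok = line.split()
        if (tok[:2] == ["-A", chain] and opt(tok, "-j") in TERMINAL
                and matches(tok, proto, dport, iface)):
            return opt(tok, "-j")
    return "FALLTHROUGH"

def unblocked(ruleset, iface="eth1"):
    """YM (proto, port) pairs whose first matching rule is not DROP."""
    return [(p, n) for p, lo, hi in YM_PORTS for n in range(lo, hi + 1)
            if verdict(ruleset, p, n, iface) != "DROP"]

# Constructed sample: DROP rules equivalent to the post's, and a gateway chain that
# accepts everything arriving on the LAN interface (eth1 is an assumed name).
YM_RULES = "".join(f"-A {CHAIN} -p {p} -m {p} --dport {lo}:{hi} -j DROP\n"
                   for p, lo, hi in YM_PORTS)
BASE = f"""\
-A {CHAIN} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A {CHAIN} -i eth1 -j ACCEPT
-A {CHAIN} -j REJECT --reject-with icmp-host-prohibited
"""

if __name__ == "__main__":
    print("appended after ACCEPT:", unblocked(BASE + YM_RULES))  # every YM port leaks
    print("placed before ACCEPT: ", unblocked(YM_RULES + BASE))  # nothing leaks
```

Feed it the contents of your own /etc/sysconfig/iptables in place of the constructed sample to see which YM ports are still reachable.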


USING SQUID from Fedora
-----------------------------------

Squid installation and setup will be covered separately in another entry sooner or later. But the iptables YM block rules mentioned above can also be defined and implemented as a Squid access list.

If the clients are all using Squid for transparent connections, the following Squid access list can additionally be added to /etc/squid/squid.conf. No further changes are needed on the client PCs.

Additional lines for /etc/squid/squid.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
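# Squid applies the first matching http_access rule, so keep these
# above the first "http_access allow" line.
acl YM_ports port 5100
acl YM_ports port 5101
acl YM_ports port 5050
acl YM_ports port 5000-5010
http_access deny YM_ports
# CONNECT is the method ACL from the stock squid.conf (acl CONNECT method CONNECT)
http_access deny CONNECT YM_ports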
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After making changes to your conf files, make sure you restart the affected services, like so:

# service iptables restart
# service squid reload


USING Access List from Cisco Routers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At the router level, blocking YM can also be done using Cisco access lists. Blocking by IP address, port number, destination and more is all possible with Cisco ACLs. Unfortunately, my apologies for not listing them out here, as that would not be Linux related. :(


OTHER WAYS
~~~~~~~~~~~

Blocking Yahoo chat messenger can also be done with other Linux software such as IPChains, IPCop, SquidGuard, DansGuardian and more. Additionally, this can also be done with all bandwidth control and monitoring appliances around the web.

Generally speaking, blocking YM takes TCP port numbers and protocol types. The same rule of thumb applies to blocking any software from connecting to the WWW.

Hope this fires up a starting point from your box, balu.

PS
Better to have this late blog reply than never. Good luck, then.
