# How to block MSN with Shorewall?

## petrjanda

I run Shorewall as my server firewall and I don't want clients to be able to connect to the MSN chat network. I blocked all ports except port 80 for HTTP traffic, but the smart thing uses it instead to connect to the network.

----------

## nielchiano

find out what IP the server runs as, then deny access to that IP

----------

## barlad

I think you can track packets according to the Layer 7 protocol with recent kernel patches, can't you? I believe iptables might have some rules to do that. Otherwise there is a project somewhere on SourceForge to do some layer 7 filtering.

----------

## zeek

*petrjanda wrote:*

> I run Shorewall as my server firewall and I don't want clients to be able to connect to the MSN chat network. I blocked all ports except port 80 for HTTP traffic, but the smart thing uses it instead to connect to the network.

Gah.  There are few things more annoying than some sysadmin abusing his power forcing his views on others.  The foundation of the GNU project is against people like you.

As Stallman said about a similar case:

*RMS wrote:*

> I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

Read the section on the wheel group at the bottom of the page:

http://www.gnu.org/software/coreutils/manual/html_chapter/coreutils_22.html

Can't believe I'm on the same side as Stallman...

----------

## Chris W

*zeek wrote:*

> Gah.  There are few things more annoying than some sysadmin abusing his power forcing his views on others.

Yes: employees who think it's a right to use the employer's resources to maintain their personal lives are one of them.  Being permitted to use the Internet connection, paid for by someone else, for non-work related activity is a privilege.

In short, there are perfectly good reasons for wanting to block activity of this nature which, let's face it, is unlikely to be work related.  This is not abuse unless you have a contract that says otherwise.

----------

## complich8

I think it's anecdote time!

I admin a smallish lab with winxp, win2k, gentoo, and redhat systems.  We've got a policy saying "No chat or IM while at work" and "No surfing unless work related" -- we do research and development of simulation software so we've got a lot of work-related stuff going on.  Firewall's running gentoo (as is one of our most used servers, and everything that I've installed linux on since I got my job a year or so ago).  

Our policies have always been kind of lax, and relied on the honor system for enforcement, because we're small and because people are humans and have social lives.  I have made it a personal goal to make sure users are safe in their usage and are given a functional productive environment, and that they aren't made inconvenienced by the measures I have in place.

So a couple days ago my boss noticed one of the coders spending a large amount of time (>2 hours) chatting on msn exclusively instead of doing productive things.  She asked me to block msn in the lab.  My answer was "it'd be pretty annoying to block it at the firewall, how about you talk to him and tell him not to do that, and I'll just disable it on the machine he uses".  Since he's the only user for the machine he's on, it worked well -- my other users who know how to keep their habits in check (there's 3 or 4 other people in here who use MSN messenger from time to time) don't suffer the consequences of one user who doesn't, and (better) it took a single registry key and a reboot or two to resolve the problem.  I even set the registry key remotely, so all I had to do was fire off a reboot when he left and the problem was gone.  My boss's interests (not paying him to do nothing) are protected.  My other users' interests (being able to use the service when they need it) are protected.  I'm happy, they're happy, the only person who isn't happy is the guy who got told he actually has a job to do and needs to be doing it.  But that's not feasible if everyone's not in the same room like we are.

Adding a firewall rule or setting up layer 7 filtering may be an obvious solution, but it's not always the easiest or best one. Messaging can be work related, it's just that it often isn't.  Filtering an entire (potentially useful) protocol is often a case of throwing the baby out with the bathwater, but in a larger environment than the one I'm in it may be a necessary evil.

Sys and net admins (at least the conscientious ones) are often charged with a conflicting set of tasks.  They have to make both their users and their bosses relatively happy.  RMS suggests that the choice is clear: support the users, not the people who pay you and own the systems you maintain.  But what good is it when you get fired for protecting the interests of your users over the interests of your bosses, and someone else comes in and strips them of things you could have successfully protected?

If you've got a reasonable (but maybe not ultra-technical) boss (like mine) asking for a shotgun blast when all you need is a poke with the tip of a pencil, you'd probably look for other solutions.  But the original poster didn't post the details of why and what.  All he said was "how do you do it" not "how do you do it so I can screw my jackass lusers who totally shouldn't be able to chat with anyone even though there's no valid reason not to allow it".  Isn't it a bit hypocritical to say "don't force your views on others" when you're trying to do the same?

----------

## zeek

*Chris W wrote:*

> In short, there are perfectly good reasons for wanting to block activity of this nature which, let's face it, is unlikely to be work related.  This is not abuse unless you have a contract that says otherwise.

Work related -- so what? (Nobody said it was work related either.)

The GNU beliefs are about Freedom which, let's face it, contradicts your authoritarian views.  You should install AIX or HPUX -- that is where you will find yourself in like-minded company...  well, maybe not.

But seriously, your statement above is in direct opposition to what the GNU foundation is about.  It's all about Freedom...

----------

## nielchiano

work related, not work related, whatever

Other situation: my sister is addicted to MSN, but my mom wants her to go to sleep at 10pm. So she asks me (the "network admin") to make sure she can't MSN anymore after 10pm...

Sure, I restrict her freedom, but since all other means (talking, etc.) didn't work... it's the only option left to have her sleep on time.

----------

## toddles13

*nielchiano wrote:*

> Other situation: my sister is addicted to MSN, but my mom wants her to go to sleep at 10pm. So she asks me (the "network admin") to make sure she can't MSN anymore after 10pm...

How about blocking everything apart from the proxy (such as Squid)? Then put in time-based ACLs.

Just a thought.

Sorry can't help with the original question.

----------


## zeek

The original question is irrelevant.

I'm only taking this as an opportunity to try to educate some people about the GNU manifesto by pointing out what they are saying is *directly* in opposition to what GNU stands for.

It is obvious by the posters in this thread that they don't understand what GNU is about and what the aims are that it is trying to achieve.  A free OS that you can use on your computer isn't the main goal of GNU.

http://www.gnu.org/gnu/manifesto.html

Note I'm not a big GNU supporter.  At one of their parties (free beer! miller lite or budweiser!! seriously!) I painted FreeBSD all over this big community mural they were making.

Peace.

----------

## lunarg

*zeek wrote:*

> The original question is irrelevant.
> 
> I'm only taking this as an opportunity to try to educate some people about the GNU manifesto by pointing out what they are saying is *directly* in opposition to what GNU stands for.

And *why* is the original question irrelevant? If you want to educate people, open your own thread in Gentoo Chat, rather than judging us and making it more difficult for us to actually get it to work!

I'm looking for a solution for that problem (which this thread is actually about) as well, but so far no luck. What makes things more complex is that we have two separate internet connections: one for hosting for our clients, and one for plain internet usage. However, right now, if a certain protocol is blocked, it automatically switches to the other internet connection (which is necessary because we need to be online 24/7), and forcing restrictions for MSN on both connections doesn't seem to be very successful.

If anyone knows a solution, post it here. I'm sure there are other sysadmins who want to know the answer.

----------

## nobspangle

the solution is to disable MSN through group policy for the entire domain, but that has nothing to do with shorewall or linux.

----------

## nielchiano

*nobspangle wrote:*

> the solution is to disable MSN through group policy for the entire domain, but that has nothing to do with shorewall or linux.

which will leave GAIM and other clients untouched

----------

## lunarg

*nielchiano wrote:*

> which will leave GAIM and other clients untouched

Exactly, we have both Windows and Linux clients in our network. So not only MSN Messenger is used, but also things like Kopete and Gaim. Moreover, we don't have a domain controller in our network, because we are a small company, and also, we believe in "freedom" (as long as it's not abused by internships, which is why I'm asking around).

----------

## KShots

```
REJECT loc net:ip.of.msn.server all ports_used
```

That ought to do the trick. If you have zones defined for both outgoing connections, just do the same with the other zone.

----------

## nielchiano

as I said in the very first reply

*nielchiano wrote:*

> find out what IP the server runs as, then deny access to that IP

----------

## zeek

*lunarg wrote:*

> If anyone knows a solution, post it here. I'm sure there are other sysadmins who want to know the answer.

A solution was already posted.

`shorewall status` will show where the connections to the MSN server are going if you're having trouble figuring out the IP of the MSN servers.

----------

## revertex

Another solution to block MSN on windoze machines is to install a personal firewall that blocks applications, like "Kerio Personal Firewall".

Just set an admin password, then block msnmessenger.

These kinds of windoze firewalls are extremely handy in those situations.

I like Kerio firewall to block Messenger, Kazaa, Outlook Express and Internet Explorer; this way users are forced to browse using Firefox.

----------

## nielchiano

*revertex wrote:*

> I like Kerio firewall to block Messenger, Kazaa, Outlook Express and Internet Explorer; this way users are forced to browse using Firefox.

everyone should... even the dept. of homeland security recommends NOT to use IE: http://slashdot.org/article.pl?sid=04/07/02/1441242&mode=thread&tid=103&tid=113&tid=126&tid=172&tid=95&tid=99

----------

## vonhelmet

*zeek wrote:*

> The original question is irrelevant.
> 
> I'm only taking this as an opportunity to try to educate some people about the GNU manifesto by pointing out what they are saying is *directly* in opposition to what GNU stands for.
> 
> It is obvious by the posters in this thread that they don't understand what GNU is about and what the aims are that it is trying to achieve.  A free OS that you can use on your computer isn't the main goal of GNU.
> ...

I think you're smoking crack...

Please show me where exactly the GNU manifesto gives the impression that it's OK for employees to abuse their employers time and money by spending their whole working days IMing people?

It's not about freedom. When you take a job with someone there is a contract between the two of you that you will work and they will pay you for it. If your work does not involve IMing, you shouldn't be doing it.

----------

## revertex

--off topic--

what's the difference between free phone call for all employees and free msn messenger? phone costs? 

for me it's the same.

freedom and abuse is not the same.

Chatting all day disrupts concentration, decreases productivity and exposes your LAN to unwanted security risks, because some morons accept all kinds of file transfers.

Aren't attachments in email enough to spread viruses and turn a sysadmin's life into a nightmare?

Every employee that abuses IM deserves to be boiled in hot oil.

Messenger is an awesome application: voice chat, video, file transfer, easy to use, annoying advertisements, privacy intrusion, but very misused.

--off topic--

petrjanda, Messenger uses port 1863, 6891-6901, plus a wide range of dynamic ports.

you can find more info here

http://www.chebucto.ns.ca/~rakerman/port-table.html#Table

You can nuke MSN Messenger by changing some registry keys or using gpedit (take care not to shoot yourself in the leg), but I dunno how long it could be effective; just do a winblows update and all your settings are gone.

windows is a beast that nobody can control, nor M$.

----------
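The two practical steps above (zeek: read `shorewall status` to see where the MSN connections go; revertex: Messenger uses 1863 and 6891-6901) combined into one script. This is an added example, not code from the thread or from Shorewall: it parses conntrack lines in the format `shorewall status` prints, lists the MSN server addresses each LAN client talks to, and renders the matching Shorewall REJECT rules. The sample conntrack lines and every address in them are constructed; `loc` and `net` are the zone names KShots used above.

```python
import re
from collections import defaultdict

# Ports the thread names for MSN Messenger: 1863 (notification/switchboard)
# and 6891-6901 (file transfer). The port 80 fallback is left out on
# purpose: by port alone it cannot be told apart from web traffic.
MSN_PORTS = {1863} | set(range(6891, 6902))

# Constructed sample in the /proc/net/ip_conntrack layout that
# `shorewall status` prints; all addresses below are made up.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.45 sport=3512 dport=1863 src=203.0.113.45 dst=192.168.1.20 sport=1863 dport=3512 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.20 dst=198.51.100.9 sport=3520 dport=80 src=198.51.100.9 dst=192.168.1.20 sport=80 dport=3520 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=192.168.1.31 dst=203.0.113.46 sport=1045 dport=6891 src=203.0.113.46 dst=192.168.1.31 sport=6891 dport=1045 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=1026 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=1026 use=1
tcp      6 431980 ESTABLISHED src=192.168.1.31 dst=203.0.113.45 sport=1050 dport=1863 src=203.0.113.45 dst=192.168.1.31 sport=1863 dport=1050 [ASSURED] use=1
"""

# Only the first src/dst group on a line is the original direction;
# the second group is the reply tuple, so a single search() is enough.
ORIG_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def msn_flows(conntrack_text):
    """Return (client, server, dport) for each flow whose original
    direction targets one of MSN_PORTS."""
    flows = []
    for line in conntrack_text.splitlines():
        m = ORIG_RE.search(line)
        if not m:
            continue
        src, dst, _sport, dport = m.groups()
        if int(dport) in MSN_PORTS:
            flows.append((src, dst, int(dport)))
    return flows

def msn_servers(conntrack_text):
    """Map each MSN server IP to the set of LAN clients talking to it;
    these are the addresses that go into the REJECT rule."""
    servers = defaultdict(set)
    for client, server, _port in msn_flows(conntrack_text):
        servers[server].add(client)
    return dict(servers)

def shorewall_rules(conntrack_text, src_zone="loc", dst_zone="net"):
    """One rules-file line per server in Shorewall's column order:
    ACTION  SOURCE  DEST  PROTO  DEST PORT(S) (ranges use a colon)."""
    ports = "1863,6891:6901"
    return ["REJECT\t%s\t%s:%s\ttcp\t%s" % (src_zone, dst_zone, ip, ports)
            for ip in sorted(msn_servers(conntrack_text))]

if __name__ == "__main__":
    for ip, clients in sorted(msn_servers(SAMPLE_CONNTRACK).items()):
        print(ip, sorted(clients))
    print("\n".join(shorewall_rules(SAMPLE_CONNTRACK)))
```

On a live box, feed it the output of `shorewall status` (or `cat /proc/net/ip_conntrack`) instead of the constructed sample; the generated lines drop straight into `/etc/shorewall/rules`.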

## zeek

*vonhelmet wrote:*

> It's not about freedom.

Wrong, GNU software is about freedom.  This is the GNU take on it:

*GNU wrote:*

> Free software is a matter of freedom: people should be free to use software in all the ways that are socially useful.

Full page: http://www.gnu.org/philosophy/philosophy.html

So surf over to ftp.clue.org and look for a file named a.bz2!

----------

## Banjer

*zeek wrote:*

> *vonhelmet wrote:* It's not about freedom.
> 
> Wrong, GNU software is about freedom.  This is the GNU take on it:
> 
> *GNU wrote:* Free software is a matter of freedom: people should be free to use software in all the ways that are socially useful.
> ...

So an admin has the freedom to use his GNU software to block whatever he wants..

----------

## vonhelmet

*zeek wrote:*

> *vonhelmet wrote:* It's not about freedom.
> 
> Wrong, GNU software is about freedom.  This is the GNU take on it:
> 
> *GNU wrote:* Free software is a matter of freedom: people should be free to use software in all the ways that are socially useful.
> ...

Yes, on your own computer and with your own bandwidth when you are not being paid to work.

Socially useful? It would arguably be more socially useful to get on with your work than fanny about on MSN messenger all day.

You are not free to breach the terms of your contract with your employer, regardless of what the GNU manifesto says. I'd like to see you sue your employer for unfair dismissal on the basis that you were using MSN and don't see the problem with it because it's in the GNU manifesto. See how far that gets you.

Also, you take my quote about "It's not about freedom" totally out of context. GNU is about freedom to produce and distribute and use software freely. That I agree with. My point was that when you are at work, your freedom is limited by your employer. So in this case, the GNU manifesto's take on freedom is rather overridden.

----------

## thomasa88

*revertex wrote:*

> petrjanda, Messenger uses port 1863, 6891-6901, plus a wide range of dynamic ports.
> 
> you can find more info here
> ...

Thx dude, nice list!

(But why didn't I check the log when I couldn't connect to MSN?)

----------

