Blocking Yahoo!Messenger
A simple policy within the company that caused many sleepless nights… One day the CEO said… "We shall not allow chatting"… Oh boy… this is a bother… as much as I enjoy Yahoo!Messenger, I have to comply…
To achieve this goal I first blocked all outgoing ports… then I had to hand-pick some TCP and UDP ports allowed for default services… After that I had to create rules to and from the branch offices connecting over VPN… Then I had SquidGuard (URLFilter in my case) screen the HTTP port to disallow chat…
Looking at the logs… it turns out that Yahoo!Messenger is capable of communicating through the default services I allowed earlier… like a virus, Yahoo!Messenger scans the network to identify open ports, and it was successful with ports 20, 21, 23, 25 and 443… is this legal?… anyway… I limited access on ports 20-25 to my servers only… but 443… blocking it means no HTTPS… I thought SquidGuard could help me but… it turns out that HTTPS, or secure HTTP, cannot be proxied transparently…
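An added example, not from the original post: a small log-analysis script that spots the behaviour described above in Shorewall-style firewall log lines, flagging a client that contacts one destination on several different ports (its own port dropped, then the allowed default-service ports walked until one is accepted). The log lines are constructed sample data; the chain name loc2net and the 5050 probe are assumptions.

```python
import re
from collections import defaultdict

# Constructed Shorewall-style kernel log lines (sample data, not from the post):
# .50 first tries the messenger's own port (assumed 5050), is dropped, then walks
# the ports the firewall still allows for "default services" and lands on 443.
SAMPLE_LOG = """\
Jan 11 17:10:01 ipcop kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=3421 DPT=5050
Jan 11 17:10:02 ipcop kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=3422 DPT=8080
Jan 11 17:10:02 ipcop kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=3423 DPT=21
Jan 11 17:10:03 ipcop kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=3424 DPT=23
Jan 11 17:10:03 ipcop kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=3425 DPT=25
Jan 11 17:10:04 ipcop kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=3426 DPT=443
Jan 11 17:11:10 ipcop kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.5 PROTO=TCP SPT=1044 DPT=443
Jan 11 17:11:12 ipcop kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.5 PROTO=TCP SPT=1045 DPT=443
"""

# Verdict, source, destination and destination port; other LOG fields are skipped.
LOG_RE = re.compile(
    r":(?P<verdict>ACCEPT|DROP|REJECT):.*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def parse(log_text):
    """Yield (src, dst, dport, verdict) for every TCP line the regex understands."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"]), m["verdict"]

def find_port_walkers(log_text, min_ports=3):
    """Map (src, dst) -> sorted [(port, verdict)] for pairs seen on at least
    min_ports distinct ports. A browser talks to one host on one or two ports;
    a client hunting for an egress path leaves a trail of several, some dropped."""
    pairs = defaultdict(dict)
    for src, dst, dpt, verdict in parse(log_text):
        pairs[(src, dst)][dpt] = verdict
    return {k: sorted(v.items()) for k, v in pairs.items() if len(v) >= min_ports}

def escaped_ports(walkers):
    """The allowed 'default service' ports a flagged pair actually got through on."""
    return {k: [p for p, v in ports if v == "ACCEPT"] for k, ports in walkers.items()}

if __name__ == "__main__":
    walkers = find_port_walkers(SAMPLE_LOG)
    for (src, dst), ports in walkers.items():
        print(f"{src} -> {dst}: {len(ports)} ports tried, accepted on {escaped_ports(walkers)[(src, dst)]}")
```

The ports reported by escaped_ports are the ones to tighten, the way the post narrows 20-25 to the servers that genuinely need them.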
From http://www.shorewall.net/Shorewall_Squid_Usage.html
…instructions for transparent proxying of HTTP. HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?).
The temporary solution is to allow only a few people access to HTTPS… and the other users must live without webmail, web banking and online shopping…
Update: since the IPCop box itself can reach port 443 and the proxy listens on port 800, someone who manually configures the firewall as their browser proxy can still access HTTPS sites…

milisdad:
wow, that's really a pity, isn't it…
11 January 2008, 5:34 pm
surely IT people are still allowed to chat?
there's still a way if you want to chat, just go through an SSH tunnel
Wisu Suntoyo:
hehehe… true… there are many ways…
What management picked up on… is that too much time was being wasted because the staff were all chatting..
11 January 2008, 8:39 pm
milisdad:
just set up a Jabber server, so at least there's internal communication.
14 January 2008, 8:24 am
at my place it was the same, lots of people were chatting, in the end an internal chat was set up.
even though in the end it wasn't effective. at least it minimised chatting with outside parties.
slashdotfx:
have you tried l7-filter.sf.net yet?
19 January 2008, 12:40 am
udienz:
wow, that's true… chatting is two sides of the same coin…
but if you use meebo it still works, doesn't it?
19 January 2008, 7:15 pm
Wisu Suntoyo:
@slashdotfx -> a layer-7 implementation on IPCop can use the QoS addon… http://en.wikibooks.org/wiki/Advanced_QoS_for_IPCop/HFSC#Rules_.E2.80.93_Layer-7 I happen to have tried this addon… and it turned out to need too much CPU from my PIII-powered firewall… the budget to upgrade the machine is actually there… but the person to do the work hasn't been allocated yet… eh, sorry, the answer went off on a tangent…
@udienz -> the beauty of using the shalla.de SquidGuard list is that its blacklist has a chat category… so web-based chat sites such as http://www.meeebo.com can be blocked with SquidGuard…
Latest update: after a little negotiation with the CEO, I finally managed to win the staff's wish by getting web-based chatting allowed during lunch hour and outside office hours… and this was very easy to do with URLFilter… just set up time constraints…
19 January 2008, 7:57 pm
sufehmi:
Thanks for the tips
One more way to block Yahoo Messenger on IPCop / squid is discussed here:
http://www.linuxsolved.com/linux-forums/other-devices/blocking-yahoo-messenger-on-transparent-proxy-t1363.0.html;msg4789#msg4789
2 April 2008, 12:51 pm