# How to block IM clients?



## overmind (Sep 3, 2009)

Hello,

Do you know a proper way in FreeBSD to block IM clients/traffic, so that users on the LAN are not able to use Yahoo Messenger, MSN, Skype or AOL?

For example, with Yahoo Messenger, if I block destination port 5050 it will use https and still work. I assume other IM clients work the same way.

Any idea/tip on where I should start?
(Blocking multiple subnets for IM servers is not a good way since those are changing.)

thank you and best regards


----------



## graudeejs (Sep 3, 2009)

two words: packet filter


----------



## overmind (Sep 3, 2009)

Do I need to do Layer 7 filtering?


----------



## graudeejs (Sep 3, 2009)

You can block the ports/IPs used to connect to the servers.


----------



## Alt (Sep 3, 2009)

Haha, Layer 3 filtering ftw


----------



## overmind (Sep 3, 2009)

An IM client will use https if the destination port is blocked. So Layer 3 will not work; if I block https I break https for the LAN clients, and some of them use https.


----------



## DutchDaemon (Sep 3, 2009)

Even if you manage to block all IM applications, people will still move to web-based IM, like MSN Webmessenger, Yahoo Webmessenger and ICQ2GO. Less functionality maybe, but still IM.


----------



## Alt (Sep 3, 2009)

You can divert them to Squid so this "non-really-https" will be dropped.
Or you can install a proxy and forbid direct connects..
Maybe it is possible at L7 with PF, but I dunno...


----------



## DutchDaemon (Sep 3, 2009)

Intercepting https will break _all_ https ..


----------



## overmind (Sep 3, 2009)

@DutchDaemon - For web-based IM I intend to use some content filter (like DansGuardian).

It is still not clear to me how to do it at Layer 7, but I'm doing some research and I'll post the results. I think it might be possible with ipfw+snort, but I am not sure.


----------



## SirDice (Sep 4, 2009)

Alt said:

> Or you can install a proxy and forbid direct connects..

This would be the solution. Don't use a SOCKS proxy, as you can pretty much proxy everything over it. Use an HTTP proxy. Forbid any workstation from accessing the Internet directly; force all of them through the proxy. Filter on the proxy based on URL.


----------



## hydra (Sep 4, 2009)

- block the IM ports on the firewall
- force the users to use a proxy and filter out the most used chat websites (like meebo)

Not a 100% solution, however it blocks most users.
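As an added example (not code posted in this thread), the pf.conf fragment below implements what SirDice and hydra describe: the FreeBSD gateway blocks the native IM ports and, more importantly, refuses any direct LAN-to-Internet traffic, so the HTTP proxy is the only way out and the HTTPS fallback from the first post has nowhere to go. The interface names, LAN range and Squid port are assumptions; only Yahoo's port 5050 comes from the thread, the other ports are the clients' well-known defaults.

```pf
# /etc/pf.conf fragment on the FreeBSD gateway (added example, not from the thread).
# Assumptions: em0 faces the Internet, em1 faces the LAN 192.168.1.0/24, and Squid
# listens on the gateway's LAN address on port 3128.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
proxy_port = "3128"
im_ports = "{ 5050, 1863, 5190, 5222 }"   # Yahoo (from the thread), MSN, AIM/ICQ, XMPP

set skip on lo0

# Deny by default in both directions, logging to pflog0 so blocked attempts are visible.
block in log on $int_if all
block out log on $ext_if all

# Log direct IM attempts under their own label. This is redundant with the default
# block, but "pfctl -s labels" then shows how often clients still try the native ports.
block in log quick on $int_if proto tcp from $lan_net to any port $im_ports label "im-direct"

# Workstations may only talk to the proxy, the gateway's resolver, and ssh for management.
pass in quick on $int_if proto tcp from $lan_net to $int_if port $proxy_port keep state
pass in quick on $int_if proto { tcp, udp } from $lan_net to $int_if port 53 keep state
pass in quick on $int_if proto tcp from $lan_net to $int_if port 22 keep state

# The gateway itself (Squid, the resolver) may reach the Internet on web and DNS ports.
# Nothing is passed in from $int_if towards "any", so no LAN host can reach the
# Internet directly, whether on 5050, 443 or anything else.
pass out quick on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } keep state
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state
```

On the Squid side, the URL filtering SirDice and hydra describe is an `acl <name> dstdomain .meebo.com` plus `http_access deny <name>` pair. Also restrict `CONNECT` to port 443 (`acl SSL_ports port 443`, `http_access deny CONNECT !SSL_ports`), otherwise a client can tunnel its native IM port through the proxy instead of through the firewall.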


----------

