# Deny Windows Live Messenger on IPFW



## cybercoke (Aug 12, 2011)

Hi Guys,

I have a box with FreeBSD 8.0-RELEASE, running ipfw as the firewall.

So, I have some rules to block "WLM" on Squid and it's working well, but on ipfw there are some problems. I will tell you how my network config is:

Interfaces
-----------------------------------------------
if external = rl1
if internal = rl0

They are defined in the ipfw script as ife and ifi.


|-Rules
||-Defining the WLM server IPs and the free IPs from my network that can connect to them


```
WLMServers="64.4.0.0/16,65.55.72.0/24"
freeWLM="192.168.x.x,192.168.x.y,192.168.x.z"
```
...
Rule #09320

```
${fwcmd} add set 13 allow log all from ${freeWLM} to any dst-port 1863 out via ${ife} setup keep-state
```

Rule #09420

```
${fwcmd} add set 13 allow log all from ${freeWLM} to ${WLMServers} dst-port 80,443 out via ${ife} setup keep-state
```
...

|-Allowing all from the ipfw external IP to any

Rule #14720

```
${fwcmd} add set 23 allow log tcp from me to any out via ${ife} setup keep-state
```

Well, when I try to connect from any IP on my network, ipfw denies the connection if the IP is not defined in the variable "freeWLM" in rule #09320, but then it allows the connection from the external interface of the firewall to port 1863 using rule #14720, and then the IP that initiated the WLM connection gets ON-LINE.

If I remove rule #14720, none of the IPs in my network, including those in the freeWLM variable, can connect to the WLM servers, as the security log shows:


```
Aug 12 11:14:48 neoproxy kernel: ipfw: 9320 Accept TCP 192.168.Y.X:49751 65.54.52.254:1863 in via rl0
Aug 12 11:14:48 neoproxy kernel: ipfw: 65534 Deny TCP 192.168.A.B:49751 65.54.52.254:1863 out via rl1
```

The rule #65534 is:


```
${fwcmd} add 65534 set 24 deny log logamount 50000 all from any to any
```

Thank you for helping me out.


----------



## qsecofr (Aug 12, 2011)

Your post didn't say if you're using NAT.

The following worked for me:

```
$ipfw -q add allow tcp from any to not me 1863 out setup keep-state
$ipfw -q add allow tcp from any to not me 1863 in not via $oif setup keep-state
$ipfw -q add allow tcp from not me 1863 to any established in
```

I use NAT.  Variable $oif is the external interface.  Reserved word "me" is the host running ipfw & NAT.  It's a bit more permissive in that IP addresses are not hard-coded.

YMMV with the established rule.

HTH


----------

