Date: Tue, 21 Jan 2003 17:03:09 -0600
From: Doug Poland
To: Kirk Strauser
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW, blocking IM servers
Message-ID: <20030121230308.GA89143@babylon.polands.org>
References: <34651.63.104.35.130.1043185192.squirrel@email.polands.org> <87hec2jggs.fsf@pooh.honeypot.net>
In-Reply-To: <87hec2jggs.fsf@pooh.honeypot.net>

On Tue, Jan 21, 2003 at 04:17:07PM -0600, Kirk Strauser wrote:
>
> At 2003-01-21T21:39:52Z, "Doug Poland" writes:
>
> > Sorry for this slightly off-topic post...  Is there a comprehensive list
> > of IM servers (names, IPs) available?  I'd like to block IM servers from
> > certain users on my network.
>
> No, nor will there be one.  Anyone with a server can set up Jabber on any
> port they want.
>
I'm concerned about the big 3, AOL, MSN, and Yahoo.  They must have a
limited IP range they use.

> > From what I've gathered on Google, the only effective strategy is to use
> > firewall (in my case, IPFW) rules to block IP's, names.
>
> OK, first, this is really more of an administrative issue than a technical
> one.  Tell your employees that if they IM for non-work issues (and that IM
> is logged, whether it is or not), then they are fired.  Get your boss to
> back you.  Then, it's not *your* problem if people are wasting their time at
> work.
>
This is my boss's idea!  Also, there are a number of volunteers who
cannot be fired.

> Second, the only reasonable way to do this is to block *everything* except
> traffic you want to allow.  No client machine needs direct Internet access
> to send email - make them use a smarthost.  Force all machines to surf the
> web via a Squid proxy, and only let that machine connect out on port 80.
>
I'm doing that now, however, I know the Yahoo client will use any open
port it can find and tunnel through that.

> Either way is going to piss off a lot of people, so decide in advance which
> one you can live with.  :)
>
Actually, this is to head off the problem before it starts.  Thanks for
your input and point of view, Kirk.

--
Regards,
Doug
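The block-everything-except-what-you-allow setup described in the thread, written out as an ipfw ruleset generator. This is an added example, not part of the original message: the addresses, interface names and rule numbers are constructed placeholders, and the DNS rules for the proxy and smarthost are an assumption the thread does not mention.

```shell
#!/bin/sh
# Added example: default-deny egress on an ipfw gateway.
# Every value below is a constructed placeholder, not taken from the thread.
LAN="192.168.10.0/24"      # client network (assumed)
PROXY="192.168.10.2"       # Squid host, the only machine allowed out on port 80
SMARTHOST="192.168.10.3"   # mail relay, the only machine allowed out on port 25
IIF="fxp1"                 # inside interface (assumed)
OIF="fxp0"                 # outside interface (assumed)

# Print the ruleset as ipfw commands so it can be reviewed before use.
# To load it, pipe the output to sh as root, from the console rather than
# over a network session that the flush would cut.
egress_rules() {
    cat <<EOF
ipfw -q -f flush
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 check-state
ipfw -q add 300 allow tcp from ${PROXY} to any 80 out via ${OIF} setup keep-state
ipfw -q add 310 allow tcp from ${SMARTHOST} to any 25 out via ${OIF} setup keep-state
ipfw -q add 320 allow udp from ${PROXY} to any 53 out via ${OIF} keep-state
ipfw -q add 330 allow udp from ${SMARTHOST} to any 53 out via ${OIF} keep-state
ipfw -q add 400 allow ip from any to any via ${IIF}
ipfw -q add 900 deny log ip from ${LAN} to any out via ${OIF}
ipfw -q add 65000 deny log ip from any to any
EOF
}

# Rule 400 lets clients reach the gateway on the inside interface; a forwarded
# packet is checked again on its way out of ${OIF}, where only rules 300-330
# pass it. Everything else from the LAN hits rule 900 and is logged.
egress_rules
```

With this in place no client has an open outbound port of its own, so the entries logged by rule 900 show which machines are probing for one; anything carried over HTTP still has to be handled at the proxy.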