
How to block gtalk messenger through squid

Status
Not open for further replies.

sdabreo

IS-IT--Management
Oct 3, 2002
50
IN
Dear All

I have a squid proxy in our office. I want to block gtalk messenger through a squid ACL. I am not using an iptables firewall as a Cisco ASA is already in place. I want to block gtalk messenger only through the ACL.

Can anyone help me out?
 
I repeat myself once more: such a job is much better suited to iptables or to your Cisco firewall, but if you are looking for a shortcut, here it is.

create the following ACL in squid.conf

Code:
acl block_port port 5223
http_access deny block_port

That should work. Anyway, squid's job is not to replace a sound firewalling strategy but to cache internet content.
Here is a more detailed tutorial on blocking ports with squid

I also would like to underline the fact that without iptables nothing stops users from disabling the proxy in their browser and accessing the internet directly.

We can help you on this forum in setting up iptables to stop internet traffic to port 80 and only allow internet access through squid. That's the recommended squid setup.

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
I tried the same ACL, but my users are still able to log in to Gtalk. I tried with the following ACL:

acl blocked_ports port 5223 5222

http_access deny blocked_ports


Can you please guide me on what the problem could be?
 
Try

acl blocked_ports port 5222-5223

I tried the line myself and it works fine.


QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 

I am still able to log in to the Google Talk messenger.

I have pasted my existing squid conf. Kindly let me know where I am making a mistake.


# And finally deny all other access to this proxy
http_access allow localhost

#acl all src 0.0.0.0/0.0.0.0
acl lan1_blr src 192.168.1.0/255.255.255.0
acl lan2_blr src 192.168.100.0/255.255.255.0
acl msn_hosts src "/etc/squid/msn_hosts"
acl yahoo_hosts src "/etc/squid/yahoo_hosts"
acl allowed_machines src "/etc/squid/allowed_machines"
acl support_staff src "/etc/squid/support_staff"
acl callcenter src "/etc/squid/callcenter"

acl blocked_ports port 5222-5223
acl rejected_urls url_regex "/etc/squid/rejected_urls"
acl allowed_urls dstdomain "/etc/squid/allowed_urls"
acl msn dstdomain "/etc/squid/msn"
acl yahoo dstdomain "/etc/squid/yahoo"

http_access deny blocked_ports
http_access deny rejected_urls
http_access deny !allowed_machines
http_access deny !lan1_blr !lan2_blr
http_access deny yahoo_hosts yahoo
http_access allow msn_hosts msn
http_access allow callcenter allowed_urls allowed_machines
http_access allow support_staff !callcenter
http_access deny all
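The following is an added example, not code from the thread or from the Squid project: a small Python model of Squid's `http_access` first-match evaluation, run over the access-control section pasted above. It shows that the `blocked_ports` line does fire for a CONNECT to port 5223 that actually reaches the proxy, so the ACL itself is not at fault; a client that opens a direct connection to port 5222 or 5223 never produces a request for this list to evaluate. The contents of the ACL files are not in the thread, so constructed stand-ins are used; `all` and `localhost` are treated as the ACLs Squid 3.x predefines; only the ACL types used in the posted config are modelled, with simplified matching.

```python
# Added example, not code from the thread: a simplified model of Squid's
# http_access first-match logic, run over the squid.conf posted above.
# Assumed: the ACL file contents (constructed below) and that `all` and
# `localhost` are the built-in ACLs Squid 3.x predefines.
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for the files the posted config references.
FILES = {
    "/etc/squid/allowed_machines": ["192.168.1.10", "192.168.1.20", "192.168.100.5"],
    "/etc/squid/support_staff": ["192.168.1.20"],
    "/etc/squid/callcenter": ["192.168.100.5"],
    "/etc/squid/msn_hosts": ["192.168.1.10"],
    "/etc/squid/yahoo_hosts": ["192.168.1.20"],
    "/etc/squid/rejected_urls": [r"\.facebook\.com", r"games"],
    "/etc/squid/allowed_urls": [".google.com"],
    "/etc/squid/msn": [".messenger.msn.com"],
    "/etc/squid/yahoo": [".yahoo.com"],
}

# The access-control section as posted in the thread.
SQUID_CONF = """
http_access allow localhost
#acl all src 0.0.0.0/0.0.0.0
acl lan1_blr src 192.168.1.0/255.255.255.0
acl lan2_blr src 192.168.100.0/255.255.255.0
acl msn_hosts src "/etc/squid/msn_hosts"
acl yahoo_hosts src "/etc/squid/yahoo_hosts"
acl allowed_machines src "/etc/squid/allowed_machines"
acl support_staff src "/etc/squid/support_staff"
acl callcenter src "/etc/squid/callcenter"
acl blocked_ports port 5222-5223
acl rejected_urls url_regex "/etc/squid/rejected_urls"
acl allowed_urls dstdomain "/etc/squid/allowed_urls"
acl msn dstdomain "/etc/squid/msn"
acl yahoo dstdomain "/etc/squid/yahoo"
http_access deny blocked_ports
http_access deny rejected_urls
http_access deny !allowed_machines
http_access deny !lan1_blr !lan2_blr
http_access deny yahoo_hosts yahoo
http_access allow msn_hosts msn
http_access allow callcenter allowed_urls allowed_machines
http_access allow support_staff !callcenter
http_access deny all
"""

@dataclass
class Request:
    src: str   # client address
    host: str  # destination host
    port: int  # destination port
    url: str   # URL as Squid sees it; a CONNECT request carries host:port

def parse_conf(text):
    """Collect acl definitions and the ordered http_access lines."""
    acls = {"all": ("all", []), "localhost": ("src", ["127.0.0.1/8"])}  # Squid built-ins
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments
        if not words:
            continue
        if words[0] == "acl":
            name, kind, *args = words[1:]
            values = []
            for arg in args:  # a quoted argument names a file of values
                values += FILES[arg.strip('"')] if arg.startswith('"') else [arg]
            acls[name] = (kind, values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # single port or lo-hi range
        return any(int(v.split("-")[0]) <= req.port <= int(v.split("-")[-1]) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and its subdomains
        h = req.host.lower()
        return any(h == v.lstrip(".") or (v.startswith(".") and h.endswith(v)) for v in values)
    if kind == "url_regex":
        return any(re.search(v, req.url) for v in values)
    raise ValueError(f"ACL type {kind} not modelled here")

def decide(acls, rules, req):
    """First http_access line whose ACLs all match wins ('!' negates one ACL).
    With no match at all, Squid applies the opposite of the last line's action."""
    for number, (action, names) in enumerate(rules, 1):
        for name in names:
            kind, values = acls[name.lstrip("!")]
            if acl_matches(kind, values, req) == name.startswith("!"):
                break  # this ACL failed, so the line does not apply
        else:
            return action, number
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

ACLS, RULES = parse_conf(SQUID_CONF)

def check(src, host, port=80, connect=False):
    """Evaluate one request that reached the proxy; a CONNECT tunnel carries host:port."""
    url = f"{host}:{port}" if connect else f"http://{host}/"
    return decide(ACLS, RULES, Request(src, host, port, url))

if __name__ == "__main__":
    for args in [("192.168.1.10", "talk.google.com", 5223, True),
                 ("192.168.1.10", "messenger.msn.com"),
                 ("192.168.1.99", "www.google.com"),
                 ("192.168.1.20", "mail.yahoo.com"),
                 ("192.168.100.5", "www.example.com")]:
        print(args, "->", check(*args))
```

Run it and the CONNECT to talk.google.com:5223 is denied by the second `http_access` line, exactly as the config intends. Whether a given client ever sends that CONNECT is up to the client: a messenger configured with no proxy, or one that falls back to a direct connection, goes out through the gateway untouched, which is the point made in the next reply and the reason the enforcement belongs on the ASA or in iptables.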
 
There is nothing wrong with your .conf file.

Unfortunately I have to tell you that not all protocols can be proxied, so I think that your gtalk traffic is going straight through the gateway.

I did my test using port 8181, which is one of my web servers, and it gets blocked without problems, being HTTP traffic.

In this case you need one of the two:

your ASA firewall to block the related ports
or
iptables to block the related ports.

Again, squid is a proxy server; its job is to proxy content. With time some filtering features have been included but that does not make it a replacement for a firewall.


QatQat


If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
Thanks thedaver,

sdabreo, you guys have spent a couple of bucks on a Cisco ASA. This task is very easily achieved with the ASA management utility.

Once you are in there, block direct access to port 80 and force the users to use the proxy. Now you have a proper configuration.

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 