Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Let's shut off Instant Messanger 1

Status
Not open for further replies.

stevenriz

IS-IT--Management
May 21, 2001
1,069
Thought I would take a chance with this forum. Does anyone know the ports used for all those instant messanger programs? We have a certain few individuals that are on it constantly for pleasure and although it can be a good work tool, I wish to shut it down for a while to see who complains and who doesn't. I know I konw.... sneaky.... Thanks!!
Steve
 
Block it by blocking the range of IPs these service uses. This list is a few months old but should get you started in the right direction. I did this at one place and it was interesting to hear who whinned and how loud.

"ahh... Tim.. is there a problem with the internet?"
"why? are you have a problem?"
"errr... no.. I was just wondering"

AOL IM
152.163.0.0 /16 255.255.0.0
205.188.0.0 /16
64.12.0.0 /16

MSN Messenger
64.4.0.0 /18 255.255.192.0

Yahoo Messenger
216.136.224.0 /22 255.255.252.0


THis list comes from a PIX and blocks alot of the ICQ crap.

access-list inside deny tcp any any eq 1863
access-list inside deny tcp any any eq 5000
access-list inside deny tcp any any eq 5001
access-list inside deny tcp any any eq 5050
access-list inside deny tcp any any eq 5100
access-list inside deny tcp any any eq 1214
access-list inside deny tcp any any range 6665 6669
access-list inside deny udp any any eq 5000
access-list inside deny udp any any eq 5001
access-list inside deny udp any any eq 5050
access-list inside deny udp any any eq 5100
access-list inside deny udp any any eq 1214
access-list inside deny ip any host 64.12.161.153
access-list inside deny ip any 206.142.53.0 255.255.255.0
access-list inside deny ip any 64.245.58.0 255.255.254.0
access-list inside deny ip any 213.248.107.0 255.255.255.0
access-list inside deny ip any host 205.188.179.233

MikeS
Find me at
"The trouble with giving up civil rights is that you never get them back"
 
Great this is awsome. I look forward to heating those complaints. I cab hear it now.... Thanks!
 
AIM is a very VERY sneaky culprit - it will use ANY port that it can find available. Blocking huge ranges of IP addresses may lead to unforeseen problems with other internet based applications.
 
Great post!


Can you block AOL AIM without blocking the website AOL.com

I seem to block AOL.com when I added the following lines to my PIX 515

access-list acl_in deny ip any 152.163.0.0 255.255.0.0
access-list acl_in deny ip any 205.188.0.0 255.255.0.0
access-list acl_in deny ip any 64.12.0.0 255.255.0.0

Hey but it did keep people from using AIM.


Thanks

Charles
 
The reason that you cannot see AOL.COM is because AOL.COM is currently registered with ARIN as IP address 64.12.187.25, and you have blocked ALL IP traffic from that address with the access list line :

access-list acl_in deny ip any 64.12.0.0 255.255.0.0


I do not believe that AIM can use PORT 80 (HTTP) or PORT 443 (HTTPS) - (please let me know if this is false!). Therefore, if you allow ONLY TCP eq 80 on those IP address ranges, rather than just blocking IP, you should be able to see the site AOL.COM. Also remember, that AOL.COM also uses HTTPS, which is normally TCP Port 443, so you may want to allow that as well if you wish your employees the ability to access their mail account from the AOL web site.

I have not done this - (we actually trust our people here lol), but in the access list, allow TCP 80 and TCP 443 for the IP address of AOL.COM. Then, at the end, deny the rest. Let me know if this, or a configuration like this, works.

access-list acl_in permit tcp any 64.12.0.0 255.255.0.0 eq 80
access-list acl_in permit tcp any 64.12.0.0 255.255.0.0 eq 443
access-list acl_in deny ip any 64.12.0.0 255.255.0.0
 
Hi

Just wanted to bring this one back too light! I'm still trying too block msn and have done the above with no joy. Any one got any ideas??

Thanks in advance!!

 
Hi,
I'm not fully aware of your setup so please disgrard this if it does not apply... when I set up firewalls for my remote sites I block all inbound and outbound access. I punt people through a proxy server for web access and allow that through the firewall, if they need additional services on the net I tend to stick them through a proper socks server. Very few to no people in the company I work at has direct access to the Internet. Hence they cannot do anything they shouldn't be. Admittedly this involes a bit more cash and it not *totally* fool proof, but deters mos t of the users.

-Stephen
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top