Yahoo Messenger


Yahoo Messenger is the instant messaging client from Yahoo. It supports voice, video, and file transfers in addition to standard text instant messaging. It uses several TCP and UDP ports depending upon the services being used. The following page on Yahoo's site documents the ports and servers used by Yahoo Messenger: http://help.yahoo.com/help/us/mesg/twin/twin-15.html.

Connecting to Yahoo Messenger

Yahoo has been by far the least problematic of all the IM services we have tested. It's extremely firewall friendly, even in the case of more complex services such as voice and video.

For login and text messaging connections, Yahoo Messenger will use any of the following TCP ports (which is why blocking a single port rarely stops it):

  • 20 (generally reserved for FTP)

  • 23 (generally reserved for telnet)

  • 25 (generally reserved for SMTP)

  • 80 (generally reserved for HTTP)

  • 119 (generally reserved for NNTP)

  • 5050

The other services use their own ports:

  • Video (webcam) traffic uses TCP port 5100

  • File transfers use TCP port 80 and the HTTP protocol (extremely trivial to get through firewalls, since it looks like ordinary web traffic)

  • Voice communication uses TCP or UDP ports 5000-5010

If you experience difficulty in getting these services to traverse the firewall, the usual suspects are DROP/REJECT rules on one or more of the ports listed here. The same spread of ports is what makes Yahoo so difficult to block.

Blocking Yahoo Messenger Traffic

First and foremost, Yahoo has done a fantastic job at making their IM client firewall friendly (in terms of circumventing them, that is!), due to their copious use of "standard" services ports and literally hundreds of servers and IP addresses all over the place. This is by far one of the hardest IM clients to filter out. The most effective method we have used so far is to block the login servers; however, users clever enough to reconfigure their clients to use HTTP proxy servers can circumvent even these rules. As Yahoo changes these servers frequently, the first step is to check http://help.yahoo.com/help/us/mesg/twin/twin-15.html for the latest list of Yahoo servers. At the writing of this book, those were

  • scsa.msg.yahoo.com

  • scsb.msg.yahoo.com

  • scsc.msg.yahoo.com

  • scs.msg.yahoo.com

Example of extrapolating the IP addresses using the "host" command:

  [user@firewall /tmp]$ host scs.msg.yahoo.com
  scs.msg.yahoo.com (an alias for scs-dcna.msg.yahoo.com)
  scs-dcna.msg.yahoo.com has address 216.155.193.128
  scs-dcna.msg.yahoo.com has address 216.155.193.129
  scs-dcna.msg.yahoo.com has address 216.155.193.130
  scs-dcna.msg.yahoo.com has address 216.155.193.131
  scs-dcna.msg.yahoo.com has address 216.155.193.132
  scs-dcna.msg.yahoo.com has address 216.155.193.133
  scs-dcna.msg.yahoo.com has address 216.155.193.134
  scs-dcna.msg.yahoo.com has address 216.155.193.135
  [user@firewall /tmp]$ host scsa.msg.yahoo.com
  scsa.msg.yahoo.com (an alias for scs.msg.yahoo.com)
  [user@firewall /tmp]$ host scsb.msg.yahoo.com
  scsb.msg.yahoo.com (an alias for scs-fooe.yahoo.com)
  scs-fooe.yahoo.com has address 66.163.173.8
  scs-fooe.yahoo.com has address 216.136.128.144
  scs-fooe.yahoo.com has address 216.136.227.23
  scs-fooe.yahoo.com has address 216.136.233.152
  scs-fooe.yahoo.com has address 216.136.131.64
  scs-fooe.yahoo.com has address 216.136.172.248
  scs-fooe.yahoo.com has address 216.136.173.180
  scs-fooe.yahoo.com has address 216.136.225.28
  scs-fooe.yahoo.com has address 216.136.226.13
  scs-fooe.yahoo.com has address 216.136.227.22
  [user@firewall /tmp]$ host scsc.msg.yahoo.com
  scsc.msg.yahoo.com (an alias for scsdcntest-b.msg.yahoo.com.)
  scsdcntest-b.msg.yahoo.com has address 216.155.193.147
  scsdcntest-b.msg.yahoo.com has address 216.155.193.148
  scsdcntest-b.msg.yahoo.com has address 216.155.193.149
  scsdcntest-b.msg.yahoo.com has address 216.155.193.150
  scsdcntest-b.msg.yahoo.com has address 216.155.193.151
  scsdcntest-b.msg.yahoo.com has address 216.155.193.152
  scsdcntest-b.msg.yahoo.com has address 216.155.193.153
  scsdcntest-b.msg.yahoo.com has address 216.155.193.154
  scsdcntest-b.msg.yahoo.com has address 216.155.193.155
  scsdcntest-b.msg.yahoo.com has address 216.155.193.156

As you can see, there are a lot of servers, and they change from time to time. A more long-term option would be an IDS such as snort (http://www.snort.org) with Yahoo IM signatures tied into an auto-response system that shuns offending hosts (that is, reconfigures a filter on the firewall in real time when a signature fires), or a cron job that checks the list of servers for changes and updates the firewall rules. If none of these are an option and you want to do it the hard way, the following firewall rules can be added to your system, but remember to replace these IPs with the IPs you enumerated using the host commands listed previously:

  $IPTABLES -A FORWARD -d 216.155.193.128 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.129 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.130 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.131 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.132 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.133 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.134 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.135 -j DROP
  $IPTABLES -A FORWARD -d 66.163.173.8 -j DROP
  $IPTABLES -A FORWARD -d 216.136.128.144 -j DROP
  $IPTABLES -A FORWARD -d 216.136.227.23 -j DROP
  $IPTABLES -A FORWARD -d 216.136.233.152 -j DROP
  $IPTABLES -A FORWARD -d 216.136.131.64 -j DROP
  $IPTABLES -A FORWARD -d 216.136.172.248 -j DROP
  $IPTABLES -A FORWARD -d 216.136.173.180 -j DROP
  $IPTABLES -A FORWARD -d 216.136.225.28 -j DROP
  $IPTABLES -A FORWARD -d 216.136.226.13 -j DROP
  $IPTABLES -A FORWARD -d 216.136.227.22 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.147 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.148 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.149 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.150 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.151 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.152 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.153 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.154 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.155 -j DROP
  $IPTABLES -A FORWARD -d 216.155.193.156 -j DROP

Note

You might want to replace -j DROP with -j REJECT, which returns an ICMP error (port unreachable by default) instead of silently discarding the packet. Some IM clients honor this message immediately and stop reconnection attempts, whereas a DROP leaves them waiting for a timeout and retrying. For rules restricted to TCP (-p tcp), -j REJECT --reject-with tcp-reset sends a TCP RST instead, which the client's TCP stack treats as a refused connection.


Obviously, maintaining a big list of firewall rules like the one just listed is a lot of overhead. The following script is for the more adventurous types who want to automate the filter generation:

  #!/bin/sh
  # Resolve the Yahoo login servers and add a LOG and a DROP rule for each address.
  IPTABLES=/sbin/iptables
  # Use a fresh, unpredictable file rather than a fixed name in the world-writable /tmp.
  HOSTS=`mktemp /tmp/yahoo-hosts.XXXXXX` || exit 1

  for i in scs.msg.yahoo.com scsa.msg.yahoo.com scsb.msg.yahoo.com scsc.msg.yahoo.com; do
      # Keep only the address field; alias lines and lookup errors are ignored.
      host $i | awk '/has address/ { print $NF }' >> $HOSTS
  done

  # Several names alias the same servers, so drop duplicate addresses before
  # adding rules; the LOG rule is rate-limited so a chatty client cannot flood syslog.
  for i in `sort -u $HOSTS`; do
      $IPTABLES -A FORWARD -d $i -m limit \
          --limit 1/second -j LOG --log-level info \
          --log-prefix "Policy Violation: Yahoo "
      $IPTABLES -A FORWARD -d $i -j DROP
  done
  rm -f $HOSTS
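The cron-job variant mentioned above, as an added example that is not from the book: instead of appending rules to FORWARD on every run (which stacks duplicates), it keeps the Yahoo addresses in a dedicated chain that is flushed and rebuilt each time, so the job can run hourly without a growing rule set. The chain name YAHOO_BLOCK, the function names, the demo/dry-run/apply modes and the embedded sample of `host` output are this example's own assumptions (the sample uses the newer "is an alias for" wording of `host`, but only "has address" lines matter, so the older format shown earlier parses the same way).

```shell
#!/bin/sh
# Added example (not from the book): rebuild a dedicated iptables chain for the
# Yahoo login servers from DNS, suitable for running from cron.
# Assumptions: the chain name YAHOO_BLOCK and the function names are this
# example's own; host, awk, sort and grep are available.
IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=YAHOO_BLOCK
SERVERS="scs.msg.yahoo.com scsa.msg.yahoo.com scsb.msg.yahoo.com scsc.msg.yahoo.com"

# Constructed sample of `host` output (not a real capture), used by "demo" mode
# so the script can be exercised offline. It deliberately contains a duplicate
# address, alias lines and an IPv6 line, all of which the parser must handle.
SAMPLE_HOST_OUTPUT='scs.msg.yahoo.com is an alias for scs-dcna.msg.yahoo.com.
scs-dcna.msg.yahoo.com has address 216.155.193.129
scs-dcna.msg.yahoo.com has address 216.155.193.128
scsa.msg.yahoo.com is an alias for scs.msg.yahoo.com.
scs-dcna.msg.yahoo.com has address 216.155.193.128
scsb.msg.yahoo.com has IPv6 address 2001:db8::1'

# Read `host` output on stdin; print each IPv4 address once, sorted.
# Alias lines carry no address, and "has IPv6 address" lines are skipped
# because iptables rules only match IPv4 (ip6tables would be needed for those).
parse_host_output() {
    awk '/has address/ { print $NF }' | sort -u
}

# Resolve every server name; a name that fails to resolve is reported on
# stderr and skipped rather than aborting the whole rebuild.
resolve_servers() {
    for name in $SERVERS; do
        host "$name" 2>/dev/null || echo "warning: $name did not resolve" >&2
    done | parse_host_output
}

# Turn an address list on stdin into iptables commands on stdout, so they can
# be reviewed first (dry-run) or piped to sh (apply). The chain is flushed and
# refilled on every run, so repeated cron runs never stack duplicate rules.
# LOG is rate-limited; TCP gets a RST and everything else an ICMP error, so
# the client gives up faster than it would on a silent DROP.
gen_rules() {
    echo "$IPTABLES -N $CHAIN 2>/dev/null || $IPTABLES -F $CHAIN"
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "$IPTABLES -A $CHAIN -d $ip -m limit --limit 1/second -j LOG --log-level info --log-prefix \"Policy Violation: Yahoo \""
        echo "$IPTABLES -A $CHAIN -d $ip -p tcp -j REJECT --reject-with tcp-reset"
        echo "$IPTABLES -A $CHAIN -d $ip -j REJECT"
    done
    # Jump from FORWARD into the chain only if that jump is not already present.
    echo "$IPTABLES -L FORWARD -n | grep -q \"^$CHAIN \" || $IPTABLES -I FORWARD 1 -j $CHAIN"
}

# Number of addresses a generated rule set covers (one catch-all REJECT per address).
count_blocked() {
    grep -c -- '-j REJECT$'
}

main() {
    case "$1" in
        demo)    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output | gen_rules ;;
        dry-run) resolve_servers | gen_rules ;;
        apply)   resolve_servers | gen_rules | sh -e ;;
        *)       echo "usage: $0 demo|dry-run|apply" >&2; return 2 ;;
    esac
}

# Only act when invoked with a mode, so the file can also be sourced for its functions.
case "${1:-}" in demo|dry-run|apply) main "$1" ;; esac
```

Run it as `sh yahoo-block.sh dry-run` to see the commands a cron run would execute, and put `yahoo-block.sh apply` in root's crontab once the output looks right. Because resolution failures are skipped rather than fatal, a DNS outage at cron time leaves a shorter chain instead of an empty one; if you would rather keep the previous rules in that case, have the job abort when resolve_servers prints nothing.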



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    EAN: N/A
    Year: 2004
    Pages: 169
