Yahoo Messenger is the instant messaging client from Yahoo. It supports voice, video, and file transfers in addition to standard text instant messaging, and it uses several TCP and UDP ports depending on the services in use. The following page on Yahoo's site documents the ports and servers used by Yahoo Messenger: http://help.yahoo.com/help/us/mesg/twin/twin-15.html.

Connecting to Yahoo Messenger

Yahoo has been by far the least problematic of all the IM services we have tested. It is extremely firewall friendly, even for the more complex services such as voice and video. For login and text messaging connections, Yahoo Messenger uses the following TCP ports:
If you experience difficulty getting these services to traverse the firewall, the usual suspects are DROP/REJECT rules on one or more of the ports listed here (although, as you will see, Yahoo is very difficult to block).

Blocking Yahoo Messenger Traffic

First and foremost, Yahoo has done a fantastic job of making its IM client firewall friendly (in the sense of circumventing firewalls, that is), thanks to its copious use of "standard" service ports and literally hundreds of servers and IP addresses spread all over the place. This is by far one of the hardest IM clients to filter out. The most effective method we have used so far is to block the login servers; however, users clever enough to reconfigure their clients to use an HTTP proxy server can circumvent even these rules. Because Yahoo changes these servers frequently, the first step is to check http://help.yahoo.com/help/us/mesg/twin/twin-15.html for the latest list of Yahoo servers. At the writing of this book, those were
Example of enumerating the IP addresses behind those names using the "host" command:

[user@firewall /tmp]$ host scs.msg.yahoo.com
scs.msg.yahoo.com (an alias for scs-dcna.msg.yahoo.com)
scs-dcna.msg.yahoo.com has address 216.155.193.128
scs-dcna.msg.yahoo.com has address 216.155.193.129
scs-dcna.msg.yahoo.com has address 216.155.193.130
scs-dcna.msg.yahoo.com has address 216.155.193.131
scs-dcna.msg.yahoo.com has address 216.155.193.132
scs-dcna.msg.yahoo.com has address 216.155.193.133
scs-dcna.msg.yahoo.com has address 216.155.193.134
scs-dcna.msg.yahoo.com has address 216.155.193.135
[user@firewall /tmp]$ host scsa.msg.yahoo.com
scsa.msg.yahoo.com (an alias for scs.msg.yahoo.com)
[user@firewall /tmp]$ host scsb.msg.yahoo.com
scsb.msg.yahoo.com (an alias for scs-fooe.yahoo.com)
scs-fooe.yahoo.com has address 66.163.173.8
scs-fooe.yahoo.com has address 216.136.128.144
scs-fooe.yahoo.com has address 216.136.227.23
scs-fooe.yahoo.com has address 216.136.233.152
scs-fooe.yahoo.com has address 216.136.131.64
scs-fooe.yahoo.com has address 216.136.172.248
scs-fooe.yahoo.com has address 216.136.173.180
scs-fooe.yahoo.com has address 216.136.225.28
scs-fooe.yahoo.com has address 216.136.226.13
scs-fooe.yahoo.com has address 216.136.227.22
[user@firewall /tmp]$ host scsc.msg.yahoo.com
scsc.msg.yahoo.com (an alias for scsdcntest-b.msg.yahoo.com.)
scsdcntest-b.msg.yahoo.com has address 216.155.193.147
scsdcntest-b.msg.yahoo.com has address 216.155.193.148
scsdcntest-b.msg.yahoo.com has address 216.155.193.149
scsdcntest-b.msg.yahoo.com has address 216.155.193.150
scsdcntest-b.msg.yahoo.com has address 216.155.193.151
scsdcntest-b.msg.yahoo.com has address 216.155.193.152
scsdcntest-b.msg.yahoo.com has address 216.155.193.153
scsdcntest-b.msg.yahoo.com has address 216.155.193.154
scsdcntest-b.msg.yahoo.com has address 216.155.193.155
scsdcntest-b.msg.yahoo.com has address 216.155.193.156

As you can see, there are a lot of servers, and they change from time to time. Note that scsa.msg.yahoo.com is merely an alias for scs.msg.yahoo.com, so it resolves to the same addresses.
A more durable option would therefore be an IDS such as snort (http://www.snort.org) with Yahoo IM signatures tied into an auto-response system that shuns the offender (that is, reconfigures a filter on the firewall in real time when a signature fires), or a cron job that checks for changes to the list of servers and updates the firewall rules. If none of these is an option and you want to do it the hard way, the following firewall rules can be added to your system, but remember to replace these IPs with the ones you enumerated using the host commands shown previously:

$IPTABLES -A FORWARD -d 216.155.193.128 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.129 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.130 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.131 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.132 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.133 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.134 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.135 -j DROP
$IPTABLES -A FORWARD -d 66.163.173.8 -j DROP
$IPTABLES -A FORWARD -d 216.136.128.144 -j DROP
$IPTABLES -A FORWARD -d 216.136.227.23 -j DROP
$IPTABLES -A FORWARD -d 216.136.233.152 -j DROP
$IPTABLES -A FORWARD -d 216.136.131.64 -j DROP
$IPTABLES -A FORWARD -d 216.136.172.248 -j DROP
$IPTABLES -A FORWARD -d 216.136.173.180 -j DROP
$IPTABLES -A FORWARD -d 216.136.225.28 -j DROP
$IPTABLES -A FORWARD -d 216.136.226.13 -j DROP
$IPTABLES -A FORWARD -d 216.136.227.22 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.147 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.148 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.149 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.150 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.151 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.152 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.153 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.154 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.155 -j DROP
$IPTABLES -A FORWARD -d 216.155.193.156 -j DROP

Note: You might want to replace -j DROP with -j REJECT, as REJECT returns an ICMP error. Some IM clients honor this ICMP message immediately and stop their reconnection attempts, whereas with DROP they keep retrying until a timeout.

Obviously, maintaining a big list of firewall rules like the one just listed is a lot of overhead. The following script is for the more adventurous types who want to automate the filter generation. It resolves each login server name, keeps only the "has address" lines (alias lines carry no IP), removes duplicates such as scsa, which is an alias for scs, and then installs a rate-limited LOG rule and a DROP rule per address. The LOG rule is rate limited to one entry per second so that a chatty client cannot flood the logs:

#!/bin/sh
IPTABLES=/sbin/iptables
HOSTS=`mktemp /tmp/yahoo-hosts.XXXXXX` || exit 1

# Resolve each login server; only "has address" lines carry an IP,
# and sort -u collapses duplicates from aliased names.
for i in scs.msg.yahoo.com scsa.msg.yahoo.com scsb.msg.yahoo.com scsc.msg.yahoo.com; do
    host $i | grep address | awk -Faddress '{ print $2 }'
done | sort -u > $HOSTS

# One rate-limited LOG rule and one DROP rule per address.
for i in `cat $HOSTS`; do
    $IPTABLES -A FORWARD -d $i -m limit \
        --limit 1/second -j LOG --log-level info \
        --log-prefix "Policy Violation: Yahoo "
    $IPTABLES -A FORWARD -d $i -j DROP
done
rm -f $HOSTS
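The script above appends to the FORWARD chain every time it runs, so using it as the cron job suggested earlier would pile up duplicate rules on each refresh. The following is an added example, not from the book, that makes the cron-job approach repeatable: it parses host output into a deduplicated address list (the same parsing step behind the host commands shown earlier) and rebuilds a dedicated chain so that each run replaces the previous list instead of stacking rules. The chain name YAHOO_BLOCK, the --dry-run/--apply switches and the embedded host output are this example's own constructions, not Yahoo's or the book's; the embedded output is constructed sample data, not a live lookup. It assumes an iptables that supports the -C (check) option, available since 1.4.11, and uses REJECT rather than DROP for the reason given in the note above.

```shell
#!/bin/sh
# Added example (not from the book): rebuild a dedicated iptables chain
# from DNS so a cron job can refresh the Yahoo block list without
# duplicating FORWARD rules. Chain name and switches are chosen here.

IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-YAHOO_BLOCK}"
SERVERS="scs.msg.yahoo.com scsa.msg.yahoo.com scsb.msg.yahoo.com scsc.msg.yahoo.com"

# Extract IPv4 addresses from `host` output on stdin. Alias lines carry
# no address; sort -u removes duplicates such as scsa (an alias for scs).
extract_addrs() {
    awk '/has address/ { print $NF }' | sort -u
}

# Resolve every server name once and emit the merged, deduplicated list.
resolve_servers() {
    for name in $SERVERS; do
        host "$name" 2>/dev/null
    done | extract_addrs
}

# Rebuild the chain from addresses read on stdin. The chain and its single
# FORWARD hook are created only if missing (-C checks for the hook); the
# chain is then flushed and repopulated, so re-running never stacks rules.
rebuild_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -C FORWARD -j "$CHAIN" 2>/dev/null || $IPTABLES -I FORWARD -j "$CHAIN"
    $IPTABLES -F "$CHAIN"
    while read -r ip; do
        [ -n "$ip" ] || continue
        $IPTABLES -A "$CHAIN" -d "$ip" -m limit --limit 1/second \
            -j LOG --log-level info --log-prefix "Policy Violation: Yahoo "
        $IPTABLES -A "$CHAIN" -d "$ip" -j REJECT
    done
}

# Constructed sample of `host` output (not a live lookup) so the parsing
# can be exercised offline; the alias lines and the repeated address are
# deliberate.
SAMPLE_HOST_OUTPUT='scs.msg.yahoo.com is an alias for scs-dcna.msg.yahoo.com.
scs-dcna.msg.yahoo.com has address 216.155.193.128
scs-dcna.msg.yahoo.com has address 216.155.193.129
scsa.msg.yahoo.com is an alias for scs.msg.yahoo.com.
scs-dcna.msg.yahoo.com has address 216.155.193.128'

case "${1:-}" in
    # --dry-run: IPTABLES=echo prints the rules that would be loaded.
    --dry-run) IPTABLES=echo
               printf '%s\n' "$SAMPLE_HOST_OUTPUT" | extract_addrs | rebuild_chain ;;
    # --apply: resolve the real names and load the rules (run as root, e.g. from cron).
    --apply)   resolve_servers | rebuild_chain ;;
esac
```

Run it with --dry-run to see the generated rules, and schedule it with --apply from cron to keep the chain current; because the whole chain is flushed and refilled, a server that disappears from DNS also disappears from the filter on the next run.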