FAQ how do I block instant messengers

From PFSenseDocs



Summary

pfSense is a firewall that works at layer 3 and layer 4, so it handles IP addresses and port numbers very well. IM vendors now actively try to bypass firewalls: they change their server IP addresses, use many IP addresses, and disguise their traffic as HTTP. This is a major problem because, at layers 3 and 4, it is difficult to tell IM traffic tunnelled over HTTP from a legitimate web page. Doing that requires working at layer 7 and inspecting URLs and the HTTP protocol itself, which is best done with the Squid package. If you are not using Squid, the workaround is to stop the traffic with DNS and firewall rules, as detailed below.

Details

First, identify the IM authentication servers and give each of them the IP address 127.0.0.1 in the pfSense DNS Forwarder (a host override). You also need to ensure that the clients use the pfSense machine as their DNS server and that no other DNS traffic is allowed out of the network; otherwise a client can simply resolve the names through another resolver and bypass the overrides.

MSN

MSN servers that should be blocked using firewall rules and the DNS forwarder:

  • webmessenger.msn.com
  • messenger.hotmail.com
  • gateway.messenger.hotmail.com

You should also add firewall rules blocking ports 1863, 901 and 6891-6900 to stop MSN Messenger.

Yahoo

Yahoo servers that should be blocked using firewall rules and the DNS forwarder:

  • login.yahoo.com
  • msg.edit.yahoo.com
  • edit.messenger.yahoo.com
  • csa.yahoo.com
  • csb.yahoo.com
  • csc.yahoo.com

Google Talk

General Information

Google Talk servers that should be blocked:

  • talk.google.com (NOTE: this resolves to the same IP address as www.google.com, so it should only be redirected in the DNS forwarder and not blocked by IP address in firewall rules, unless you also want to block Google search.)

You should also add a firewall rule blocking port 5222 to stop Google Talk.
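The following script is an added example, not part of the original pfSense page: it collects the host and port lists above in one place and emits the DNS forwarder overrides (in dnsmasq address= syntax, which the pfSense DNS Forwarder is built on) plus the equivalent LAN rules in pf.conf syntax, including the DNS lockdown from the Details section, so the whole block list can be reviewed before it is entered in the web UI. The interface name, LAN subnet and pfSense LAN address are placeholders; in pfSense the port rules and the DNS lockdown go under Firewall > Rules on the LAN interface and the overrides under Services > DNS Forwarder.

```shell
#!/bin/sh
# Added example: generate the IM block list described on this page.
# Placeholders, override via environment: LAN_IF, LAN_NET, LAN_IP.
LAN_IF="${LAN_IF:-em1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IP="${LAN_IP:-192.168.1.1}"

# Hosts from the page. talk.google.com is DNS-only: it shares an IP with
# www.google.com, so no rule here ever blocks by resolved IP address.
IM_HOSTS="webmessenger.msn.com messenger.hotmail.com gateway.messenger.hotmail.com
login.yahoo.com msg.edit.yahoo.com edit.messenger.yahoo.com
csa.yahoo.com csb.yahoo.com csc.yahoo.com
talk.google.com"
# MSN: 1863, 901, 6891-6900. Google Talk: 5222. pf writes ranges as a:b.
IM_PORTS="1863 901 6891:6900 5222"

# One DNS forwarder override per host, answering 127.0.0.1.
dns_overrides() {
    for h in $IM_HOSTS; do
        printf 'address=/%s/127.0.0.1\n' "$h"
    done
}

# Block the IM ports from the LAN; "return" sends a TCP reset so clients fail fast
# instead of hanging on a silent drop.
im_port_rules() {
    ports=$(printf '%s' "$IM_PORTS" | tr ' ' ',' | sed 's/,/, /g')
    printf 'block return in quick on %s proto tcp from %s to any port { %s }\n' \
        "$LAN_IF" "$LAN_NET" "$ports"
}

# Only pfSense itself may be queried for DNS; any other resolver is blocked,
# otherwise the overrides above are trivially bypassed.
dns_lockdown_rules() {
    printf 'pass in quick on %s proto { tcp udp } from %s to %s port 53\n' \
        "$LAN_IF" "$LAN_NET" "$LAN_IP"
    printf 'block return in quick on %s proto { tcp udp } from %s to any port 53\n' \
        "$LAN_IF" "$LAN_NET"
}

# Print the full set for review.
dns_overrides
im_port_rules
dns_lockdown_rules
```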

Additional Information

From: Google Team <talk-feedback_at_google.com>

Hello,
   Thank you for contacting the Google Talk Team. We understand that it is
   sometimes necessary to disable instant messaging services on a network. If
   you need to disable Google Talk on your network, we suggest blocking DNS
   lookups to talk.google.com, by returning 127.0.0.1.
   If we can be of further assistance, please respond to this message and a
   member of the Google Talk Team will respond to you shortly.
   Sincerely,
   The Google Team