Blocking AIM, ICQ and Yahoo! Messenger

Or, New Ways To Annoy your Users

Computers are a waste of time.

Okay, at least for my users they're a waste of time. It seems sometimes all they do is browse the web and download corny screen savers that send their email address and shoe size to every spammer in APNIC.

Worse, they chat all day on AIM. It's like gabbing with your friends all day, 'cept it looks like you're working.

So my boss comes to me one day and asks me to block ICQ. I'm sneaky, though, and I know my boss uses AIM, and it ain't fair to target certain users. So I go to the firewall and lock down UDP port 4000 (old ICQ) and TCP port 5190 (new ICQ and AIM).

Problem is, I notice a bunch of odd connections on odd ports going through the firewall. (It's not often a finger connection stays open for hours.) Turns out, if AIM can't connect on port 5190, it tries a bunch of other ports to get through: the ports a firewall is likely to leave open, like ftp, http, nntp and so on.

Rat bastards.

So, I blocked the whole damned AOL netblock. That'll show 'em. Until the boss emails me complaining that he can't browse AOL's web site.

Damn. Now what do I do?

Ah, got it. I'm already running Squid on the firewall as a transparent proxy: an ipnat rdr rule sends outbound http requests through Squid in forward-only mode, so I can log all the porn sites. So I can deny the whole netblock but still let port 80 through, and Squid will refuse anything on that port that isn't http.

See here:

#######################
# Block ICQ/AIM traffic. A proto is given on every rule with a port
# comparison, since ipf only matches ports for tcp and udp.
# Old ICQ logs in over UDP 4000; new ICQ and AIM use TCP 5190.
block out log quick proto udp from any to any port = 4000
block in  log quick proto udp from any to any port = 4000
block out log quick proto tcp from any to any port = 5190
block in  log quick proto tcp from any to any port = 5190

# It appears that AIM will use 13, 23, 80, 113, etc.
# But let the DNS server see AOL's DNS first. This rule has to come
# before the netblock rules below: every rule is "quick", so the
# first match wins.
pass  out     quick proto tcp/udp from <Internal DNS>/32 to 205.188.0.0/16 port = 53

# Try to send web through squid, but block AIM: only port 80 gets out
# to these netblocks, and Squid refuses anything on 80 that isn't http
block out log quick proto tcp/udp from any to 64.12.0.0/16 port != 80
block out log quick proto tcp/udp from any to 205.188.0.0/16 port != 80
#######################
Works pretty well. Note that https never gets through: only port 80 is allowed out to those netblocks, so anything on 443 is blocked and logged along with the rest. I let the internal DNS server talk to AOL's DNS so my logs have human-readable names for the AOL servers. Yay, no more AIM.

Yahoo! Messenger I'm still working on. I have a similar ruleset:

#######################
# Block Yahoo Pager too (TCP 5050)
# Let web traffic through on 80, Squid should stop non-http traffic
block out log quick proto tcp from any to any port = 5050
block in  log quick proto tcp from any to any port = 5050
block out log quick proto tcp/udp from any to 216.136.128.0/17 port != 80
#######################
This ain't perfect, though. Apparently Yahoo! Messenger is able to fall back to plain http to talk to its servers, and since port 80 is the one hole left open to that netblock, it walks right through the firewall and Squid. Well, nuts. Hey, at least it shows up in the Squid logs.
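To see what the two rulesets above actually decide, here is a small first-match model of them in Python. It is an added example, not code from this page: it transcribes the AIM/ICQ and Yahoo! rules in the order they appear, treats every rule as "quick" (first match wins) the way the page's rules are written, ignores the protocol, assumes a default-pass policy for packets that match nothing, uses 192.168.1.2 as a stand-in for the <Internal DNS> placeholder, and feeds in constructed flows whose AOL and Yahoo! addresses are simply members of the listed netblocks, not real servers. Running it shows the behaviour described above: 5190 and 5050 are blocked, AIM's fallback ports to the AOL netblocks are blocked, https to those netblocks is blocked, only the DNS server reaches AOL's DNS, and anything on port 80, including Yahoo! Messenger's http fallback, passes.

```python
"""First-match model of the page's ipf rules (added example, not the page's code).

Every rule on the page is 'quick', so the first rule that matches a flow
decides it; flows matching nothing fall through to the firewall default,
assumed here to be pass. Protocol is ignored: every flow is treated as a
TCP/UDP flow with a destination port, which is enough to show which IM and
web traffic the two rulesets let out.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_DNS = "192.168.1.2"   # assumed address for the page's <Internal DNS> placeholder


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" or "out", relative to the firewall
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_op: Optional[str] = None    # "=" or "!=" (None: any port)
    port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.direction != flow.direction:
            return False
        if ipaddress.ip_address(flow.src) not in self.src:
            return False
        if ipaddress.ip_address(flow.dst) not in self.dst:
            return False
        if self.port_op == "=":
            return flow.dport == self.port
        if self.port_op == "!=":
            return flow.dport != self.port
        return True


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# The page's two rulesets in order: AIM/ICQ first, then Yahoo!.
RULES = [
    Rule("block", "out", ANY, ANY, "=", 5190),                              # AIM / new ICQ
    Rule("block", "in",  ANY, ANY, "=", 5190),
    Rule("pass",  "out", net(INTERNAL_DNS + "/32"), net("205.188.0.0/16"), "=", 53),
    Rule("block", "out", ANY, net("64.12.0.0/16"),   "!=", 80),             # AOL: web only
    Rule("block", "out", ANY, net("205.188.0.0/16"), "!=", 80),
    Rule("block", "out", ANY, ANY, "=", 5050),                              # Yahoo Pager
    Rule("block", "in",  ANY, ANY, "=", 5050),
    Rule("block", "out", ANY, net("216.136.128.0/17"), "!=", 80),           # Yahoo: web only
]


def evaluate(flow: Flow, rules=RULES):
    """Return (action, index of the deciding rule); index is None for the default."""
    for i, rule in enumerate(rules):
        if rule.matches(flow):
            return rule.action, i
    return "pass", None


# Constructed flows. 192.168.1.1 stands for the firewall itself, which is
# where transparently proxied web requests leave from once Squid has them.
SAMPLE_FLOWS = {
    "aim login 5190":            Flow("out", "192.168.1.50", "64.12.24.1", 5190),
    "aim fallback on 113":       Flow("out", "192.168.1.50", "64.12.24.1", 113),
    "aol web via squid":         Flow("out", "192.168.1.1",  "205.188.1.1", 80),
    "aol https":                 Flow("out", "192.168.1.50", "205.188.1.1", 443),
    "dns from dns server":       Flow("out", INTERNAL_DNS,   "205.188.1.1", 53),
    "dns from a client":         Flow("out", "192.168.1.50", "205.188.1.1", 53),
    "yahoo pager 5050":          Flow("out", "192.168.1.50", "216.136.200.1", 5050),
    "yahoo messenger over http": Flow("out", "192.168.1.1",  "216.136.200.1", 80),
}


def decisions(flows=SAMPLE_FLOWS):
    """Map each named flow to the action the ruleset takes on it."""
    return {name: evaluate(flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        action, idx = evaluate(flow)
        where = "default" if idx is None else f"rule {idx}"
        print(f"{name:28s} -> {action:5s} ({where})")
```

The two "pass" results are the ones to notice: web via Squid is what the rules are meant to allow, and the Yahoo! http fallback rides through the same hole, which is why the firewall alone cannot tell them apart.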