QuintusSmit

Block skype with squid

Hi

I know this question has been asked a lot and I did look at the others and googled it. Most of the answers are a few years old but they basically say the same thing. The one with the most details was this one and I followed it.

http://www.riccardoriva.com/archives/275

The sample config for squid from that site:
# Declare an ACL to catch ALL
acl all src 0.0.0.0/0.0.0.0
# Define an ACL to define my local network
acl mynetworks src 192.168.1.0/24
# Define an ACL to have some IPs that can connect to SKYPE
acl skype_users src 192.168.1.100-192.168.1.200
# Define a CONNECT acl for the CONNECT method
acl CONNECT method CONNECT

# Define an ACL for the URLs composed only of numbers, not FQDN
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

# Define an ACL for the HTTPS URLs listed in the file (regex, case-insensitive)
acl https_url_allowed url_regex -i "/etc/squid/https_url_allowed"

# Allow SKYPE access for the group "skype_users"
http_access allow CONNECT skype_url skype_users

# Allow https access for IP Addresses defined in "/etc/squid/https_url_allowed"
http_access allow CONNECT https_url_allowed

# Deny Access to SKYPE and all other
http_access deny CONNECT skype_url

# Allow Internet access to all "mynetworks"
http_access allow mynetworks

# And finally deny all other access from this proxy
http_access deny all




I need to explain something before I show my config. I use squish to cap users individually. There is a perl script that runs and counts bytes. If above a specified threshold the username is written to a file called squish. Squid is configured to deny connect for all users in the squish file.


My config:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl SQUISHLOC dst $hostname
# webconfig: acl_start
acl webconfig_lan src 192.168.100.0/24  
acl webconfig_to_lan dst 192.168.100.0/24  
# webconfig: acl_end
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 81 83 10000
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 81 82 83 10000    # Web-based administration tools
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl https_url_allowed url_regex -i "/etc/squid/url_whitelist"
acl mynetworks src 192.168.100.0/24
acl CONNECT method CONNECT


# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

http_access allow CONNECT https_url_allowed
http_access deny CONNECT skype_url
http_access allow mynetworks

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports


deny_info http://localhost/squish/?squished& SQUISHED1
http_access allow SQUISHLOC
http_access deny SQUISHED1

# And finally deny all other access to this proxy
http_access allow localhost password
http_access allow webconfig_to_lan
http_access allow webconfig_lan password
http_access deny all




Am I doing something wrong here or is skype becoming more clever? Is it possible at all to block skype with a proxy?

thanx
Phiwi Moyo

Blocking Skype is based on SSL connection verification, and since Skype uses port 443 but has no SSL handshake, the connection is blocked when the option enforce-https-official-certificate is set ON.

Note that Squid already makes port 80 unusable for Skype, and your firewall must block direct connections to other Skype nodes.
arnold
http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Your skype_url only consists of IP addresses.
You should add *.skype.com

Note that skype can be configured to use HTTPS.
Do not install the application in the first place.
Limit the rights of the users such that they cannot install it.

The other option is to monitor and identify the IPs associated with skype and then block access to them on the firewall. But you would have to check periodically in the event new IPs are added.
I guess *.skype.com would be enough on the squid side; I have done the same for youtube. :)
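To make the rule-ordering point concrete, here is an added Python model (not code from this thread or from Squid) of Squid's first-match http_access evaluation, run over the Skype-related lines of the asker's config and over the same lines with a dstdomain ACL standing in for arnold's *.skype.com suggestion. The ACL names come from the thread; the "skype_domains" ACL and the sample requests are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ACL table using the thread's names; "skype_domains" is an assumed dstdomain
# ACL standing in for arnold's "*.skype.com" suggestion.
ACLS = {
    "mynetworks": ("src", "192.168.100.0/24"),
    "CONNECT": ("method", "CONNECT"),
    "skype_url": ("url_regex", r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"),
    "skype_domains": ("dstdomain", ".skype.com"),
    "all": ("src", "0.0.0.0/0"),
}

def request_host(req):
    # For CONNECT, Squid's URL is the bare "host:port" authority; for other
    # methods it is a full URL, so the host sits behind "http://".
    if req["method"] == "CONNECT":
        return req["url"].rsplit(":", 1)[0]
    return urlsplit(req["url"]).hostname

def acl_matches(name, req):
    kind, arg = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(req["src"]) in ipaddress.ip_network(arg)
    if kind == "method":
        return req["method"] == arg
    if kind == "url_regex":
        return re.search(arg, req["url"]) is not None
    if kind == "dstdomain":  # leading dot matches the domain and subdomains
        host = request_host(req)
        return host == arg.lstrip(".") or host.endswith(arg)
    raise ValueError(kind)

def http_access(rules, req):
    # First line whose ACLs all match wins; with no match, Squid applies the
    # opposite of the last line's action.
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The Skype-relevant lines from the asker's config, in the order they appear.
ASKER_RULES = [
    ("deny", ["CONNECT", "skype_url"]),
    ("allow", ["mynetworks"]),
    ("deny", ["all"]),
]
# Same rules with the domain-based deny inserted ahead of the LAN allow.
WITH_DOMAIN_DENY = [("deny", ["skype_domains"])] + ASKER_RULES
```

Running a LAN client's requests through the two rule sets shows that the IP regex only ever bites CONNECT requests (a plain GET to http://1.2.3.4/ reaches the mynetworks allow), and that a CONNECT to a skype.com host passes the asker's rules but not the set with the domain deny.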
QuintusSmit

ASKER

Let me try that then

@ Arnold - it is a college and students and part time lecturers bring their own laptops so I have no control over what is installed. We give them an internet usage allowance hence the individual caps. Because we have three campuses in three cities we use skype extensively and it has never been a problem but now students have noticed that skype is not blocked when they are capped and come to campus just to make video calls to their overseas friends which is eating our bandwidth.
Do you block outgoing port 80/443 from all with the exception of the proxy servers?
Unless you block any and all traffic that you do not want on the firewall, there are ways to bypass the proxy, i.e. outgoing VPN connections. One could find an external proxy through which they would be able to access skype.

What happens if a person connects their laptop to your network without configuring their browser for the proxy? Are they able to access any external website?

Hi. If they don't configure the proxy they can't access any websites. A page pops up asking them to configure the proxy settings first. We use ClearOS for our servers.
Are you limiting the outgoing ports on your firewall outside that range?
i.e. are 80, 443, 25, 20/21 configured to go through the proxy?
What happens if a user goes to http://www.somesitesomewhere.com:8080? Will it be blocked by your firewall with the same message directing the user to configure their proxy?
Are your instructions to the users to set up the proxy for all protocols?

What about VPN? Check the squid access log to see which URLs are being accessed for skype and set up the skype url ACL accordingly to restrict access to it.
@arnold

Thanx - I will check all of that tomorrow when I am back at the office and report back.
Arnold

I checked and all traffic goes through the proxy. If you don't specify "use for all protocols" in the proxy setup, no https websites are accessible.

I just thought of something. Since users have to log in with username and password to access the internet, would it be possible for squid to block all unauthenticated traffic regardless of protocol? Surely that will block skype traffic and everything else that does not use a password to connect?
ASKER CERTIFIED SOLUTION
arnold

Hi

The question is not abandoned - I am extremely busy and will get back to this issue as soon as things quiet down. Thank you for the help so far.
So I finally managed to play around again and I think I found a working solution.

I changed the firewall to block all outgoing except what I specify. Basically only mail, internet and ipsec traffic is allowed out. Skype is then forced to use port 80.

Our squid proxy is set to use authentication. I then installed Squish (http://www.ledge.co.za/software/squint/squish/). This allows me to set a monthly/weekly/daily/time cap for individual users. They have to authenticate to use skype so if that is what they want to spend their cap on it is their choice.

Once capped skype will not connect.