
List:       ipfilter
Subject:    Re: Block Windows Media Player
From:       "Heiko Glessmann" <heiko () spinfish ! com>
Date:       2004-09-15 16:06:07
Message-ID: 20040915165011.M32025 () spinfish ! com

Hello,

One solution is to proxy all outbound traffic, and set up the proxy to filter
based on the criteria that you need.

What you are trying to do is to proxy on the application protocol level and I
think it would be cleaner to try and do that on the proxy level, rather than
trying to get your firewall to understand protocols such as HTTP.

Simplified, a solution could look like this:

 - Set up a machine as your proxy (use something like Apache or Squid).
   (The proxy should be located in a spot where it is accessible from your
   clients and has connectivity to the outside world.)
 - Have all your clients connect through the proxy to get to the outside world.
   (You should be able to use ipfilter to do transparent proxying.)
 - Once that all works, configure your proxy to only let through what you want
   (i.e. filter on HTTP header fields).

One thought on security here: If the proxy is smart enough to tell the
difference between "real HTTP traffic" and junk, you prevent some viruses, etc.
from communicating with the outside world on port 80. I.e. if you get some
trojan virus that tries to connect to some outside server on port 80 but
doesn't talk HTTP, it would get far. (Granted that smarter people that write
such viruses will be aware of that and write them in a way that they do talk
HTTP - but yet, you may catch a few silly people doing weird stuff).

Hope this is useful?! 

------------------------------------------------------------------------
Heiko Glessmann
Beeliner Surveys
http://www.beelinersurveys.com/

Email: heiko@beelinersurveys.com
Phone: 617 576 0082 ext7101

@ Spinfish Web/ROG, Inc.


---------- Original Message -----------
From: "Matthew K. Lee" <mattl@rycan.com>
To: <ipfilter@coombs.anu.edu.au>
Sent: Wed, 15 Sep 2004 10:22:59 -0500
Subject: Block Windows Media Player

> To all,
> 
> Is there a way to block just windows media player traffic across port
> 80?
> 
> I noticed that the checkpoint firewall solutions are picking it up based
> on the user-agent string when windows media player initiates a
> connection.  Is there a simple rule I could add like:
> 
> block out quick on fxp0 proto tcp from any to any
> user-agent="Windows-media-player/"
> 
> OR
> 
> block in quick on fxp0 proto tcp from any to any with user-agent
> Windows-media-player/"
> 
> OR
> 
> block in quick on fxp0 proto tcp from any to any with
> http-header-contains=" Windows-media-player/"
> 
> Thanks,
> 
> Matthew Lee
> mattl@rycan.com
> http://www.rycan.com
------- End of Original Message -------
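As an added illustration of the approach discussed above (not code from the thread, from ipfilter or from Squid), here is a small Python model of the decision an HTTP proxy would make for each connection it receives on port 80: drop anything that is not well-formed HTTP, deny the Windows-Media-Player User-Agent from the original question, and pass everything else. The sample connections are constructed, and the blocked-agent pattern is an assumption taken from the question.

```python
import re

# Constructed sample connections arriving on port 80 at the proxy (not real captures).
SAMPLES = {
    "browser": (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    "wmp": (b"GET /clip.asx HTTP/1.1\r\n"
            b"Host: media.example.com\r\n"
            b"User-Agent: Windows-Media-Player/9.00.00.3250\r\n\r\n"),
    # Binary junk that a program might send on port 80 without speaking HTTP.
    "junk": b"\x05\x01\x00" + b"\xff" * 12,
}

# User-Agent prefixes to reject (assumed, from the question), matched case-insensitively.
BLOCKED_AGENTS = [re.compile(r"^Windows-Media-Player/", re.IGNORECASE)]

REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([A-Za-z0-9!#$%&'*+.^_`|~-]+):\s*(.*?)\s*$")


def parse_request(raw: bytes):
    """Return (method, target, headers) for a well-formed HTTP request head,
    or None when the bytes do not look like HTTP at all."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None                          # no end of headers: treat as junk
    request_line, *header_lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(request_line):
        return None                          # not "METHOD target HTTP/1.x"
    method, target = request_line.split(b" ")[:2]
    headers = {}
    for line in header_lines:
        hm = HEADER_LINE.match(line)
        if not hm:
            return None                      # malformed header line: not HTTP
        headers[hm.group(1).decode("ascii").lower()] = hm.group(2).decode("latin-1")
    return method.decode("ascii"), target.decode("latin-1"), headers


def decide(raw: bytes) -> str:
    """Proxy decision for one connection: 'allow', or 'deny: <reason>'."""
    req = parse_request(raw)
    if req is None:
        return "deny: not HTTP"              # the "junk on port 80" case
    _method, _target, headers = req
    agent = headers.get("user-agent", "")
    if any(p.search(agent) for p in BLOCKED_AGENTS):
        return "deny: user-agent"            # the Windows Media Player case
    return "allow"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8s} -> {decide(raw)}")
```

The browser sample shows the limit Heiko mentions: a client that speaks correct HTTP with an unremarkable User-Agent is passed, so header filtering only catches what announces itself.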
