Block MSN Messenger by router rules (Netgear DG834)

As per subject line..... Am trying to "control" usage at home. Common sense approach with daughter has failed miserably, so I want to be able to restrict it to reasonable periods. I have 2 PCs connected to a Netgear DG834 router. Searching on Google has turned little up. I understand MSN Messenger uses port 1863 outbound, but if this is blocked, it will revert back to port 80. I don't want to block that as that's normal HTTP traffic. I can't see an application blocking within Netgear, so am at a loss. Looking for port 1863 outbound in my traffic logs, I found a "common" IP address... in the range 207.46.xxx.xxx. I did a traceback on this; the ARIN whois came back with an address range of 207.46.0.0 to 207.46.255.255 as valid for MSN. Went back into the admin of my Netgear router and tried to create a rule around the IP address range 207.46.0.0 to 207.46.255.255 (TCP). This didn't work as I got an error message returned saying it was an "invalid finish IP" and then an "illegal IP range". I tried various combinations but none seemed to work. Only thing I could think of was... my access to the Netgear admin menu is via IE. Could this possibly be preventing me from blocking this range somehow?? I tried single IP addresses and still get the same error. I even tried 216.239.59.147 (Google.co.uk) which worked fine, so I know that what I'm doing on the router will work on some addresses.

Help/guidance appreciated please

Mick

Reply to
Mick

I don't have any simple answer to this but have you read through the information here

formatting link
Jason

Reply to
Jason Edwards

Yep been there over the past few days...Experts Exchange require subscription to see the answer....all other search replies give no real solution that I can see. There are a couple of proggies out there, shareware at best.. no freebies. Surely someone has managed to block this on a router. I could put a personal firewall on the machine in question, but was looking for a router solution so as I could remotely administer.

Mick

Reply to
Mick

Scroll down, and down, but it probably doesn't tell you anything you don't already know.

Jason

Reply to
Jason Edwards

"Mick" wrote in message news: snipped-for-privacy@4ax.com...

If you are serious about blocking messenger, you are going to have to dump your hardware appliance, number one. Second, you are going to have to spend $1000+ on more equipment. You will need to have a NAT box, running either ICS, AllegroSurf, or some other NAT proxy. Next, you will need a personal firewall on the NAT box, such as Tiny, that can block by application, plus all the switches and cables to put it all together. For a PC doing NAT, I recommend at LEAST 640 megs of RAM. Also, with a NAT box, you can do a LOT more. You can put a second hard disk in, and use that as a central storage point for all files, that can be accessed from any PC on your network. You can restrict files by user, if you install Windows XP Professional on the NAT box. A PC running NAT can do a LOT more than a hardware appliance. Because Tiny is more flexible than a hardware appliance, it can block things that hardware appliances cannot. Once your NAT box is set up, configure it to restrict all connections through either HTTP or Socks proxy. Then you tell Tiny to not allow the Socks proxy to get out on 80 or 1863 (though I would recommend blocking ports 80, and 1000-5300 to block Kazaa as well). Some people might call my setup a "toy firewall", but I can say it is the ONLY thing that will block MSN Messenger, if you are really serious about blocking it. The real sticking point is port 80, and you cannot block this, without blocking all HTTP as well. That is why my setup, with an ICS box and Tiny, is the only thing that will work. You simply have two different programs for HTTP and Socks proxy, and tell Tiny to block the program handling the Socks proxy not to allow access to the ports that MSN Messenger uses. Also, throw in some filtering software (CyBlock is good, but the $799/year fee would be rather expensive for home use) on the NAT box, and you can block anything else that comes your way, that you don't want her to access.

For a Socks proxy, I recommend AllegroSurf; for an HTTP proxy, CyBlock is a filter and HTTP proxy in one. A word of caution, though: with CyBlock, it opens quite a security hole, and you will need to have Tiny installed and configured to restrict it. CyBlock, if you use it, needs to be restricted to outgoing ports 80 and 443, and incoming traffic needs to be restricted to your local network. I found this out when I checked the logs and discovered someone from China tunnelling through the proxy in CyBlock to go to an SMTP server at Yahoo on port 25. It is because of this security hole that CyBlock must be restricted to using ports 80 and 443 for outgoing traffic.
Reply to
Charles Newman
[snip]

Also, another way to do it is to uninstall Messenger. You can tweak a few files which will make Messenger show in the Add/Remove Programs list, and you can uninstall that way. Information is available at

formatting link
the "Super Tweaks" page.

Reply to
Charles Newman

Personal firewall is the ONLY way to do it. See my other post on the subject, you are going to have to spend a LOT of money, to get what you need to block MSN Messenger, on both hardware and software. And a PFW solution will HAVE to be on a NAT box, on a home LAN.

Reply to
Charles Newman

Like I say, you're going to have to spend a LOT of money if you want to block it. What you need to do is DUMP your hardware appliance and replace it with a PC handling the job using either ICS, AllegroSurf, or one of numerous NAT programs on the market. Take your PFW solution, put it on the ICS box, configure it to ONLY allow access through Socks and HTTP proxies. With AllegroSurf, you can tell your PFW not to allow AllegroSurf to go out on ports 80 and 1863, then you find another program to handle HTTP. With Tiny or Kerio, you can block your Socks proxy from getting to port 80, while allowing your HTTP proxy to get out on port 80 for Web browsing. I am sorry to say that if you want to block Messenger, you have to spend a LOT of money to do it. With the setup I have, MSN Messenger will NOT get out from any of the client machines. Tiny firewall, on a NAT/ICS box, can block things that hardware appliances CANNOT BLOCK. You will need to replace your hardware appliance with:

another PC
a network hub
second NIC card for the NAT/ICS box
all necessary cables

It will cost you a lot of money, but if you are SERIOUS about blocking Messenger, be prepared to do so.

Reply to
Charles Newman

We block 207.46.245.214, 207.46.245.222 and 207.46.104.20 to stop MSN Messenger.

Reply to
Not-My-Real-Name

Thanks for the info. I am using Sygate PFW free on the main machine behind the router, more as a check on any nasties trying to phone home. I thought of adding this to the daughter's PC, but it doesn't offer remote admin access from another PC. Kerio PFW, also free, does have remote access, where I could switch/alter the rule at will. Both these block on a per-application basis, so would fit the bill. I was just hoping I could get a solution via the NAT router. I've now managed to block all access to IP range 207.46.0.1 to 207.46.255.254 and 64.4.0.1 to 64.4.255.254 and still MSN Messenger gets out......

Mick

Reply to
Mick

I just downloaded it on to the PC I'm sitting at. I then installed it and used a login I got some hundred years ago in case I needed one for test purposes. It logged in fine. I then made an adjustment to an internal DNS server and flushed the DNS cache on this PC. When I try logging in again it says this "We could not sign you in to MSN messenger because your Internet Explorer browser cannot connect to the Internet. Please check your browser's ability to connect, and then try signing in to messenger again. 0x81000363" This message is interesting for a few reasons, one of them being I don't use Internet Explorer unless I have to. Another being that Internet Explorer _can_ connect to Google and anywhere else I want to go. It looks to me like a personal firewall is not the only way to do it, but I'm not saying your methods won't work. One possible issue with this method is that it may not kill an existing session.

Jason

Reply to
Jason Edwards

In your case it will first try to connect to msn.co.uk. If that fails it will go for msn.com. Blocking access to msn.co.uk, msn.com and *.passport.com clobbers it completely as far as I can tell.

Jason

Reply to
Jason Edwards
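Jason's approach above blocks by name at the internal DNS rather than by address at the router. The following is an added example, not code from the thread or from any of the products it mentions: a blocklist matcher for the three names he lists, plus a scanner over resolver query-log lines that reports which LAN clients asked for a blocked name, which is the detection side of the same control. Two assumptions are mine: a bare entry such as msn.com covers the domain and all its subdomains, while a "*." entry covers subdomains only; and the log lines are a constructed, dnsmasq-style sample, not real traffic.

```python
import re
from collections import defaultdict

# The names Jason reports blocking. A bare name is treated here as the domain
# plus all of its subdomains; a "*." entry matches subdomains only. Those are
# this example's assumptions, not something the post spells out.
BLOCKED_NAMES = ["msn.co.uk", "msn.com", "*.passport.com"]

# Constructed sample of resolver query log lines (dnsmasq-style wording,
# made up for this example; not real traffic).
SAMPLE_LOG = """\
query[A] www.google.co.uk from 192.168.0.10
query[A] login.passport.com from 192.168.0.12
query[A] gateway.messenger.msn.com from 192.168.0.12
query[A] msn.co.uk from 192.168.0.10
query[A] passport.com from 192.168.0.10
query[A] messenger.hotmail.com from 192.168.0.12
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def name_is_blocked(name, patterns=BLOCKED_NAMES):
    """Match a queried name against the blocklist on label boundaries, so
    that 'notmsn.com' is not caught by the 'msn.com' entry."""
    name = name.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if name.endswith(pattern[1:]):      # "*.passport.com" -> ".passport.com"
                return True
        elif name == pattern or name.endswith("." + pattern):
            return True
    return False


def blocked_lookups(log_text, patterns=BLOCKED_NAMES):
    """Scan resolver log lines and return {client: sorted blocked names}.
    A hit means a client tried to resolve a blocked name. Note that a DNS
    block only stops new lookups; as Jason says, it may not kill a session
    that is already connected, so the log is where you see the attempts."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, client = m.groups()
        if name_is_blocked(qname, patterns):
            hits[client].add(qname.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in blocked_lookups(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

Run against the constructed sample, the scanner reports two blocked lookups from 192.168.0.12 and one from 192.168.0.10; the bare passport.com query is not flagged, which is exactly the wildcard-only semantics chosen for that entry, so pick the form that matches what you intend to block.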

I would try m0n0Wall

formatting link
on an old PC lying around.

2 NICs and you're in business!

Don't be afraid of it, it is MUCH more powerful than your router, but has configuration requirements (knowledge) only slightly above what the router would require. Not to mention it is FREE! It has a WONDERFUL web based GUI for management!

Block the following and you should be good to go:

TCP/UDP msn * 216.178.160.34/24 * 216.178.160.34
TCP/UDP msn * 213.249.102.94/24 * 213.249.102.94
TCP/UDP msn * 213.199.154.54/24 * 213.199.154.54
TCP/UDP msn * 213.199.154.11/24 * 213.199.154.11
TCP/UDP msn * 207.68.178.239/24 * 207.68.178.239
TCP/UDP msn * 207.46.110.254/24 * 207.46.110.254
TCP/UDP msn * 207.46.110.48/24 * 207.46.110.48
TCP/UDP msn * 207.46.107.33/24 * 207.46.107.33
TCP/UDP msn * 207.46.106.28/24 * 207.46.106.28
TCP/UDP msn * 195.33.103.52/24 * 195.33.103.52
TCP/UDP msn * 194.130.106.132/24 * 194.130.106.132

Hope this helps!

Smooter

Reply to
smooter
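Two address-based blocks appear in this thread: Mick's start-finish ranges on the DG834 (207.46.0.1-207.46.255.254 and 64.4.0.1-64.4.255.254, after the router refused the .0 and .255 endpoints) and smooter's m0n0Wall list above. The following is an added example, not code from the thread or from either product, that checks the two against each other with Python's standard ipaddress module. It converts a start-finish range into the CIDR prefixes a firewall would actually install, flags smooter's entries whose /24 has host bits set (an ambiguous form: some firewalls take the whole /24, others just the host), and lists which of his endpoint addresses fall outside Mick's ranges. The data lists are transcribed from the two posts; nothing else on the network is assumed.

```python
import ipaddress

# Transcribed from Mick's post: the start-finish ranges he says he blocked
# (the .1-.254 form, after the router rejected .0 and .255 endpoints).
MICK_BLOCK_RANGES = [
    ("207.46.0.1", "207.46.255.254"),
    ("64.4.0.1", "64.4.255.254"),
]

# Transcribed from smooter's rule list: the address/prefix column as written.
SMOOTER_RULES = [
    "216.178.160.34/24", "213.249.102.94/24", "213.199.154.54/24",
    "213.199.154.11/24", "207.68.178.239/24", "207.46.110.254/24",
    "207.46.110.48/24", "207.46.107.33/24", "207.46.106.28/24",
    "195.33.103.52/24", "194.130.106.132/24",
]


def range_to_cidrs(start, finish):
    """Express a start-finish address range as the minimal list of CIDR
    networks. 207.46.0.0-207.46.255.255 is a single /16; trimming the
    endpoints to .1-.254 turns it into a long list of prefixes, so the
    range form and the prefix form of "the same" block are not identical."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(finish)))


def normalize_prefix(text):
    """Parse 'a.b.c.d/24'. With host bits set the entry is ambiguous: some
    firewalls treat it as the whole a.b.c.0/24, others as the single host.
    Returns (network, host, host_bits_set) so the rule author can decide."""
    host = ipaddress.ip_address(text.split("/", 1)[0])
    net = ipaddress.ip_network(text, strict=False)
    return net, str(host), net.network_address != host


def uncovered_hosts(ranges, hosts):
    """Return the endpoint addresses that fall outside every blocked range.
    Anything listed here is still reachable, so a client that falls back to
    other servers (as the thread describes for Messenger) is not cut off."""
    nets = [n for start, finish in ranges for n in range_to_cidrs(start, finish)]
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in nets)]


if __name__ == "__main__":
    for rule in SMOOTER_RULES:
        net, host, ambiguous = normalize_prefix(rule)
        if ambiguous:
            print(f"{rule}: host bits set; whole {net} or just {host}?")
    hosts = [normalize_prefix(r)[1] for r in SMOOTER_RULES]
    for h in uncovered_hosts(MICK_BLOCK_RANGES, hosts):
        print("not covered by the router ranges:", h)
```

On these inputs, seven of smooter's eleven endpoints lie outside both of Mick's ranges (everything not in 207.46.x.x or 64.4.x.x), which is consistent with his report that Messenger still got out after those two ranges were blocked. The same check is worth running whenever an address-based block is the only control, because the list of endpoints is the moving part.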

Smoothwall with Guardian should be able to block it, may have to tweak the Snort rules a bit

formatting link

John

Reply to
John Mason Jr

However, port 80 is the problem here. You cannot block port 80 without blocking all Web access. The makers of the Messenger services, along with P2P companies, know this, and they designed their software to make most attempts to block it fail. My so-called "toy firewall" can block things that hardware appliances cannot block. Call it a toy if you like, but my setup can block MSN, Yahoo, and AOL messenger services, plus the P2P services, which hardware appliances cannot do. If more people adopted the type of system I have, it would put companies like Netgear, Cisco and other makers of hardware appliances out of business.

Reply to
Charles Newman

Anything Snort can see, Guardian can block, and the blocks age off automatically. If there was a Snort rule for the traffic, a block on the remote IP would be placed in the firewall rules.

John

Reply to
John Mason Jr

Charles, you are sounding exactly like the fool with the all powerful (and fake) figure skating service.

Just because you don't know how to configure a piece of hardware doesn't mean no one else in the world can't do the job using a tenth of their brain. You are also totally clueless about how firewalls work, mainly because you have never been able to learn anything about how the Internet actually works. You really should take a class or two - or even just buy a book on the subject - Stevens' 'TCP/IP Illustrated Volume 1' (Addison Wesley, ISBN 0-201-63346-9) would be a good start. Notice that you should NOT try to read Zwicky's "Building Internet Firewalls" until you get the basic network concepts into your head.

This also proves you know nothing about networks. You have ZERO knowledge of their product lines, and you probably haven't even heard who their primary competitors are.

Old guy

Reply to
Moe Trin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.