Saturday, October 15, 2005
Can you block Skype with an RBL?
A random thought I had earlier this evening ... Is it possible to block Skype using a realtime block list?
There are some assumptions that need to be stated before I can explore this.
I assume you run a default to deny firewall. I assume that firewall blocks
most things, including direct access to port 80 and 443. I assume you run
some sort of mandatory caching proxy server. This is the way things work at
Rhodes, which is what started me down this road.
In this environment, just about the only way a Skype client will work is to connect to a supernode, and about the only way to do this is via the proxy server. Skype supports this and makes HTTP CONNECTs out through the proxy. Now in Squid, you can get the requested domain/IP address and use this information in an access control list before the HTTP request is passed on to the client. This is probably true of other cache software.
This is where the realtime block list idea comes into play. It rests on another set of assumptions — that most Skype connections are made to end users, that end users typically use dial-up, DSL, cable, or some other dynamic IP environment, and that these environments typically don't host legitimate HTTPS services that you'd want to connect to.
Enter the MAPS dial-up users list (and the equivalents from SORBS, NJABL, etc). These contain lists of dynamic and/or dial-up IP ranges. Thinking about it, NJABL might be better because it isn't just dial-up.
So my idea is to get Squid to check the IP addresses in HTTP CONNECTs
against a dynamic IP range RBL. I'm not sure how to do this yet, but I
suspect that it'd conveniently block off a lot of Skype (and probably other
peer-to-peer) clients but probably wouldn't really inconvenience
"legitimate" HTTPS connections.
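As an added worked example (not the post's own code), here is one way the Squid check sketched above could be wired up: an external ACL helper that turns each CONNECT destination into a DNSBL lookup and answers OK when the address is listed, so that a deny rule on CONNECT can use it. The squid.conf directives in the docstring and the DNSBL zone name are assumptions; the resolver is a parameter so the logic can be exercised offline.

```python
"""Squid external ACL helper: flag CONNECT destinations listed in a dynamic-IP DNSBL.
Assumed squid.conf wiring (directive names are assumptions, not from the post):
    external_acl_type dynip %DST /usr/local/bin/dynip_helper.py
    acl dynip external dynip
    acl CONNECT method CONNECT
    http_access deny CONNECT dynip
Squid feeds one destination per line on stdin; "OK" means the ACL matches.
"""
import ipaddress
import socket
import sys

# Hypothetical zone standing in for the MAPS DUL / SORBS / NJABL dynamic-IP lists.
DNSBL_ZONE = "dul.example.invalid"

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBLs are queried by reversed octets: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname):
    """Listed if the zone answers with an A record (conventionally 127.0.0.x)."""
    try:
        return resolve(dnsbl_query_name(ip)).startswith("127.")
    except (OSError, ValueError):  # NXDOMAIN, timeout, or not an IPv4 literal
        return False

def decide(dst, resolve=socket.gethostbyname):
    """Squid verdict for one %DST value: "OK" if listed, otherwise "ERR"."""
    try:
        ipaddress.IPv4Address(dst)  # CONNECT to an IP literal, the Skype case
        ip = dst
    except ValueError:              # a hostname: resolve it first
        try:
            ip = resolve(dst)
        except OSError:
            return "ERR"            # fail open: unresolvable means no match
    return "OK" if is_listed(ip, resolve) else "ERR"

def main():
    for line in sys.stdin:
        fields = line.split()
        sys.stdout.write(decide(fields[0] if fields else "") + "\n")
        sys.stdout.flush()          # Squid blocks until each answer arrives

if __name__ == "__main__":
    main()
```

Because the helper fails open, a DNSBL outage lets CONNECTs through rather than breaking all HTTPS, which matches the post's aim of inconveniencing Skype rather than legitimate users.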
(Rhodes users shouldn't panic. This is a hypothetical "would it work" type
idea, not a plan ;-)
posted by guy at: 22:01 SAST |
path: /systems |
