
Blocking Aol Aim?

Discussion in 'Sveasoft Firmware' started by tmushy, Aug 12, 2004.

  1. tmushy

    tmushy Network Guru Member

    Is it possible to block AIM from being used on one computer? I know you can block certain ports, but there is also an option to block services. What service would AIM/MSN Messenger fall under? Please help, thanks!
  2. tmushy

    tmushy Network Guru Member

  3. pkitester

    pkitester Network Guru Member

    I don't think you are going to get the answer you are looking for.

    You can certainly try blocking the ports, but I've found that AIM is pretty viral in nature. What I mean by that is, if you block the standard ports it uses to authenticate on, it will just use others. It has the ability to do its authentication over http and even ftp ports. This makes it near impossible to tell AIM traffic vs. legitimate http/ftp use.

    What it means is the only partial way to prevent the client is to prevent access to those servers that host the AIM servers. This means setting up more complex firewall rules in the router. I.e., for AOL you need to block login.oscar.aol.com, but this resolves to a number of IP addresses.

    Why did I say partial? Even after you've done all that, users on your LAN can still get to AIM. All they have to do is run AIMExpress, which is the web-based AIM client. Again you could try the blocking game; I think this version uses my.screenname.aol.com to do the authentication, and aimexpress.aim.com for the client pages.

    Basically it is a losing battle. You need to go after the root of the problem. I am just guessing, but it is probably your kids. :) So unless you block all internet access, they will manage to get IM to work. It might be AIM, YIM, MSMSGR, ICQ, IRC, or even web chat. It is just not worth trying to soak up a river with a sponge.
  4. Samioul

    Samioul Network Guru Member

    Not so much.
    Actually, there is a layer-7 filtering application included in the Satori stable release which is really useful.
    It is called "Linux layer 7 packet classifier" and allows you to enter layer-7 rules (for blocking / filtering services instead of just ports or addresses) in iptables.
    You can check this URL to learn more about it: http://sourceforge.net/projects/l7-filter/

    There's already a post concerning this application on the Sveasoft forum where you could gather useful information, at this URL:

    I personally use it to block eDonkey traffic and it works like a charm. I just had to add this rule in iptables:
    iptables -I FORWARD -p tcp -m layer7 --l7dir /etc/l7protocols/weakpatterns/ --l7proto edonkey -j DROP

    The AIM protocol pattern has been implemented in this application and it's said to work well (I haven't personally tried), so try it yourself and let us know whether it works or not. You should type this command:
    iptables -I FORWARD -p tcp -m layer7 --l7dir /etc/l7protocols/protocols/ --l7proto aim -j DROP

    You can add as many rules as you want to block / filter P2P, messenger applications, etc., and a lot of other protocols that we can't rely on port number or address to fully identify.

    Hope it will be useful to you!!!
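Building on the two iptables commands in the post above, here is an added example (not from this thread or from the l7-filter project) that puts the layer7 rules in their own chain and logs matches before dropping them, so you can see from syslog what the patterns are actually catching. The pattern directory, the chain name, the log prefix and the rate limit are assumptions; DRY_RUN=1 prints the commands instead of executing them, so the rule set can be reviewed before it touches the router.

```shell
#!/bin/sh
# Layer7 block chain with logging. Assumes the iptables layer7 match
# shown in the post and a pattern directory under /etc/l7protocols
# (both taken from the post); chain name and prefix are assumptions.

L7DIR="${L7DIR:-/etc/l7protocols/protocols/}"
CHAIN="L7BLOCK"

# Execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the chain once and hook it into FORWARD. Keeping the l7 rules in
# a dedicated chain makes them easy to flush, list and recount later.
l7_chain_setup() {
    run iptables -N "$CHAIN"
    run iptables -I FORWARD -j "$CHAIN"
}

# For each protocol name (as found in the pattern directory) emit one
# rate-limited LOG rule, so a chatty client cannot flood syslog, followed
# by the DROP rule. Two rules per protocol.
l7_block() {
    for proto in "$@"; do
        run iptables -A "$CHAIN" -p tcp -m layer7 --l7dir "$L7DIR" \
            --l7proto "$proto" -m limit --limit 6/min \
            -j LOG --log-prefix "l7-$proto: "
        run iptables -A "$CHAIN" -p tcp -m layer7 --l7dir "$L7DIR" \
            --l7proto "$proto" -j DROP
    done
}

# Number of rules l7_block would install for the given protocols.
l7_rule_count() {
    (DRY_RUN=1; l7_block "$@") | wc -l | tr -d ' '
}
```

Run `l7_chain_setup` once, then `l7_block aim msn edonkey` and watch the `l7-aim:` lines in the router's syslog to judge how well each pattern matches before trusting the DROP.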
  5. pkitester

    pkitester Network Guru Member


    I didn't know that was built into the Satori release. But it still has a number of problems.

    It is going to hurt performance, although most people might be able to live with that.

    It is still non-trivial to set up. You need to have defined patterns for all of the filters you want to implement. Luckily, many of the common ones have been defined. But you need to enter commands similar to the ones you have for every program you want to block.

    In the end it will most likely still not stop the web-based versions of the clients. So I stand by my comment that it is a losing battle. Even if you were smart enough to come up with patterns that work 100% of the time for all protocols you want to block, I'd just have to launch my web-based IM client via SSL. Now the patterns pretty much fall apart since they can't see into the traffic.

    So you can play the cat-and-mouse game; it will be a matter of who gets tired first.
