A simple company policy cost me many sleepless nights. One day the CEO said, "We shall not allow chatting." Oh boy, this is a bother. As much as I enjoy Yahoo!Messenger, I have to comply.

To achieve this I first blocked all outgoing ports. Then I hand-picked the TCP and UDP ports to allow for the default services. After that I had to create rules for traffic to and from the branch offices that connect over VPN. Finally I had SquidGuard (URLFilter, in my case) screen the HTTP port to block chat sites.

Looking at the logs, it turns out that Yahoo!Messenger can communicate through the default services I allowed earlier. Like a virus, Yahoo!Messenger scans the network for open ports, and it succeeded on ports 20, 21, 23, 25 and 443. Is this legal? Anyway, I limited ports 20-25 to my servers only. But 443? Blocking it means no HTTPS. I thought SquidGuard could help me here, but it turns out that HTTPS (secure HTTP) cannot be proxied transparently.

From http://www.shorewall.net/Shorewall_Squid_Usage.html

"...instructions for transparent proxying of HTTP. HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?)."

The temporary solution is to allow HTTPS access to only a few people; the rest must live without webmail, web banking and online shopping.

Update: since IPCop itself can reach port 443 and the proxy listens on port 800, anyone who manually configures the firewall as their browser's proxy can still reach HTTPS sites.
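The three checks above (whether the egress policy holds, whether a client is probing outbound ports the way the messenger did, and whether clients are talking to the proxy port directly rather than through the transparent redirect) can all be run over the firewall's own log. The script below is an added example, not code from the post or from IPCop/Shorewall. It assumes netfilter-style kernel log lines (SRC=, DST=, PROTO=, DPT= fields) with a constructed log prefix (DROP_OUT, ACCEPT_OUT, ACCEPT_IN); the addresses, the firewall IP 192.168.1.1, the server list and the sample lines are all constructed for the example. The policy values (ports 20-25 restricted to servers, proxy on port 800) follow the post.

```python
import re
from collections import defaultdict

# Egress policy as described in the post; addresses are constructed placeholders.
POLICY = {
    "server_only_ports": (20, 25),        # only the mail/ftp servers may use these
    "servers": {"192.168.1.10"},          # constructed: hosts allowed on 20-25
    "firewall_ip": "192.168.1.1",         # constructed: IPCop's internal address
    "proxy_port": 800,                    # proxy port from the post
}

# Constructed sample log, modelled on netfilter LOG output. Not real traffic.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: DROP_OUT IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1034 DPT=5050 WINDOW=65535
Mar  3 10:01:02 fw kernel: DROP_OUT IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1035 DPT=5101 WINDOW=65535
Mar  3 10:01:03 fw kernel: DROP_OUT IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1036 DPT=8080 WINDOW=65535
Mar  3 10:01:03 fw kernel: DROP_OUT IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1037 DPT=110 WINDOW=65535
Mar  3 10:01:03 fw kernel: DROP_OUT IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1038 DPT=139 WINDOW=65535
Mar  3 10:01:04 fw kernel: ACCEPT_OUT IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1039 DPT=443 WINDOW=65535
Mar  3 10:01:04 fw kernel: ACCEPT_OUT IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1040 DPT=25 WINDOW=65535
Mar  3 10:02:10 fw kernel: ACCEPT_OUT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40001 DPT=25 WINDOW=65535
Mar  3 10:03:00 fw kernel: ACCEPT_IN IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.1 LEN=48 PROTO=TCP SPT=2000 DPT=800 WINDOW=65535
Mar  3 10:03:05 fw kernel: ACCEPT_OUT IN=eth0 OUT=eth1 SRC=192.168.1.70 DST=203.0.113.9 LEN=48 PROTO=TCP SPT=2100 DPT=80 WINDOW=65535
Mar  3 10:03:06 fw kernel: DROP_OUT IN=eth0 OUT=eth1 SRC=192.168.1.70 DST=203.0.113.9 LEN=76 PROTO=ICMP TYPE=8 CODE=0
"""

ACTION_RE = re.compile(r"kernel:\s+(\S+)\s+IN=")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return the fields we care about from one netfilter log line, or None."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return {
        "action": m.group(1),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,  # ICMP has no port
    }


def analyze(log_text, policy=POLICY, scan_threshold=5):
    """Evaluate accepted and dropped flows against the egress policy.

    scanners: hosts dropped on at least scan_threshold distinct destination ports
    server_port_violations: accepted flows on 20-25 from hosts that are not servers
    direct_proxy_clients: hosts connecting straight to the firewall's proxy port
    """
    blocked_ports = defaultdict(set)
    findings = {"scanners": {}, "server_port_violations": [], "direct_proxy_clients": set()}
    lo, hi = policy["server_only_ports"]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] is None:
            continue
        src, dst, dpt = rec["src"], rec["dst"], rec["dpt"]
        if rec["action"].startswith("DROP"):
            blocked_ports[src].add(dpt)
            continue
        # Accepted flow: was it accepted under the rules the post describes?
        if lo <= dpt <= hi and src not in policy["servers"]:
            findings["server_port_violations"].append((src, dst, dpt))
        if dst == policy["firewall_ip"] and dpt == policy["proxy_port"]:
            findings["direct_proxy_clients"].add(src)
    for src, ports in blocked_ports.items():
        if len(ports) >= scan_threshold:
            findings["scanners"][src] = sorted(ports)
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script flags 192.168.1.50 as probing five blocked ports and reaching port 25 although it is not a server, and 192.168.1.60 as pointing its browser straight at the firewall's proxy port. On a real IPCop box you would feed it the firewall log instead of SAMPLE_LOG and adjust the prefixes to whatever your LOG rules use.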