A simple policy within the company that caused many sleepless nights… One day the CEO said… “We shall not allow chatting”… O boy… 🙁 this is a bother… as much as I enjoy Yahoo!Messenger I have to comply….

To achieve this goal first I blocked all outgoing ports… then I had to hand pick some TCP and UDP ports allowed for default services… After that I had to create rules to and from branch offices connecting over VPN… Then I had SquidGuard, in my case URLFilter, screen the http port to disallow chat…

Looking at the logs… turns out that Yahoo Messenger is capable of communicating through the default services I allowed earlier… like a virus, Yahoo!Messenger scans the network to identify open ports, and it was successful with ports 20, 21, 23, 25 and 443… is this legal?… anyway… I limit access to ports 20-25 to my servers only… but 443… Blocking it means no https… I thought SquidGuard could help me but… turns out that https, or secure http, cannot be proxied transparently…
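An added example, not from the original post, of how to spot this fallback behaviour in the firewall logs: a small Python script over constructed netfilter-style log lines (the kernel-log format IPCop writes) that groups outbound attempts by source/destination pair and reports pairs that touched several different destination ports. The addresses, timestamps and port sequence in the sample are constructed; the threshold `min_ports` is an assumed tuning knob.

```python
"""Flag internal hosts that hop across many egress ports looking for one that is open."""
import re
from collections import defaultdict

# Constructed sample log lines in the netfilter/iptables kernel-log format IPCop uses.
# Addresses and timestamps are made up for this example; they are not from the post.
SAMPLE_LOG = """\
Mar  3 09:12:01 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1041 DPT=80
Mar  3 09:12:02 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1043 DPT=20
Mar  3 09:12:02 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1044 DPT=21
Mar  3 09:12:02 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=23
Mar  3 09:12:03 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1046 DPT=25
Mar  3 09:12:03 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1047 DPT=443
Mar  3 09:12:05 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=198.51.100.9 PROTO=TCP SPT=2201 DPT=443
Mar  3 09:12:06 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=198.51.100.9 PROTO=TCP SPT=2202 DPT=443
"""

# Tolerates the extra LEN/TOS/TTL fields real netfilter lines carry between DST and PROTO.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Yield (src, dst, proto, dport) for every log line that carries those fields."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_port_hoppers(text, min_ports=4):
    """Return {(src, dst): sorted ports} for pairs that tried at least min_ports
    distinct TCP destination ports. A normal client sticks to one or two ports;
    a client walking 20, 21, 23, 25, 443... is probing for an allowed egress path."""
    ports = defaultdict(set)
    for src, dst, proto, dport in parse_lines(text):
        if proto == "TCP":
            ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for (src, dst), plist in find_port_hoppers(SAMPLE_LOG).items():
        print(f"{src} -> {dst} tried {len(plist)} ports: {plist}")
```

Run it against a real IPCop/iptables log instead of `SAMPLE_LOG` to list the internal hosts whose software is working its way through the ports you left open.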

From http://www.shorewall.net/Shorewall_Squid_Usage.html

…instructions for transparent proxying of HTTP. HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?).

The temporary solution is to allow only a few people access to https… and bad users must live without webmail, web banking and online shopping…

Update: since IPCop can access port 443 and the proxy is on 800, someone who manually configures the firewall as their proxy can access https sites…