A simple policy within the company that caused many sleepless nights. One day the CEO said: "We shall not allow chatting." Oh boy. 🙁 This is a bother. As much as I enjoy Yahoo! Messenger, I have to comply.
To achieve this goal, I first blocked all outgoing ports. Then I had to hand-pick some TCP and UDP ports to allow for the default services. After that I had to create rules to and from the branch offices connecting over VPN. Finally I had SquidGuard (in my case URLFilter) screen the HTTP port to disallow chat.
Looking at the logs, it turns out that Yahoo! Messenger is capable of communicating through the default services I allowed earlier. Like a virus, Yahoo! Messenger probes the network to identify open ports, and it was successful with ports 20, 21, 23, 25 and 443. Is this legal? Anyway, I limited access to ports 20-25 to my servers only. But 443? Blocking it means no HTTPS. I thought SquidGuard could help me, but it turns out that HTTPS (secure HTTP) cannot be proxied transparently.
Quoting the proxy documentation: "...instructions for transparent proxying of HTTP. HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?)."
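The log review above is the part worth automating: a client that walks through 20, 21, 23, 25, 80 and 443 on the same destination within seconds looks nothing like a browser or mail client, and the ACCEPT lines show exactly which allowed services the chat client is riding on. The script below is an added example, not code from the original post or from IPCop; it parses constructed netfilter-style log lines (the format, addresses and timestamps are made up, and the chain name OUTGOING is an assumption) and reports any source/destination pair that touched at least four distinct destination ports inside a 60-second window, split into accepted and dropped ports.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified netfilter-style format (the kind of
# lines IPCop's kernel firewall logging produces). All values are made up; the
# first line is an attempt on a port the egress policy does not allow, the rest
# show the fallback onto the allowed service ports described in the post.
SAMPLE_LOG = """\
Mar  3 09:12:01 fw kernel: OUTGOING DROP IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3301 DPT=5050
Mar  3 09:12:01 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3302 DPT=80
Mar  3 09:12:03 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3303 DPT=20
Mar  3 09:12:03 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3304 DPT=21
Mar  3 09:12:04 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3305 DPT=23
Mar  3 09:12:04 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3306 DPT=25
Mar  3 09:12:05 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3307 DPT=443
Mar  3 09:15:20 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.52 DST=198.51.100.7 PROTO=TCP SPT=4410 DPT=80
Mar  3 09:15:21 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.52 DST=198.51.100.7 PROTO=TCP SPT=4411 DPT=443
Mar  3 11:40:00 fw kernel: OUTGOING ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.10 PROTO=TCP SPT=3900 DPT=25
"""

# Syslog timestamp, chain name, verdict, then the netfilter key=value fields we need.
LOG_RE = re.compile(
    r"(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ kernel: (\S+) (ACCEPT|DROP) "
    r".*?SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)"
)


def parse_line(line):
    """Return one event dict for a firewall log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    mon, day, hms, chain, verdict, src, dst, proto, dpt = m.groups()
    # Syslog lines carry no year; all lines are assumed to be from the same year,
    # which is enough for computing the time distance between events.
    ts = datetime.strptime(f"{mon} {day} {hms}", "%b %d %H:%M:%S")
    return {"ts": ts, "chain": chain, "verdict": verdict, "src": src,
            "dst": dst, "proto": proto, "dpt": int(dpt)}


def find_port_fallback(log_text, min_ports=4, window_seconds=60):
    """Flag (src, dst) pairs that hit >= min_ports distinct destination ports
    within window_seconds. Returns {(src, dst): summary} for the densest window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append(ev)

    findings = {}
    for pair, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        j = 0  # sliding window end; only moves forward because evs is sorted
        for i in range(len(evs)):
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            window = evs[i:j]
            ports = {e["dpt"] for e in window}
            if len(ports) >= min_ports and (best is None or len(ports) > len(best["ports"])):
                best = {
                    "ports": sorted(ports),
                    "accepted": sorted({e["dpt"] for e in window if e["verdict"] == "ACCEPT"}),
                    "dropped": sorted({e["dpt"] for e in window if e["verdict"] == "DROP"}),
                    "first_seen": evs[i]["ts"].strftime("%b %d %H:%M:%S"),
                }
        if best:
            findings[pair] = best
    return findings


if __name__ == "__main__":
    for (src, dst), f in find_port_fallback(SAMPLE_LOG).items():
        print(f"{f['first_seen']} {src} -> {dst}: {len(f['ports'])} ports in window; "
              f"accepted={f['accepted']} dropped={f['dropped']}")
```

The accepted list is the actionable part: it names the allowed services a single client is abusing, which is what justified restricting 20-25 to the mail and FTP servers only. The second host in the sample only touches 80 and 443 on one web server and is correctly left alone; tune min_ports and the window against your own logs before alerting on it.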
The temporary solution is to allow only a few people access to HTTPS, and bad users must live without webmail, web banking and online shopping.
Update: since IPCop itself can reach port 443 and the proxy listens on port 800, someone who manually configures the firewall as their browser proxy can still access HTTPS sites.