Block MSN Messenger with Squid

While instant messaging has changed the way many people communicate, it also creates new problems for network administrators. For various reasons, many companies may choose to block instant messaging communications. Unless an internal messaging service is available, or at the very least a commercial logging mechanism, instant messaging can be a rogue channel for information to flow in and out of your networks.

By far the most popular instant messenger is MSN Messenger (or the native XP client, Windows Messenger). Without an expensive (and unnecessary) gateway appliance such as Microsoft ISA Server or the Barracuda IM Firewall, blocking MSN Messenger can prove to be quite a pain. Blocking the ports MSN uses to transfer data is not enough, as the messenger can tunnel all of its communications over HTTP. Blocking port 80 is obviously not an option. If you try to block based on IP address, you will find yourself blocking not only Messenger but also access to Microsoft's range of Web sites and Windows Update!

Surely there must be an easier way? There is...

I've been looking for a simple and reliable way of blocking MSN Messenger without stopping Windows Update from doing its job. After trying to refine blocking based on both IP address and hostname, I decided that the only reliable way to block it is to filter on the request MIME type and the HTTP gateway URL, using Squid. I found a reference to the MIME type application/x-msn-messenger while reading a Microsoft KB article that describes blocking MSN Messenger with ISA Server 2000. Squid can block based on MIME type and request content using access control lists (acls).

If you're already running all of your Web traffic through a Squid proxy server, then updating your configuration to block Messenger is as simple as adding four lines to the squid.conf file:

acl msnmime req_mime_type ^application/x-msn-messenger
acl msngw url_regex -i gateway.dll
http_access deny msnmime
http_access deny msngw

Don't forget that you will still need to block outgoing connections on port 1863; if you don't do this, then Messenger will connect using its standard TCP port rather than tunnelling via HTTP.

I didn't have a Squid proxy service running on my OpenBSD gateway so I had to install it. A package can be found in the Packages directory of OpenBSD's FTP/HTTP repositories. Several versions of the Squid package are available -- I chose the transparent build.

Installing an OpenBSD package is simple:

# pkg_add squidpackage.tgz

If there are any missing dependencies then the package manager will tell you; I didn't have any problems with this one.

Now that Squid is installed we need to create a simple config. I prefer to strip out all of the comments so that I can see all of the non-default directives more clearly. I used the following basic config:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 64 MB
maximum_object_size_in_memory 32 KB
ipcache_size 2048
cache_dir ufs /var/squid/cache 1024 16 256
# No acl uses proxy_auth, so these auth_param lines are inert: users are not authenticated.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# refresh_pattern is first-match, so the Windows Update (cab/dll/exe) rule must precede the catch-all "." rule.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern \.(cab|dll|exe) 4320 100% 43200 reload-into-ims
refresh_pattern .        0    20%    4320
# Squid 2.5 default definitions for all, localhost and to_localhost.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl msnmime req_mime_type ^application/x-msn-messenger$
acl msngw url_regex -i gateway.dll
# http_access is first-match, so the Messenger deny lines come first.
http_access deny msnmime
http_access deny msngw
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# A request matching no line gets the opposite of the last line's action, i.e. allow.
http_reply_access allow all
icp_access allow all
# Transparent (httpd_accel) mode for Squid 2.5.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/squid/cache
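To see how Squid reaches a verdict with these rules, here is an added Python model (not part of the original post, and not Squid's own code) of the acl and http_access lines from the four-line snippet and the full config above, evaluated over constructed sample requests; the hostnames, paths and header values in it are illustrative.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests (method, URL, request headers); illustrative only.
SAMPLE_REQUESTS = [
    ("POST", "http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open",
     {"Content-Type": "application/x-msn-messenger"}),
    ("GET", "http://gateway.messenger.hotmail.com/gateway/Gateway.DLL?SessionID=1", {}),
    ("GET", "http://download.windowsupdate.com/msdownload/update/v3/static/x.cab", {}),
    ("GET", "http://www.microsoft.com/", {}),
    ("CONNECT", "mail.example.com:8443", {}),
]
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}  # plus 1025-65535

def request_port(method, url):
    """Port that the 'port' acl type tests: host:port for CONNECT, else the URL's."""
    if method == "CONNECT":
        return int(url.rsplit(":", 1)[1])
    parts = urlsplit(url)
    return parts.port or {"http": 80, "ftp": 21, "gopher": 70}.get(parts.scheme, 0)

# One predicate per acl line of the squid.conf above (req_mime_type, url_regex -i, port).
ACLS = {
    "msnmime": lambda m, u, h: re.search(r"^application/x-msn-messenger$",
                                         h.get("Content-Type", "")) is not None,
    "msngw": lambda m, u, h: re.search(r"gateway.dll", u, re.IGNORECASE) is not None,
    "Safe_ports": lambda m, u, h: (request_port(m, u) in SAFE_PORTS
                                   or 1025 <= request_port(m, u) <= 65535),
    "SSL_ports": lambda m, u, h: request_port(m, u) in {443, 563},
    "CONNECT": lambda m, u, h: m == "CONNECT",
}
# http_access lines in config order; a leading '!' negates the acl.
HTTP_ACCESS = [("deny", ["msnmime"]), ("deny", ["msngw"]),
               ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"])]

def acl_matches(name, method, url, headers):
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](method, url, headers) != negate

def http_access(method, url, headers):
    """First http_access line whose acls all match wins; if none matches, Squid
    applies the opposite of the last line's action (here: allow)."""
    for action, names in HTTP_ACCESS:
        if all(acl_matches(n, method, url, headers) for n in names):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"

def decisions():
    """Verdict per sample request: Messenger denied, Windows Update and microsoft.com allowed."""
    return [(m, u, http_access(m, u, h)) for m, u, h in SAMPLE_REQUESTS]
```

The two Messenger requests are denied by different lines (one by MIME type, one by the case-insensitive URL match), while the .cab download passes because no deny line matches it.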

In order to direct outgoing HTTP traffic via Squid, a few rules need to be added to /etc/pf.conf:

# rdr outgoing www requests to squid proxy (redirect target is the gateway's loopback, where Squid listens on 3128)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# pass incoming ports for squid proxy
pass in on $int_if inet proto tcp from any to port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

# MSN tcp block: stop LAN clients reaching destination port 1863 (quick, so a later broad pass rule cannot override it)
block in quick on $int_if proto tcp from any to any port 1863

Then reload the PF rules:

# pfctl -f /etc/pf.conf

If we want Squid to be started automatically at boot then add this to /etc/rc.conf:

if [ -x /usr/local/sbin/squid ]; then
        echo -n ' squid';       /usr/local/sbin/squid
fi

The final step before starting Squid is to create the cache folders:

# squid -z

And now launch with:

# squid

Users running through this gateway should now be unable to use MSN Messenger while retaining access to Microsoft Web sites and Windows Update.

Have you found easier alternatives to blocking MSN Messenger?