Blocking Chat Programs & Social Networking Sites

By deeaglex
We are trying to find a great solution to block all users except for management from Instant Messenger chat programs like MSN Live Messenger and Yahoo Messenger. We are also looking at blocking all social networking sites like Facebook, MySpace and Hi5, as most employees seem to be abusing the net during regular working hours.

Our Current Setup:
(1) [ISP] -> [ADSL Modem] -> [Switches] -> [Server 200

(2) [ISP] -> [ADSL Modem] -> [Switches] -> [IP Phones] -> [Workstations]

Any ideas welcome.


Your, "great"

by santeewelding In reply to Blocking Chat Programs & ...

And my, "great", are instantly at odds.


ISA 2006 or GFI web monitor

by alashhar In reply to Blocking Chat Programs & ...

I have installed MS ISA 2006 with GFI WebMonitor to reach your targets.



by santeewelding In reply to ISA 2006 or GFI web monit ...

Given the history of where you say you are.


It all comes down to money

by mafergus In reply to Blocking Chat Programs & ...

There are a variety of ways to get where you want to go. It all depends on the size of your enterprise and how much money you want to spend. Even a "cheap" firewall will get you what you need, or you can go up to a high-end appliance similar to the Bluecoat devices.

Or you can go with an online service like Webroot.

There are a ton of options, but without knowing your environment, hopefully these will get you thinking.



by red-core In reply to Blocking Chat Programs & ...

I'm not sure you can find it in English as well, but check out the
It's a firewall, e-mail server, internet control, fun detect and messengerPOLICY filter that could really help you out.

Sorry guys for the rotten english.


Tell them it's OK and then put in a Smoothwall..

by cmatthews In reply to Blocking Chat Programs & ...

..between the modem and the switch. Set up Smoothwall as CLOSED, turn on the IM proxy with swear-word filtering, transparent proxy and SIP proxy, and enable only the outbound ports required to function:
Web, file transfer, VoIP, e-mail and news, Yahoo (port 5050) and MSN Messenger (1863).

Tell your users that IM is OK, but for emergency family communications only, that swear-words will be blocked (for the sake of the children the mothers and fathers talk with) and that all messages are logged.

Smoothwall has IMspector (as in Instant Messaging inspector) which will log all conversations. More info here:
and Screen-shots here:

Note: Lawrence Manning is the author of both Smoothwall and IMspector. Although other Linux security releases can and do use his code, IMHO, his product within Smoothwall works best. Support for IMspector here:

One last technical suggestion: put your modem in bridged mode or get one that can. In the area of business support, I have nothing good to say about the free routers included inside these fragile boxes. They have limited CPU and memory, and can easily lock up when max-TCP-session limits are reached. Do yourself a favor, let a 512 MB Smoothwall handle the PPPoE and routing ;-)


Thanks everyone! Anyone tried IPCOP?

by deeaglex In reply to Blocking Chat Programs & ...

A special thanks to everyone that replied to my post. While researching we came across a Linux distribution called IPCop that can be installed on any old PC and act as a firewall, web filter, you name it... We are currently trying it out. You can go to and look it up where you can learn a lot about it.


Install ADVproxy with URLfilter and watch the logs...

by cmatthews In reply to Thanks everyone! Anyone t ...

Not a bad choice. IPCop started as a fork of Smoothwall-UK (it has grown since), but I worry about accountability, since SW has a corporate product along with certifications for use in schools in the UK.

As an independent project, IPCop can raise flags, since funding comes from nowhere and there's no one to report to for success or failure. I have used it before, but since 2004 I've seen stagnation periods on the project of 6-9 months (possible shifts or disinterest at the helm?). Also worthy of note is that since 2004 it's been stuck at version 1.4 - I will surely try it again when version 2.0 reaches RC status.


Without knowing how many stations you are "trying to guide into healthy web usage", it's hard to say whether any hardware platform will do (but more RAM is always better). However, to avoid employee animosity, there are some worthwhile pointers:

1) After installing the filter, watch the filter log frequently for the first week and white-list domains that are required for LOB. Some staff may accept the new prohibition and say nothing - they'll just start working shorter hours and take work home where they can get open access (while grumbling about the dictator they work for) :-)

2) There may also be staff willing to quit the job and take a position elsewhere, just "to have their freedom" (for the most part, for this lot, I'd even smile, open the door and wave goodbye..), but these may also hold some special keys to your success.

3) Even after you have watched the filter logs for a while, continue, and make a way for users to get sites white-listed (drop-box, e-mail, post-it notes, whatever..)

4) Your original post seemed to focus on IM and not general browsing; so in keeping with that, close all outbound ports except those that are required. Many IM clients will scan up and down port lists to find a way out; when they fail, they will resort to using the gateway filter on port 80. But if your aim is to stop IM, then Google for IP-drop ranges related to MSN, Live, Yahoo, etc.

5) If required, install another non-proxied NIC and subnet, as some equipment will not operate through a proxy. Inline proxies are easy to detect, and some POS and card-swipe devices will not operate due to security concerns (ask the vendor about port usage; you may be able to open specific ports).

6) URLfilter uses the term "number of filter processes" - this is really the number of squidGuard redirector processes that listen to URL requests. This is a number to watch on filters with less RAM - too high, and the filter runs slow; too low, and user frustration goes up as they watch half pages or timeouts. Today's web browsers pipeline requests and blast up to 6 requests (per domain) at a time - that's why big sites have several domains and subdomains. If you have enough RAM for the filter, jump this number to 16 or more, but over time make sure RAM usage never goes beyond 98%. (Linux likes to use all RAM for performance, but beyond that, the swap partition will slow things down.)

Drop back and note any problems. (IPCop, Endian, IPFire, Smoothwall etc... they're all quite similar and you'll find aficionados everywhere.) If you have more than a few users, the filter project can take many months to iron out the creases. Get someone every day to export the filter log to see where user frustration may be (especially if you use a big filter list like the huge one from ).

If you want to see other firewall distros, you could check here:
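The two recurring points in this thread are a domain block list with an exemption for management (the original question) and a daily review of the filter log to decide what to white-list (cmatthews's points 1, 3 and the closing advice). The following is an added example written for this page; it is not code from the thread, from Smoothwall or IPCop, or from squidGuard. It implements squidGuard-style domain matching (a listed domain blocks itself and every subdomain, but not look-alike hosts such as facebook.com.evil.example), checks the management subnet first, and then counts blocked requests per registered domain and per client from a log. The management subnet, the domains and the log lines are all constructed, and the log layout only approximates squidGuard's "Request(...)" lines, so adjust the regular expression to whatever your filter actually writes.

```python
"""Added example: squidGuard-style domain filter with a management exemption,
plus triage of a filter log for white-list review.  Not code from the thread,
from Smoothwall/IPCop or from squidGuard.  Subnet, domains and log lines are
constructed; the log format approximates squidGuard's and is an assumption."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Management workstations exempt from the filter (constructed subnet).
MANAGEMENT_NET = ip_network("192.168.10.0/28")

# squidGuard "domains"-file semantics: a bare domain blocks it and every subdomain.
BLOCKED_DOMAINS = {"facebook.com", "myspace.com", "hi5.com"}
# White list, grown from the daily log review; it wins over the block list.
ALLOWED_DOMAINS = {"cdn.example-lob.com"}


def _matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain.
    Matching is label-based, so 'facebook.com.evil.example' does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(src_ip, host):
    """Return 'allow' or 'deny' for one request (client IP, requested host)."""
    if ip_address(src_ip) in MANAGEMENT_NET:
        return "allow"            # management exemption is checked first
    if _matches(host, ALLOWED_DOMAINS):
        return "allow"            # explicit white list beats the block list
    if _matches(host, BLOCKED_DOMAINS):
        return "deny"
    return "allow"                # default allow: this filter targets named sites only


# Constructed log lines in a squidGuard-like layout (assumption):
# date time [pid] Request(acl/category/rewrite) URL client/host ident method action
SAMPLE_LOG = """\
2009-03-05 09:10:11 [2231] Request(default/social/-) http://www.facebook.com/home.php 192.168.20.5/- - GET REDIRECT
2009-03-05 09:10:14 [2231] Request(default/social/-) http://m.facebook.com/ 192.168.20.5/- - GET REDIRECT
2009-03-05 09:12:02 [2232] Request(default/social/-) http://www.myspace.com/ 192.168.20.7/- - GET REDIRECT
2009-03-05 09:15:40 [2231] Request(default/social/-) http://static.ak.fbcdn.example/img.png 192.168.20.8/- - GET REDIRECT
2009-03-05 09:16:00 [2233] Request(default/social/-) http://www.facebook.com/ 192.168.20.9/- - GET REDIRECT
2009-03-05 09:16:30 [2233] Request(default/social/-) http://www.hi5.com/ 192.168.10.2/- - GET PASS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\d+\] Request\((?P<rule>[^)]*)\) (?P<url>\S+) "
    r"(?P<client>[^/\s]+)/\S+ \S+ (?P<method>\S+) (?P<action>\S+)$"
)


def registered_domain(host):
    """Fold www.facebook.com and m.facebook.com into facebook.com.  Assumes
    two-label registrable domains; production code should consult the
    public suffix list (co.uk and friends)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(log_text):
    """Count blocked (REDIRECT) requests per registered domain and per client.
    Unparseable lines are skipped rather than crashing the daily report."""
    by_domain, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("action") != "REDIRECT":
            continue
        host = urlsplit(m.group("url")).hostname or ""
        by_domain[registered_domain(host)] += 1
        by_client[m.group("client")] += 1
    return by_domain, by_client


if __name__ == "__main__":
    for ip, host in [("192.168.10.3", "www.facebook.com"),
                     ("192.168.20.5", "m.facebook.com"),
                     ("192.168.20.5", "facebook.com.evil.example"),
                     ("192.168.20.5", "cdn.example-lob.com")]:
        print(f"{ip:14} {host:28} {decide(ip, host)}")
    domains, clients = triage(SAMPLE_LOG)
    print("blocked by domain:", domains.most_common())
    print("blocked by client:", clients.most_common())
```

The per-domain counts are what you read every morning during the first weeks: a legitimate LOB host that keeps appearing goes into ALLOWED_DOMAINS, and because the white list is checked before the block list the exception takes effect without touching the block entries. The per-client counts show which workstations are generating the frustration cmatthews warns about, which is more useful than the raw line count when deciding whether a rule is too broad.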
