Re: [squid-users] Squid with Skype

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 31 Oct 2007 16:11:05 +1300 (NZDT)

> I wonder how to get it working well too...
>
> Skype's problems:
>
> 1.) It tries NAT for too long before falling to proxy (and there's no
> way, as I know, to block the use of NAT).
> 2.) Skype uses ANY ports and MANY IPs (as far as I know, as far as my
> sniffing is right)
> 3.) There's really no official Skype documented support for our cause.
>
> So... I just wonder what should be done to achieve this!?
>
>
> - Mauricio
>
> Janco van der Merwe wrote:
>> Hi,
>>
>> I need to set up Squid with the following:
>>
>> The network has 36 PCs all with Skype - Business needs
>> Skype.....why.....I don't know.
>>
>> Only 6 of the 36 PCs are allowed to use the internet; the rest are not, but
>> they must be able to access Skype. Currently they have a Squid
>> configuration with a transparent proxy with no passwords /
>> authentication. They do not want authentication brought in because they
>> don't want to type passwords.
>>
>> Can anyone assist me on how to set up Squid with the correct ACLs for
>> the above because this is a little bit out of my league and I don't know
>> how I am going to allow Skype but no other http traffic.
>>
>> I'm fine with the setup of the ACL to allow certain computers to the
>> Internet but to block all other Internet traffic but Skype that is where
>> my bug falls off its cork.
>>

AFAICS, Skype requires CONNECT privilege and uses "CONNECT a.b.c.d:p" to
connect out via the proxy. You will need to kill any ACL configured to prevent
CONNECT from internal to external IPs.

Yes, it opens a large loophole for internal infections to get out. This can
be reduced somewhat by still preventing CONNECT by IP to under-1024 ports
that are known for abuse, i.e. 21, 22, 25, 135-139, 445, 80, etc.
(If you are lucky you may know a few standard ports Skype tries CONNECTs
to first and allow only those.)

Amos
Received on Tue Oct 30 2007 - 21:11:16 MDT
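As an added example (not from the thread, and not Squid's own default config), a squid.conf fragment that applies Amos's advice to Janco's setup: the six browsing PCs get normal web plus HTTPS CONNECT, the other thirty get CONNECT only, and CONNECT to the abuse-prone ports is refused for everyone. The LAN range 192.168.1.0/24 and the six addresses 192.168.1.10-15 are assumed placeholders.

```squid
# Assumed addresses: replace with the real LAN and the six browsing PCs.
acl localnet   src 192.168.1.0/24
acl web_allowed src 192.168.1.10-192.168.1.15
acl CONNECT method CONNECT

# Ports Amos lists as abuse targets: CONNECT to these is never allowed,
# whichever PC asks and whichever IP is named in the CONNECT line.
acl abused_ports port 21 22 25 80 135-139 445

# Ports the six browsing PCs may use
acl Safe_ports port 80 443
acl SSL_ports  port 443

# Order matters: first matching http_access line wins.
http_access deny  CONNECT abused_ports
# Browsing PCs: plain HTTP/HTTPS on normal ports, CONNECT only to 443
http_access allow web_allowed Safe_ports !CONNECT
http_access allow web_allowed CONNECT SSL_ports
# Remaining PCs: CONNECT to any other port (what Skype needs), no plain HTTP
http_access allow localnet CONNECT
# 'all' is built in on Squid 3; on Squid 2.x keep the default
# 'acl all src 0.0.0.0/0.0.0.0' line above this rule.
http_access deny  all
```

Skype only issues CONNECT when it is configured to use the proxy explicitly, so the thirty Skype-only PCs need the proxy set in Skype's connection options; a transparent intercept of port 80 never sees the CONNECT request. Watching access.log for CONNECT entries from localnet to unexpected ports is the cheapest way to see how wide the loophole is in practice.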
