Re: [fw-wiz] Blocking web browsing completely and allowing only
While I don't know why you'd want to do this (the web is a very
useful business tool), it's pretty easy.
First, permit access to the Skype website. At last check this is:
www.skype.com canonical name = web1.skype.com.
So, on a Cisco, that's:
access-list 101 permit tcp any host 220.127.116.11 eq 80
access-list 101 permit tcp any host 18.104.22.168 eq 443
access-list 101 permit tcp any host 22.214.171.124 eq 80
access-list 101 permit tcp any host 126.96.36.199 eq 443
! Then block HTTP ports 80, 443, 8080, etc.
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 8080
! And as a last rule, permit traffic to the internet...
access-list 101 permit ip any any
The Skype port is 36013, and that should pass with the above ruleset,
although Skype does use 80 and 443 to get around firewalls. This
might cause some trouble communicating with some clients. I recommend
that you don't do this at all.
If you're interested in restricting web usage, why not look at
products like Bluecoat or other transparent (WCCP) web proxies?
On Oct 23, 2007, at 1:28 PM, Siju George wrote:
> Is anybody doing something like this on any of their firewalls?
> i.e. blocking all web browsing and at the same time allowing only Skype
> to the outside world?
> Could you please let me know how you do that?
> Thank you so much
> Kind Regards
> firewall-wizards mailing list
firewall-wizards mailing list
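
An added example, not part of the original message: a small first-match evaluator for the ACL as posted, run over constructed sample flows to check what the rule order actually permits. The names `parse` and `evaluate` are hypothetical, the parser covers only the syntax subset used in this message, and the 203.0.113.0/24 destinations are constructed.

```python
import ipaddress

# ACL 101 exactly as posted in the message above.
ACL_101 = """\
access-list 101 permit tcp any host 220.127.116.11 eq 80
access-list 101 permit tcp any host 18.104.22.168 eq 443
access-list 101 permit tcp any host 22.214.171.124 eq 80
access-list 101 permit tcp any host 126.96.36.199 eq 443
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 8080
access-list 101 permit ip any any
"""

def parse(text):
    """Parse the extended-ACL subset used above (source is always 'any')."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # skip blank lines and comments
        action, proto, rest = tok[2], tok[3], tok[5:]  # tok[4] is the source
        is_host = rest[0] == "host"
        dst = ipaddress.ip_address(rest[1]) if is_host else None
        rest = rest[2:] if is_host else rest[1:]
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, dst, port, line))
    return rules

def evaluate(rules, proto, dst, port):
    """Return (action, matching line): first match wins, implicit deny last."""
    dst = ipaddress.ip_address(dst)
    for action, r_proto, r_dst, r_port, line in rules:
        if (r_proto in ("ip", proto) and r_dst in (None, dst)
                and r_port in (None, port)):
            return action, line
    return "deny", "(implicit deny)"

RULES = parse(ACL_101)
# Constructed sample flows; 203.0.113.0/24 is a documentation range.
FLOWS = [
    ("tcp", "220.127.116.11", 80),   # listed host on its permitted port
    ("tcp", "220.127.116.11", 443),  # same host, port not permitted for it
    ("tcp", "203.0.113.10", 36013),  # port the message gives for Skype
    ("tcp", "203.0.113.10", 8000),   # web server on a port the ACL omits
]
if __name__ == "__main__":
    for proto, dst, port in FLOWS:
        print(proto, dst, port, "->", *evaluate(RULES, proto, dst, port))
```

Each listed host is permitted on only one of the two ports, so the second flow falls through to the deny for 443, while anything on a port outside 80, 443 and 8080 reaches the final permit.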