2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Blocking QQ and MSN with a Juniper NetScreen Firewall
Many companies currently do not allow the use of QQ and MSN. With an AOS device this is much easier: you simply disable the QQ and MSN programs directly. But AOS equipment is expensive, and for a small company it is like using a cannon to kill a mosquito. A NetScreen firewall can also block the QQ and MSN programs through some configuration.
Block the QQ ports
udp src-port 0-65535 dst-port 8000-8001
src-port 0-65535 dst-port 8000-8001
tcp src-port 0-65535 dst-port 1863-1863
udp src-port 0-65535 dst-port 1863-1863
tcp src-port 0-65535 dst-port 2000-2000
udp src-port 0-65535 dst-port 2000-2000
Block the QQ server addresses
Sz.tencent.com
Sz2.tencent.com
Sz3.tencent.com
Sz4.tencent.com
Sz5.tencent.com
Sz6.tencent.com
Sz7.tencent.com
Sz8.tencent.com
Sz9.tencent.com
Tcpconn.tencent.com
Tcpconn2.tencent.com
Tcpconn3.tencent.com
Tcpconn4.tencent.com
Tcpconn5.tencent.com
Tcpconn6.tencent.com
There are three QQ login methods: TCP login, UDP login and VIP login (the login settings can be found in QQ).
Whichever login method is used, it has to go through a certain IP and port. I find that TCP login usually uses the following addresses and ports: 219.133.49.206218.95.153 ip 80218.17.209.23 ip 80, but I think they all log in through TCP port 80. As long as TCP port 80 is blocked, TCP login can be prohibited, but note that TCP port 80 is also the default port for browsing websites. Blocking it makes it impossible to browse the web, so we can only block the IP addresses used for login.
UDP login uses: 219.133.49.171Magne61.144.238.145VZ 8000202.104.129.254 (253): 8000. There may be many login IPs, but I think they all log in through UDP port 8000, so blocking UDP port 8000 prohibits UDP login.
VIP login (member login) uses: 58.60.9.58 Magazine 21817.209.42 ssl port). This is also a TCP login. There may be many login IPs, but I think they all log in through TCP port 443, so blocking TCP port 443 prohibits member TCP login.
Block the MSN port
The NetScreen firewall has a predefined MSN service: TCP src port 0-65535, dst port 1863.
Block the MSN server addresses:
Messenger.hotmail.com
Gateway.messenger.hotmail.com
207.46.107.113
207.46.113.221
65.54.239.211
65.54.239.80
65.54.225.254
65.54.226.254
65.54.228.244
65.54.228.253
65.54.229.248
65.54.229.253
65.54.225.241
65.54.226.247
If you deny the above ports and server addresses in a policy, you can basically block the use of QQ and MSN. However, the QQ and MSN server addresses change, so you have to keep adding IP addresses to the deny list, blocking each new one as you find it. In addition, if users run QQ or MSN through a proxy, there is currently nothing the NetScreen firewall can do except deny access to commonly used proxy ports, such as TCP 8080, 1080 and 3128.
If you have blocked the above IPs and ports and find that you can still log in to QQ or MSN, run the netstat -an command at the DOS prompt to check the current connections, find the IP address QQ or MSN is using, and add it to the firewall's deny list.
The above methods have been tested on a NetScreen 5gt-108 and proved to be effective.
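The netstat -an check described above can be scripted. The following is an added example, not part of the original article: it parses Windows netstat -an output and lists remote IPs still reached on the ports the article names that are not yet on the deny list. The function name, the internal address ranges and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Remote ports the article ties to QQ/MSN, plus the proxy ports it mentions.
# 80 and 443 are left out because ordinary web traffic shares them.
WATCH_PORTS = {1863: "MSN", 8000: "QQ", 8001: "QQ", 2000: "QQ",
               8080: "proxy", 1080: "proxy", 3128: "proxy"}
# Assumed internal ranges; connections that stay inside them are ignored.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of Windows `netstat -an` output, not captured traffic.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.10:1863      ESTABLISHED
  TCP    192.168.1.20:49713     198.51.100.7:443       ESTABLISHED
  TCP    192.168.1.20:49714     203.0.113.44:8000      ESTABLISHED
  TCP    192.168.1.20:49715     192.168.1.5:8080       ESTABLISHED
  TCP    192.168.1.20:49716     65.54.239.80:1863      ESTABLISHED
  TCP    192.168.1.20:49717     203.0.113.99:1863      SYN_SENT
  UDP    0.0.0.0:4000           *:*
"""

def candidates(netstat_text, already_blocked=()):
    """Return sorted (ip, port, label) tuples for established TCP connections
    to watched ports whose remote IP is external and not yet denied."""
    blocked = set(already_blocked)
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have 4 columns; UDP rows show "*:*" and carry no remote IP.
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue
        if parts[3] != "ESTABLISHED":      # only connections that got through
            continue
        host, _, port = parts[2].rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # IPv6 rows use [addr]
            port = int(port)
        except ValueError:
            continue
        if any(ip in net for net in INTERNAL) or str(ip) in blocked:
            continue
        if port in WATCH_PORTS:
            found.add((str(ip), port, WATCH_PORTS[port]))
    return sorted(found)
```

Because netstat -an shows no remote address for UDP sockets, this only surfaces TCP logins; UDP port 8000 traffic has to be found in the firewall's own logs.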