Blocking LogMeIn, etc. from inside a network using IPFire


These remote control systems use port 80 (or 443) for most of their connections, so it is difficult to block their use inside a network. However, there are people who are misusing them to gain remote access to their workstations while not at the office.

The most effective solution is to publish rules for your employees and not allow the installation. Additionally, not allowing users to install software on their computers would help. However, in the case where neither of these options is available (or if you simply want to add extra security on top of those steps), do the following. Note: there are ways around this (which I will not discuss here), but this will help with a user who is not technically savvy.

  1. Create a DNS server (aka nameserver) someplace. Since many of my clients have Xen running under Linux, it was simple to create a new virtual machine. This does NOT need many resources; 128M and 4G of disk space is more than it will ever use. I prefer a standard Debian base install with Bind9 set up on it.
  2. Create DNS entries for the domains you want to remove access to. In our case, we created zone files for logmein.com, dyngate.com and teamviewer.com. Set the target for the domain and a www CNAME to some IP (I pointed them to one of Google's addresses).
  3. Set the DNS server up to have a static IP address.
  4. Log into your IPFire Router
  5. Go to Network | DNS Forwarding
  6. Create an entry for each domain you want to block. For example, to block logmein.com
    1. Enter logmein.com in the Zone field
    2. Enter the IP address of the name server you built in step 1 in the Nameserver field
    3. Enter a comment if you choose
    4. Place a check in the Enabled field
    5. Click the Add button
  7. At this point, all queries for logmein.com will be answered by the local DNS server. So, in the case I was describing, someone trying to go to http://www.logmein.com will end up at Google's web site. However, the user can get around this by simply pointing their DNS (in the network configuration) to any of several publicly available name servers. To prevent this, we must disable access to name servers outside of the network (i.e., not allow anyone to use a DNS/nameserver other than the router).
    1. Go to Firewall | Outgoing Firewall
    2. Enable if necessary, Mode 2
    3. Click the Add Rule button at top
    4. Under Quick Add, find domain - Domain Name Server - Port 54
    5. Click the pencil with the plus sign next to it.
    6. A new rule will show up at the top with an X showing it is blocked. No one can now use a DNS server outside of your local network (they should use the router as a name server). Obviously, you can edit this rule if you like.

That is all, it is set up.
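
Steps 1 and 2 as an added example (not part of the original article): a shell script that generates the BIND9 zone files and matching `zone` stanzas for the three domains named above. Because a CNAME has to point at a name rather than an IP, each zone gives the domain itself an A record and makes `www` a CNAME to it. `SINK_IP`, `NS_IP`, the `db.<domain>` file names and the `/etc/bind/zones` directory are assumptions, and both addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: build BIND9 sinkhole zones for the domains blocked in the article.
# Both addresses are constructed placeholders (RFC 5737 documentation range).
SINK_IP="${SINK_IP:-192.0.2.10}"   # address the blocked names should resolve to
NS_IP="${NS_IP:-192.0.2.53}"       # static IP of the internal nameserver (step 3)
DOMAINS="logmein.com dyngate.com teamviewer.com"

# Print a zone file for one domain: apex A record plus a www CNAME to the apex.
make_zone() {
    domain=$1; serial=$2
    cat <<EOF
\$TTL 300
@    IN SOA   ns.$domain. hostmaster.$domain. ( $serial 3600 600 86400 300 )
@    IN NS    ns.$domain.
ns   IN A     $NS_IP
@    IN A     $SINK_IP
www  IN CNAME $domain.
EOF
}

# Print the stanza (for named.conf.local) that makes BIND authoritative for the zone.
make_stanza() {
    domain=$1; zone_dir=$2
    cat <<EOF
zone "$domain" {
    type master;
    file "$zone_dir/db.$domain";
};
EOF
}

# Write one zone file per domain and a combined stanza file into directory $1.
write_all() {
    out=$1; zone_dir=$2; serial=$3
    mkdir -p "$out" || return 1
    : > "$out/named.conf.blocked"
    for d in $DOMAINS; do
        make_zone "$d" "$serial" > "$out/db.$d"
        make_stanza "$d" "$zone_dir" >> "$out/named.conf.blocked"
    done
}

# Run with --write to generate the files under ./blocked-zones.
if [ "${1:-}" = "--write" ]; then
    write_all ./blocked-zones /etc/bind/zones "$(date +%Y%m%d)01"
fi
```

Check each generated file with `named-checkzone logmein.com db.logmein.com` before reloading BIND. Any other name under a blocked domain gets an NXDOMAIN answer from this server, since it is authoritative for the whole zone.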

Last update: 2014-02-11 00:43
Author: Rod
Revision: 1.0