Block msn traffic using CISCO policy-map
05/05/2007 22:10
1. Using an ACL, block the ports relevant to MSN, such as tcp/udp 1836, etc.
2. But, as we all know, MSN 7.5 can go through the firewall over HTTP (TCP port 80). Here are some samples of the MSN HTTP headers.
Here is the first request and response in a notification server session:
POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: MSMSGS\r\n
Host: gateway.messenger.hotmail.com\r\n
Proxy-Connection: Keep-Alive\r\n
Connection: Keep-Alive\r\n
Pragma: no-cache\r\n
Content-Type: application/x-msn-messenger\r\n
Content-Length: 18\r\n
\r\n
VER 5 MSNP8 CVR0\r\n
HTTP/1.0 200 OK\r\n
Server: Microsoft-IIS/5.0\r\n
Date: Tue, 18 Mar 2003 07:39:53 GMT\r\n
X-MSN-Messenger: SessionID=954547325.13160; GW-IP=207.46.110.18\r\n
Content-Length: 18\r\n
Content-Type: application/x-msn-messenger\r\n
Age: 0\r\n
Via: HTTP/1.1 ntl_site (Traffic-Server/5.2.0-R [c sSf ])\r\n
X-Cache: MISS from nautilus.localdomain\r\n
X-Cache-Lookup: MISS from nautilus.localdomain:80\r\n
Proxy-Connection: keep-alive\r\n
\r\n
VER 5 MSNP8 CVR0\r\n
Here is the first request in a switchboard server session:
POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=SB&IP=207.46.108.13 HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: MSMSGS\r\n
Host: gateway.messenger.hotmail.com\r\n
Proxy-Connection: Keep-Alive\r\n
Connection: Keep-Alive\r\n
Pragma: no-cache\r\n
Content-Type: application/x-msn-messenger\r\n
Content-Length: 55\r\n
\r\n
USR 3 phil_sayers@hotmail.com 214963.1047973248.28908\r\n
Here is a message polling the server for queued messages, and finding none:
POST http://207.46.110.18/gateway/gateway.dll?Action=poll&SessionID=954547325.32498 HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: MSMSGS\r\n
Host: 207.46.110.18\r\n
Proxy-Connection: Keep-Alive\r\n
Connection: Keep-Alive\r\n
Pragma: no-cache\r\n
Content-Type: application/x-msn-messenger\r\n
Content-Length: 0\r\n
\r\n
HTTP/1.0 200 OK\r\n
Server: Microsoft-IIS/5.0\r\n
Date: Tue, 18 Mar 2003 07:39:56 GMT\r\n
X-MSN-Messenger: SessionID=954547325.6942; GW-IP=207.46.110.18\r\n
Content-Length: 0\r\n
Content-Type: application/x-msn-messenger\r\n
Age: 1\r\n
Via: HTTP/1.1 ntl_site (Traffic-Server/5.2.0-R [c sSf ])\r\n
X-Cache: MISS from nautilus.localdomain\r\n
X-Cache-Lookup: MISS from nautilus.localdomain:80\r\n
Proxy-Connection: keep-alive\r\n
\r\n
Here is a message closing the session from the client side:
POST http://207.46.110.18/gateway/gateway.dll?SessionID=954547325.3500 HTTP/1.1 \r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: MSMSGS\r\n
Host: 207.46.110.18\r\n
Proxy-Connection: Keep-Alive\r\n
Connection: Keep-Alive\r\n
Pragma: no-cache\r\n
Content-Type: application/x-msn-messenger\r\n
Content-Length: 5\r\n
\r\n
OUT\r\n
HTTP/1.0 200 OK\r\n
Server: Microsoft-IIS/5.0\r\n
Date: Tue, 18 Mar 2003 07:41:39 GMT\r\n
X-MSN-Messenger: SessionID=954547325.1484; GW-IP=207.46.110.18; Session=close\r\n
Content-Length: 0\r\n
Content-Type: application/x-msn-messenger\r\n
Age: 0\r\n
Via: HTTP/1.1 ntl_site (Traffic-Server/5.2.0-R [c sSf ])\r\n
X-Cache: MISS from nautilus.localdomain\r\n
X-Cache-Lookup: MISS from nautilus.localdomain:80\r\n
Proxy-Connection: keep-alive\r\n
\r\n
3. Define the class-map
class-map match-any im
match protocol http s-header-field "MSMSGS"
match protocol http c-header-field "MSMSGS"
match protocol http url "*gateway.messenger.hotmail.com*"
match protocol http url "*messenger.hotmail.com*"
match protocol http url "*messenger.msn.com*"
This class-map tries to match packets carrying "MSMSGS" in an HTTP header, and packets whose URL contains gateway.messenger.hotmail.com, messenger.hotmail.com or messenger.msn.com.
4. Create a policy-map that drops packets with the above attributes
policy-map block-p2p
class im
drop
5. Then apply it inbound, outbound, or both
interface FastEthernet0/1
service-policy input block-p2p
service-policy output block-p2p
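As an added example (not part of the original post), the following Python mirrors the class-map's match rules over constructed requests modelled on the captures above and parses the X-MSN-Messenger session header; it shows that a poll request addressed to the gateway IP is caught only by the header-field rule, since none of the URL patterns match an address.

```python
# Strings the post's class-map looks for (URL substrings and header value).
MSN_URL_SUBSTRINGS = ("gateway.messenger.hotmail.com", "messenger.hotmail.com", "messenger.msn.com")
MSN_HEADER_VALUE = "MSMSGS"

def parse_http_message(raw):
    """Split a raw HTTP/1.x request or response into (start line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body

def classify_msn_request(raw):
    """Return the class-map rules a request satisfies: 'header-field' when MSMSGS
    appears in any header, 'url' when the request line names a listed host."""
    start_line, headers, _body = parse_http_message(raw)
    matched = []  # empty means class 'im' would not match and the packet passes
    if any(MSN_HEADER_VALUE in value for value in headers.values()):
        matched.append("header-field")
    if any(sub in start_line for sub in MSN_URL_SUBSTRINGS):
        matched.append("url")
    return matched

def parse_msn_session_header(raw_response):
    """Parse X-MSN-Messenger (SessionID, GW-IP, Session) so polls and the closing OUT
    can be tied back to the session that opened them."""
    _status, headers, _body = parse_http_message(raw_response)
    fields = {}
    for item in headers.get("x-msn-messenger", "").split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            fields[key] = value
    return fields

# Constructed samples modelled on the captures in the post.
OPEN_REQUEST = (
    "POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com HTTP/1.1\r\n"
    "User-Agent: MSMSGS\r\nHost: gateway.messenger.hotmail.com\r\n"
    "Content-Type: application/x-msn-messenger\r\nContent-Length: 18\r\n\r\nVER 5 MSNP8 CVR0\r\n")
# Polls go to the gateway IP, not a hostname, so only the header-field rule catches them.
POLL_REQUEST = (
    "POST http://207.46.110.18/gateway/gateway.dll?Action=poll&SessionID=954547325.32498 HTTP/1.1\r\n"
    "User-Agent: MSMSGS\r\nHost: 207.46.110.18\r\nContent-Type: application/x-msn-messenger\r\nContent-Length: 0\r\n\r\n")
CLOSE_RESPONSE = (
    "HTTP/1.0 200 OK\r\nX-MSN-Messenger: SessionID=954547325.1484; GW-IP=207.46.110.18; Session=close\r\n"
    "Content-Length: 0\r\n\r\n")
PLAIN_REQUEST = "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: www.example.com\r\n\r\n"
```

The Content-Type application/x-msn-messenger seen in every capture is a further signal the class-map does not use.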
THIS IS ONLY EXPERIMENTAL; THERE IS NO GUARANTEE OF ANY KIND ON IT
Tags: block msn, CISCO, Computing, dns, ios, Networking, policy map
Category: Computing, Networking