Can't seem to block IRC chat

Hi all,

 

XG Home user here, trying to set up some policies before I give my kid her first laptop. I wanted to see if I could block chat services at first, and one of the built-in chat clients on the Linux Mint install I used was HexChat, an IRC client. So, I've created a firewall rule that uses her laptop MAC address as the source device from LAN to WAN. I then added to this firewall rule a custom web policy which blocks online chat. I then added a custom application filter that blocks, among other things, the IRC network service.

Imagine my surprise when I fire up HexChat on her laptop and it just connects to irc.spotchat.org on the default IRC port 6667 like a happy little camper with no issues.

I'm 99% sure her laptop is hitting this rule. If I disable logging on every other rule and only log on this one, I can see real-time logs of traffic from her IP.  The IRC network traffic shows up in the XG "Live Connections" tab as "other applications" rather than IRC.

Does this mean that XG doesn't recognize IRC chat or is there something I'm overlooking?

Thanks!



  • Hi,

    I would suspect that the site you are accessing is not classified in the XG as an IRC site. There is an ongoing discussion about classifications. For home users we can only post failures like this on the forum and hope that one of the mods picks up the details.

    Ian

  • Interesting. The domain itself is recognized as "online chat" when using the URL Category Lookup on the diagnostics, and is correctly blocked if I use a browser. The IRC client, however, has no problem getting through.

    I thought IRC blocking through the Application Filter was based on identifying the actual network packets passing through XG rather than by host matching. Unless I'm completely wrong about how XG works, I'd assume that any IRC traffic should be blocked regardless of what the target URL was.

    Thanks,

    Gary

  • No, the blocking only works on web pages; you would have to create a firewall rule that blocked that port or port range.

    Ian

  • Gary,

    MAC addresses cannot be used on a firewall rule (even if it is allowed at the moment). Set a static IP on the PC and try with the source IP.

    Regards

  • Ian, I believe we are confusing the Web Policy and Application Control. The first is only for URLs over HTTP(S) while the latter should be URL agnostic. As an example, I can enable a single application filter to block the SSH protocol. When this filter is applied on a firewall rule, it blocks all SSH traffic caught by that rule regardless of destination URL. It is this application filter I'm attempting to use. IRC is identified as a network protocol, just like SSH, and as such any IRC traffic should be stopped when the rule is engaged.

  • That is quite interesting, about the MAC address. I added SSH blocking to my application filter and was instantly blocked. The filter is attached to a single firewall rule which is limited to only the single MAC host for my daughter's laptop. It would seem that this restriction has been corrected in some update? I'm running SFOS 16.05.7 MR-7.

    I simplified everything to verify that the IRC application filter is being ignored. I attached a single client to my guest network and added a single IRC filter to the one rule which allows that guest network out to the WAN. No IP matching, no MAC matching, no known users... just a single rule to allow guest > WAN with an application filter that blocked both SSH and IRC. The SSH traffic was stopped dead, the IRC traffic went through just fine.

    Unless I'm mistaken, this would be a bug and XG is not recognizing the IRC network protocol.

  • So, some interesting follow-up.

    I created a new rule above the other that I had been testing with. I set this to reject for Guest -> WAN, where destination service was IRC. The pertinent details of the IRC service definition found here are TCP with a destination port 6660:6669. When I applied this rule, IRC traffic on port 6667 was blocked. However, IRC over TLS/SSL (default port of 6697) was still missed because the port range was too small.

    Regardless, the IRC service definition found in the Firewall section of XG is NOT the same as the network protocol definition found in the Application section of XG. I'm basing this on the fact that no IRC traffic was blocked by the IRC application filter. It would be easy to verify this if there was some way to see what the actual IRC application definition was.
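
Added example (not part of the original thread, and not Sophos code): a side-by-side check of the port-based IRC service match (TCP 6660:6669, as quoted above) and a payload-based match on the IRC registration commands, run over constructed flows. The signature regex, function names and sample flows are illustrative assumptions; they show the coverage gap between the two approaches and why TLS-wrapped IRC is opaque to a payload signature without decryption.

```python
import re

# Port range from the XG "IRC" firewall service definition quoted in the thread.
SERVICE_PORTS = range(6660, 6670)  # 6660:6669 inclusive

# IRC client registration commands (RFC 1459 / RFC 2812, plus IRCv3 CAP).
# Illustrative signature only; not the XG application definition.
IRC_REGISTRATION = re.compile(rb"^(?:CAP LS|PASS |NICK |USER )", re.MULTILINE)


def matches_port_rule(dst_port):
    """Port-only match, like a firewall rule using the IRC service object."""
    return dst_port in SERVICE_PORTS


def classify_payload(first_bytes):
    """Classify the first client-to-server bytes of a TCP connection."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"  # inner protocol is not visible without decryption
    if IRC_REGISTRATION.search(first_bytes):
        return "irc"
    return "other"


def evaluate(flows):
    """Return {label: (port_rule_hit, payload_class)} for each flow."""
    return {name: (matches_port_rule(port), classify_payload(data))
            for name, port, data in flows}


# Constructed sample flows: (label, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("plain-6667", 6667, b"NICK kid\r\nUSER kid 0 * :Kid\r\n"),
    ("tls-6697", 6697, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("plain-8000", 8000, b"CAP LS 302\r\nNICK kid\r\nUSER kid 0 * :Kid\r\n"),
    ("http-6665", 6665, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for name, (port_hit, kind) in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:11} port_rule={port_hit!s:5} payload={kind}")
```

The last flow shows the opposite failure: a port-only rule also rejects non-IRC traffic that happens to use a port in the range.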

  • Hi Gary,

    I don't see a signature inside the List of Matching Applications; you need to raise this as a feature request on Sophos Ideas. Alongside, I would genuinely like to add here that parenting shouldn't be dependent on technology. XG can potentially block the access to a certain level within a range of premises, but a warm, friendly discussion with kids could help both ends, forever.

    Thanks

  • Luk, MAC Addresses can be used to Allow/Block the traffic through Rules.

    Thanks