Can't seem to block IRC chat

Hi all,

XG Home user here, trying to set up some policies before I give my kid her first laptop. I wanted to see if I could block chat services at first, and one of the built-in chat clients on the Linux Mint install I used was HexChat, an IRC client. So, I've created a firewall rule that uses her laptop MAC address as the source device from LAN to WAN. I then added to this firewall rule a custom web policy which blocks online chat. I then added a custom application filter that blocks, among other things, the IRC network service.

Imagine my surprise when I fire up HexChat on her laptop and it just connects to irc.spotchat.org on the default IRC port 6667 like a happy little camper with no issues.

I'm 99% sure her laptop is hitting this rule. If I disable logging on every other rule and only log on this one, I can see real-time logs of traffic from her IP.  The IRC network traffic shows up in the XG "Live Connections" tab as "other applications" rather than IRC.

Does this mean that XG doesn't recognize IRC chat or is there something I'm overlooking?

Thanks!



  • That is quite interesting, about the MAC address. I added SSH blocking to my application filter and was instantly blocked. The filter is attached to a single firewall rule which is limited to only the single MAC host for my daughter's laptop. It would seem that this restriction has been corrected in some update? I'm running SFOS 16.05.7 MR-7.

    I simplified everything to verify that the IRC application filter is being ignored. I attached a single client to my guest network and added a single IRC filter to the one rule which allows that guest network out to the WAN.  No IP matching, no MAC matching, no known users... just a single rule to allow guest > WAN with an application filter that blocked both SSH and IRC.  The SSH traffic was stopped dead, the IRC traffic went through just fine.

    Unless I'm mistaken, this would be a bug and XG is not recognizing the IRC network protocol.

  • So, some interesting follow-up.

    I created a new rule above the other that I had been testing with. I set this to reject for Guest -> WAN, where destination service was IRC. The pertinent details of the IRC service definition found here are TCP with a destination port 6660:6669. When I applied this rule, IRC traffic on port 6667 was blocked. However, IRC over TLS/SSL (default port of 6697) was still missed because the port range was too small.

    Regardless, the IRC service definition found in the Firewall section of XG is NOT the same as the network protocol definition found in the Application section of XG. I'm basing this on the fact that no IRC traffic was blocked by the IRC application filter. It would be easy to verify this if there was some way to see what the actual IRC application definition was.

  • Luk, MAC Addresses can be used to Allow/Block the traffic through Rules.

    Thanks

  • Good to know. It has been fixed in some MR because before firewall rules based on MAC-ADDRESSES were not working.

    Thanks
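
The difference between the port-based IRC service rule (TCP 6660:6669) and a content-based application match discussed earlier in the thread, as an added example that is not part of the original posts and is not Sophos XG's detection logic. The classifier is a hypothetical sketch and the sample flows are constructed.

```python
import re

# Port range the thread quotes for the firewall "IRC" service: TCP 6660:6669.
IRC_SERVICE_PORTS = range(6660, 6670)

# Client registration commands (RFC 1459/2812, plus IRCv3 CAP), one per line.
REGISTRATION = re.compile(rb"^(?:CAP|PASS|NICK|USER) [^\r\n]{1,500}\r?\n", re.M)


def port_rule_matches(dst_port):
    """Port-only match, the way a firewall service definition decides."""
    return dst_port in IRC_SERVICE_PORTS


def payload_looks_like_irc(first_bytes):
    """Content match: two or more registration lines in the first client data."""
    return len(REGISTRATION.findall(first_bytes[:1024])) >= 2


def is_tls_client_hello(first_bytes):
    """TLS handshake record (0x16, version 3.x) carrying a ClientHello (0x01)."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01)


def classify(dst_port, first_bytes):
    """Return both verdicts so the disagreement between them is visible."""
    if is_tls_client_hello(first_bytes):
        content = "encrypted"  # not inspectable without TLS decryption
    elif payload_looks_like_irc(first_bytes):
        content = "irc"
    else:
        content = "other"
    return {"port_rule": port_rule_matches(dst_port), "content": content}


# Constructed sample flows: (label, destination port, first client bytes).
SAMPLES = [
    ("plain IRC, default port", 6667, b"CAP LS 302\r\nNICK kid\r\nUSER kid 0 * :kid\r\n"),
    ("plain IRC, other port", 8000, b"NICK kid\r\nUSER kid 0 * :kid\r\n"),
    ("IRC over TLS", 6697, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("SSH", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for label, port, data in SAMPLES:
        print(f"{label:24} port={port:<5} {classify(port, data)}")
```

The port rule catches only the 6667 flow, the content check also catches plain IRC on another port, and the 6697 flow is outside the port range and opaque to content inspection because it is TLS.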