How to block AOL Instant Messenger communication using BorderManager 3.x
(Last modified: 21Aug2002)
This document (10061334) is provided subject to the disclaimer at the end of this document.
goal
How to block AOL Instant Messenger communication using BorderManager 3.x
fact
Novell NetWare 5
Novell NetWare 5.1
Novell BorderManager 3.5
Novell BorderManager 3.6
AOL Instant Messenger 4.x
America Online Instant Messenger 4.x
AIM 4.x
fix
This solution requires TCP/IP filtering support. Verify that filter support is enabled by loading INETCFG from the server console, selecting 'Protocols', then 'TCP/IP', and verifying that 'Filter Support' is set to 'Enabled'. NetWare supports Packet Forwarding Filters and Routing Information Filters. You can configure these filters through FILTCFG.NLM.
Once you have verified that TCP/IP filtering support is enabled, load the Filter Configuration NetWare Loadable Module at the server console by executing the following command line:
LOAD FILTCFG
Select 'Configure TCP/IP Filters' then 'Packet Forwarding Filters'. Verify the 'Status' is 'Enabled'.
If the 'Action' is set to 'Deny Packets in Filter List', press ENTER on 'Filters', which contains the highlighted text '(List of Denied Packets)'. A list of the currently configured TCP/IP Forwarding Filters, in DENY mode, is displayed. Press the INSERT key to define a new DENY filter for AIM. Modify the 'Dest Addr Type' field, selecting 'Host' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '152.163.241.128' in the 'Address' field, then press the ESC key to keep the changes. You may optionally enter a reference to AIM in the comment field. Press the ESC key, and choose 'Yes' to save the DENY filter. Create three more DENY filters for the following host addresses: 152.163.242.24, 152.163.242.28, 152.163.241.120.
NOTE: The default port used by AIM is 5190, which may fall within an existing exception filter that allows dynamic/TCP (ports 1024-65535). Such an exception takes precedence over the deny filters created above, and in that case the AIM service will NOT be blocked. Setting the TCP/IP Packet Forwarding Filters "Action:" to "Permit Packets in Filter List" is preferred, because EXCEPTION filters can then be created that always block communication to AIM services, taking precedence over the permitted filters (which could then include dynamic/TCP).
If the 'Action' is set to 'Permit Packets in the Filter List', press ENTER on 'Exceptions', which contains the highlighted text '(List of Packets Always Denied)'. A list of the currently configured EXCEPTIONS to the TCP/IP Forwarding Filters is displayed. Press the INSERT key to define a new EXCEPTION filter for AIM. Modify the 'Dest Addr Type' field, selecting 'Host' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '152.163.241.128' in the 'Address' field, then press the ESC key to keep the changes. You may optionally enter a reference to AIM in the comment field. Press the ESC key, and choose 'Yes' to save the EXCEPTION filter. Create three more EXCEPTION filters for the following host addresses: 152.163.242.24, 152.163.242.28, 152.163.241.120.
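The precedence described in the NOTE can be checked with a small model. This is an added example, not Novell code: the Filter class and the forwarded() and aim_blocked() functions are hypothetical, and the model looks only at destination host and TCP port.

```python
from dataclasses import dataclass
from typing import Optional

# Host addresses and default port taken from the article.
AIM_HOSTS = ["152.163.241.128", "152.163.242.24", "152.163.242.28", "152.163.241.120"]
AIM_PORT = 5190


@dataclass(frozen=True)
class Filter:
    """Hypothetical, simplified filter: destination host and TCP port range only."""
    dst_host: Optional[str] = None          # None models 'Any Address'
    ports: range = range(0, 65536)          # default models any port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return self.dst_host in (None, dst_ip) and dst_port in self.ports


def forwarded(action, filters, exceptions, dst_ip, dst_port):
    """True if the packet is forwarded; exceptions win in both modes.

    action "deny":   filters are denied, exceptions are always permitted.
    action "permit": filters are permitted, exceptions are always denied.
    """
    in_list = any(f.matches(dst_ip, dst_port) for f in filters)
    in_exceptions = any(f.matches(dst_ip, dst_port) for f in exceptions)
    if action == "deny":
        return in_exceptions or not in_list
    if action == "permit":
        return in_list and not in_exceptions
    raise ValueError(f"unknown action: {action}")


def aim_blocked(action, filters, exceptions):
    """True only if no AIM login host is reachable on the default port."""
    return not any(forwarded(action, filters, exceptions, h, AIM_PORT) for h in AIM_HOSTS)


aim_host_filters = [Filter(dst_host=h) for h in AIM_HOSTS]
dynamic_tcp = Filter(ports=range(1024, 65536))  # the dynamic/TCP rule from the NOTE

if __name__ == "__main__":
    # Deny mode, AIM hosts denied, dynamic/TCP as an exception: AIM still gets out.
    print("deny + dynamic/TCP exception:", aim_blocked("deny", aim_host_filters, [dynamic_tcp]))
    # Permit mode, dynamic/TCP permitted, AIM hosts as exceptions: AIM is blocked.
    print("permit + AIM exceptions:", aim_blocked("permit", [dynamic_tcp], aim_host_filters))
```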
The default Internet address of the AOL Instant Messenger (SM) service is login.oscar.aol.com; this address is used by AIM for authentication purposes. This default host address is valid at the time of this writing and is subject to change at any time.
The default authentication server is obtained by loading the AOL Instant Messenger client, left-clicking the 'Setup' button, left-clicking the 'Connection' tab, left-clicking 'Reset', and viewing the 'Host:' input box. If AIM is loaded and the user is authenticated, the default connection server is obtained by left-clicking 'My AIM', scrolling down to 'Edit Options', left-clicking 'Edit Preferences', left-clicking the 'Connection' tab, left-clicking 'Reset', and viewing the 'Host:' input box.
The following is an NSLOOKUP query for login.oscar.aol.com, which reveals DNS entries (such as A, MX, NS, PTR) about a hostname, domain name or IP address. This assumes that the selected DNS server contains information about the hostname, domain name or IP address in question.
Looking up [login.oscar.aol.com]
Server: dns-01.ns.AOL.com
Address: 152.163.159.232
login.oscar.aol.com internet (IPv4) address = 152.163.241.120
login.oscar.aol.com internet (IPv4) address = 152.163.241.128
login.oscar.aol.com internet (IPv4) address = 152.163.242.24
login.oscar.aol.com internet (IPv4) address = 152.163.242.28
oscar.aol.com nameserver = dns-01.ns.aol.com
oscar.aol.com nameserver = dns-02.ns.aol.com
dns-01.ns.aol.com internet (IPv4) address = 152.163.159.232
dns-02.ns.aol.com internet (IPv4) address = 205.188.157.232
By performing this query we are shown that login.oscar.aol.com is associated with four IP addresses. This may change at any time, so it is recommended you perform your own NSLOOKUP using server dns-01.ns.AOL.com or dns-02.ns.AOL.com when implementing this solution.
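Because the addresses may change, the lookup result should be compared against the filter list whenever it is re-run. The following is an added example, not part of the original document: it parses lookup output in the format shown above and reports addresses that resolve but have no filter, and filters whose address no longer resolves. The function names are hypothetical, and the second sample is constructed using a documentation address.

```python
import ipaddress
import re

# Hosts entered in the DENY/EXCEPTION filters, as listed in the article.
FILTERED_HOSTS = {"152.163.241.128", "152.163.242.24", "152.163.242.28", "152.163.241.120"}

# Lookup output as shown in the article (address lines only).
LOOKUP_FROM_ARTICLE = """\
login.oscar.aol.com internet (IPv4) address = 152.163.241.120
login.oscar.aol.com internet (IPv4) address = 152.163.241.128
login.oscar.aol.com internet (IPv4) address = 152.163.242.24
login.oscar.aol.com internet (IPv4) address = 152.163.242.28
dns-01.ns.aol.com internet (IPv4) address = 152.163.159.232
"""

# Constructed sample: one address replaced by a documentation address (192.0.2.10).
LOOKUP_CONSTRUCTED = LOOKUP_FROM_ARTICLE.replace(
    "login.oscar.aol.com internet (IPv4) address = 152.163.242.28",
    "login.oscar.aol.com internet (IPv4) address = 192.0.2.10")

ADDRESS_LINE = re.compile(r"^(\S+)\s+internet \(IPv4\) address = (\S+)$")


def addresses_for(hostname, lookup_text):
    """Collect the IPv4 addresses reported for hostname, ignoring other records."""
    found = set()
    for line in lookup_text.splitlines():
        m = ADDRESS_LINE.match(line.strip())
        if not m or m.group(1).lower() != hostname.lower():
            continue
        try:
            found.add(str(ipaddress.IPv4Address(m.group(2))))
        except ValueError:
            continue  # skip malformed addresses rather than filter on them
    return found


def filter_drift(hostname, lookup_text, filtered):
    """Compare resolved addresses with the configured filter hosts."""
    resolved = addresses_for(hostname, lookup_text)
    return {
        "unfiltered": sorted(resolved - filtered),  # resolves, but no filter exists
        "stale": sorted(filtered - resolved),       # filter exists, no longer resolves
    }


if __name__ == "__main__":
    print(filter_drift("login.oscar.aol.com", LOOKUP_FROM_ARTICLE, FILTERED_HOSTS))
    print(filter_drift("login.oscar.aol.com", LOOKUP_CONSTRUCTED, FILTERED_HOSTS))
```

Any entry under "unfiltered" is a login address that the current filters do not cover.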
Additional solutions are available to block MSN Messenger, ICQ, and Yahoo! Instant Messenger.
Author: Robert Heward
Created: Apr. 3, 2001.
document
Document Title: How to block AOL Instant Messenger communication using BorderManager 3.x
Document ID: 10061334
Solution ID: NOVL43573
Creation Date: 26Mar2001
Modified Date: 21Aug2002
Novell Product Class: Groupware Novell BorderManager Services
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.