Blocking MSN with the Thomson SpeedTouch 580 ADSL Wireless modem

It took several nights of fighting with the SpeedTouch 580 telnet interface to learn how to configure the firewall beyond the simple options offered by the user interface. We wanted to block MS Messenger, though the commands obviously apply to any other firewalling task. The firewall commands were not obvious, so these instructions have been written as a guide.

The first thing to know is that an address or port range is associated with a keyword using the expr command; you then refer to that keyword in the rule section of the firewall command. For example, MSN uses tcp port 1863 to register with Microsoft. If this is blocked, it then tries tcp port 80 to hosts within a Microsoft domain. To block tcp port 1863, the modem must be sent the expr command:
:expr add name=msn1863tcp type=serv proto=tcp dstport=1863 dstportend=1863

and then have this added to the forward section of the firewall rules using this command:
:firewall rule add chain=forward name=msn1863tcp serv=msn1863tcp state=enabled action=drop

Notice that this pair of commands contains the information you would expect to find in a firewall rule: the protocol and the port. Also notice that it is given the name msn1863tcp. Besides it being essential to use unique and understandable names, this is useful if you want to remove the rules automatically. Rules are removed by their index number rather than by the contents of the rule, so I find it easier to re-enable MSN by looking up and deleting the index numbers of all rules with msn in their name.

To successfully block MSN at the moment (8th Dec, 2006), you must block tcp port 1863 and tcp port 80 to the Microsoft address ranges 65.52.0.0-65.55.255.255 and 207.46.0.0-207.46.255.255. Online research suggested we should also block tcp port 5190, the tcp range 6891-6901 and udp ports 80, 1863, 5190 and 6901. We never proved these ports to be necessary: with windump they were not seen during MSN logon, but maybe they are used later.

The full MSN blocking script looks like this:
:expr add name=msn1863tcp type=serv proto=tcp dstport=1863 dstportend=1863
:firewall rule add chain=forward name=msn1863tcp serv=msn1863tcp state=enabled action=drop
:expr add name=msn5190tcp type=serv proto=tcp dstport=5190 dstportend=5190
:firewall rule add chain=forward name=msn5190tcp serv=msn5190tcp state=enabled action=drop
:expr add name=msn80addr1 type=ip addr=65.52.0.0-65.55.255.255
:expr add name=msn80addr2 type=ip addr=207.46.0.0-207.46.255.255
:expr add name=msn80port type=serv proto=tcp dstport=80 dstportend=80
:firewall rule add chain=forward name=msn80a dstip=msn80addr1 serv=msn80port state=enabled action=drop
:firewall rule add chain=forward name=msn80b dstip=msn80addr1 state=enabled action=drop
:firewall rule add chain=forward name=msn80c dstip=msn80addr2 state=enabled action=drop
:expr add name=msn6891-6901 type=serv proto=tcp dstport=6891 dstportend=6901
:firewall rule add chain=forward name=msn6891-6901 serv=msn6891-6901 state=enabled action=drop
:expr add name=msn80udp type=serv proto=udp dstport=80 dstportend=80
:firewall rule add chain=forward name=msn80udp serv=msn80udp state=enabled action=drop
:expr add name=msn1863udp type=serv proto=udp dstport=1863 dstportend=1863
:firewall rule add chain=forward name=msn1863udp serv=msn1863udp state=enabled action=drop
:expr add name=msn5190udp type=serv proto=udp dstport=5190 dstportend=5190
:firewall rule add chain=forward name=msn5190udp serv=msn5190udp state=enabled action=drop
:expr add name=msn6901udp type=serv proto=udp dstport=6901 dstportend=6901
:firewall rule add chain=forward name=msn6901udp serv=msn6901udp state=enabled action=drop

This is mainly for reference, or if you want to copy'n'paste it in. If you want to enable and disable MSN you will need something more automated to enter the rules, and to enter the commands that delete them. The ideal tool for the job is expect, a Tcl/Tk extension. In our case, a Linux machine behind the SpeedTouch modem has expect installed. Using expect, these commands can be sent to the modem simply by running the script. Using another expect script, the firewall rules can be removed, though this isn't as straightforward as it seems: once added, the rules have indexes, and that index number must be used to delete a rule.
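As an added example (not one of the page's scripts), the following Python builds the expr/rule pairs from a table of the ports and address ranges listed above, and picks out the indexes to delete from a rule listing. The listing layout and the renumber-on-delete behaviour are assumptions; unlike msn80b and msn80c in the script above, which carry no serv= and so are not limited to port 80, it restricts the address rules to tcp port 80 as the text describes.

```python
import re

# Block list from the page: (expr/rule name, protocol, first port, last port)
MSN_PORTS = [
    ("msn1863tcp", "tcp", 1863, 1863), ("msn5190tcp", "tcp", 5190, 5190),
    ("msn6891-6901", "tcp", 6891, 6901), ("msn80udp", "udp", 80, 80),
    ("msn1863udp", "udp", 1863, 1863), ("msn5190udp", "udp", 5190, 5190),
    ("msn6901udp", "udp", 6901, 6901),
]
# Microsoft address ranges from the page, each becoming a 'type=ip' expr
MSN_ADDRS = [("msn80addr1", "65.52.0.0-65.55.255.255"),
             ("msn80addr2", "207.46.0.0-207.46.255.255")]

def port_rules(entries):
    """One 'type=serv' expr plus one forward-chain drop rule per entry."""
    lines, seen = [], set()
    for name, proto, lo, hi in entries:
        if name in seen or proto not in ("tcp", "udp") or not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad entry: {name}")  # names must be unique
        seen.add(name)
        lines.append(f":expr add name={name} type=serv proto={proto} "
                     f"dstport={lo} dstportend={hi}")
        lines.append(f":firewall rule add chain=forward name={name} serv={name} "
                     f"state=enabled action=drop")
    return lines

def addr_rules(addrs, port_name="msn80port", port=80):
    """Drop tcp/<port> to each range; each rule carries serv= (msn80b/msn80c on the page do not)."""
    lines = [f":expr add name={port_name} type=serv proto=tcp "
             f"dstport={port} dstportend={port}"]
    for i, (name, rng) in enumerate(addrs):
        lines.append(f":expr add name={name} type=ip addr={rng}")
        lines.append(f":firewall rule add chain=forward name=msn80{chr(97 + i)} "
                     f"dstip={name} serv={port_name} state=enabled action=drop")
    return lines

# Constructed sample rule listing; the real ':firewall rule list' layout may differ, so adapt the regex.
SAMPLE_LISTING = """Idx  Name         Action
  1  msn1863tcp   drop
  2  allowdns     accept
  3  msn80a       drop
  4  msn6901udp   drop"""
_RULE_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\S+\s*$")

def msn_rule_indexes(listing, tag="msn"):
    """Indexes of rules whose name contains tag, highest first: deleting from the
    top down keeps the lower indexes valid even if the modem renumbers on delete."""
    found = [int(m.group(1)) for m in map(_RULE_LINE.match, listing.splitlines())
             if m and tag in m.group(2)]
    return sorted(found, reverse=True)
```

The generated lines can be fed to the modem by an expect script in the same way as the hand-written list above.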

The complete set of expect scripts is available here: modemfw.tar.gz. Obviously you will need to change the username/password and IP of the modem. The scripts should go into /usr/local/share/modemfw, and the frontend scripts into your /bin/ directory.

This tarball consists of:
bin/fwadd   : Frontend script, adds the MSN blocking rules.
bin/fwrm    : Frontend script, removes the MSN blocking rules.
bin/fwgoto  : Frontend script, logs into the modem's command prompt.
modemfw/addmsnfw.expect : The rule adding script.
modemfw/gotomodem.expect : A simple log-into-the-prompt script that enters the username/password for you.
modemfw/rmmsnfw.sh : The rule deletion script, which uses the scripts below.
modemfw/listmsnports.expect : Prints all the expr(essions), so rmmsnfw.sh knows what to delete.
modemfw/listmsnfw.expect : Prints all the firewalls rules, so rmmsnfw.sh knows what to delete.
modemfw/rmmsnfwports.expectt : Template which rmmsnfw.sh modifies to delete all MSN expr(essions).
modemfw/rmmsnfw.expectt : Template which rmmsnfw.sh modifies to delete all MSN rules.

Contact

Written by Greg: greg at csc liv ac uk. Would welcome any comments.