blocking IM ports for certain users




exodus
Aug 5, 2008, 01:34 PM
I have a bunch of people in my business using macs, and a lot of them waste time using instant messaging programs. I would love to block the access entirely on the router by shutting the port, but some people need it for actual work. Does anyone know a way to block access to certain ports on a per-user basis? Thanks in advance
-Ex
:apple:



StealthRider
Aug 5, 2008, 10:12 PM
You could perhaps try talking to your employees first, before you go messing around with all of your computers.

CanadaRAM
Aug 5, 2008, 10:24 PM
I have a bunch of people in my business using macs, and a lot of them waste time using instant messaging programs. I would love to block the access entirely on the router by shutting the port, but some people need it for actual work. Does anyone know a way to block access to certain ports on a per-user basis? Thanks in advance
-Ex
:apple:

How powerful is your router? You could solve this problem with a gazillion dollars of hardware and a huge investment in time for configuration. Until next time.

theyellowdart
Aug 5, 2008, 10:26 PM
Depends on your network and where you are doing the blocking, and where the people who need to connect are.

If the users who need to get on an IM are all on specific computers (e.g. they aren't sharing a computer with users who you don't want on) I would simply deny all to the various ports that IM apps use (5190 for AIM as an example), give the users who need to have access a static IP and allow access for those specific IPs.

Now there are issues with this: first, if your users are intelligent they just change the port iChat uses to, say, port 80 and it will connect (in which case you can block access to the AIM server).


However, after that long explanation, I'm assuming that isn't a possibility for you, or you want to do it on the machine level. In which case I would recommend you look at Firewalk X. Haven't used it in a while but I know it had the ability to only allow specific applications use the network with a lot of additional rules and features you might find interesting.
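The per-IP allowlist from the post above, modelled as a first-match rule list. This is an added example, not part of the original post; it shows why the port-only rules miss an IM client moved to port 80 and how the destination block closes that gap. The LAN addresses and the server range are constructed placeholders; only port 5190 comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AIM_PORT = 5190                                   # port named in the post
IM_USERS = [ip_network("192.168.1.10/32"),        # constructed static IPs of staff
            ip_network("192.168.1.11/32")]        # who need IM for work
AIM_SERVERS = [ip_network("203.0.113.0/24")]      # placeholder for the IM service's range

@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: list = None       # list of networks; None = any source
    dst: list = None       # list of networks; None = any destination
    dport: int = None      # None = any port

    def matches(self, src, dst, dport):
        in_nets = lambda ip, nets: nets is None or any(ip_address(ip) in n for n in nets)
        return (in_nets(src, self.src) and in_nets(dst, self.dst)
                and self.dport in (None, dport))

def decide(rules, src, dst, dport):
    """Return the action of the first matching rule (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"

# Port-only policy: exempt the IM users, drop port 5190 for everyone else.
PORT_ONLY = [
    Rule("allow", src=IM_USERS, dport=AIM_PORT),
    Rule("deny", dport=AIM_PORT),
    Rule("allow"),
]

# Same policy plus a destination block, so moving the client to port 80 does not help.
PORT_AND_SERVER = [
    Rule("allow", src=IM_USERS, dst=AIM_SERVERS),
    Rule("allow", src=IM_USERS, dport=AIM_PORT),
    Rule("deny", dst=AIM_SERVERS),
    Rule("deny", dport=AIM_PORT),
    Rule("allow"),
]

if __name__ == "__main__":
    # A non-exempt workstation reaching the IM service over port 80.
    for name, rules in (("port only", PORT_ONLY), ("port + server", PORT_AND_SERVER)):
        print(name, decide(rules, "192.168.1.50", "203.0.113.5", 80))
```

On a real router the same ordering applies: the exemptions for the static IPs have to sit above the deny rules, and the destination list has to be kept current.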

Consultant
Aug 6, 2008, 09:35 AM
Easy way (but easy to bypass)

Block the usual ports used by IM (you might have to look up all standard ones).

Set up some new ports on internal network that forwards to the proper external ports.

The thing is, it only works until people figure out how to bypass it. People can use web based IM such as meebo...

Even in billion dollar revenue enterprises, IM blocking is bypassed, so someone with a smaller budget might have a hard time. It's more of a policy issue that management has to lay out in terms of internet policy.

corbywan
Aug 6, 2008, 10:41 AM
Would there be a way to block access to the applications themselves with some user-based privilege rights on the machines themselves? Parental Controls comes to mind, but I imagine without OSX server something like this would be a pain to administrate. Maybe not? Never done it before.

exodus
Aug 6, 2008, 12:42 PM
Thank you for all of the useful information. I'll try out some of these, and post my results just in case anyone else needs to do this type of thing.
-Ex

jeremy.king
Aug 6, 2008, 02:41 PM
I have a bunch of people in my business using macs, and a lot of them waste time using instant messaging programs.


What do you do about those wasting time posting to forums? :rolleyes: Are you monitoring conversations? Do you have internal IM? How do you know they are "wasting time?"

In any case, I agree with the conversation suggestion. There may be a reason they "waste" time - lack of challenge or interesting work, no growth opportunities, etc...

exodus
Aug 7, 2008, 03:25 PM
Yes, I understand blocking people's access to websites and instant messaging programs is just picking at the leaves of a problem that needs to be solved at the root. But until deeper policy changes can be made, my goal is to remove as many temptations as possible. When people are at work, they should be working. I am working on providing 'open' computers that employees can access on their lunch break to do whatever they please.
It's the thumbs up I get when peeking into an office, and the employee is actually chatting with a gal they met at match.com instead of working that bothers me.
-Ex