Building on the approach of the old solution, Link, I'll port the whole thing to the ZBF (zone-based firewall).
Here is the first attempt:
--- snip ---
class-map type inspect http block-skype-class
 match request method connect
!
class-map type inspect match-any private-allowed-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect inside-outside-policy
 class type inspect http block-skype-class
  drop
  log
 class type inspect private-allowed-class
  inspect
 class class-default
!
! the good
zone security inside
!
! the bad
zone security dmz
!
! and the ugly
zone security outside
!
! combine inside and outside
! traffic goes from inside to outside
zone-pair security inside-outside source inside destination outside
 service-policy type inspect inside-outside-policy
!
interface FastEthernet 0
 zone-member security inside
!
interface FastEthernet 1
 zone-member security outside
!
--- snip ---
[sourcecode]
!
interface FastEthernet3
 description WAN to VDSL-Modem
 switchport mode trunk
!
interface Vlan7
 description VLAN fuer VDSL
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache policy
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username @t-online.de password 0
[/sourcecode]
With Squid it seems to be relatively easy to get Skype off the network. Let's see.
[sourcecode]
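# --- snip ---
# Prevent Skype from connecting over HTTPS using CONNECT requests to IP addresses (those not using domain names)
# Dots are escaped so that they match a literal "." only
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# Relies on the stock "acl CONNECT method CONNECT" definition
http_access deny CONNECT numeric_IPs all
# Prevent Skype from connecting over HTTP
acl Skype_UA browser Skype
http_access deny Skype_UA
# Prevent anyone from downloading anything from the Skype website
# The leading dot also covers subdomains such as www.skype.com
acl Skype_domain dstdomain .skype.com
http_access deny Skype_domain
# --- snip ---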
[/sourcecode]
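The three deny rules above can be checked offline against sample requests. This Python sketch is an added example, not part of the original post or of Squid: it models `url_regex`, `browser` and `dstdomain` matching with Python's `re` (an assumption, Squid uses its own regex library), uses constructed requests, and compares the numeric-IP pattern with escaped and unescaped dots as well as `.skype.com` with `skype.com`.

```python
import re

# Models of the ACLs above. Assumption: Python's re stands in for Squid's regex library.
NUMERIC_ESCAPED = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")
NUMERIC_UNESCAPED = re.compile(r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+")
SKYPE_UA = re.compile(r"Skype")


def dstdomain_match(host, entry):
    """dstdomain semantics: '.example.com' covers the domain and all its
    subdomains, 'example.com' covers that exact host name only."""
    host, entry = host.lower(), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def decide(method, target, user_agent, numeric=NUMERIC_ESCAPED, domain=".skype.com"):
    """Return the first matching deny rule (http_access order) or 'allow'."""
    # For CONNECT the request target is "host:port"; otherwise it is a full URL.
    host = target.split("://")[-1].split("/")[0].rsplit(":", 1)[0]
    if method == "CONNECT" and numeric.search(target):
        return "deny:numeric_IPs"
    if SKYPE_UA.search(user_agent or ""):
        return "deny:Skype_UA"
    if dstdomain_match(host, domain):
        return "deny:Skype_domain"
    return "allow"


# Constructed sample requests: (method, request target, User-Agent header).
SAMPLES = [
    ("CONNECT", "203.0.113.10:443", ""),                        # tunnel to a bare IP
    ("CONNECT", "www.example.org:443", "Mozilla/5.0"),          # ordinary HTTPS site
    ("GET", "http://www.skype.com/download", "Mozilla/5.0"),    # vendor website
    ("GET", "http://ui.example.net/getlatestversion", "Skype/3.8 (constructed)"),
    ("CONNECT", "1234567.example.org:443", "Mozilla/5.0"),      # digits-only host label
]


def evaluate(numeric=NUMERIC_ESCAPED, domain=".skype.com"):
    return [decide(m, t, ua, numeric, domain) for m, t, ua in SAMPLES]


if __name__ == "__main__":
    loose = evaluate(NUMERIC_UNESCAPED, "skype.com")
    for sample, strict_result, loose_result in zip(SAMPLES, evaluate(), loose):
        print(sample[:2], "| escaped/.skype.com:", strict_result,
              "| unescaped/skype.com:", loose_result)
```

With unescaped dots the last sample, a legitimate host name, is denied as if it were an IP address, and with `skype.com` instead of `.skype.com` the request to `www.skype.com` is allowed.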