I have re-visited Skype on OSX and get a strong indication that we will not be seeing Skype v.3 on OS X in the near future.
After chasing multiple sources (mainly based on reverse engineering the Skype clients) I have reached a conclusion that the supernode function is not enabled in either the OS X or the Linux clients, and that this is further protected by using port 35502 for incoming connections and not using port 80 and 443 as alternatives for incoming connections in case it was introduced in a later patch.
=== begin control details ===
Installation Details:
These computers are running OSX.3 and OSX.4 (not OSX.5 at this stage)
Bandwidth management measures:
- Skype will only be started for pre-arranged calls and will be shut down when it is not being used.
Stop autostart: via Mac’s System Preferences, select Accounts. Select the user account, then choose Login Items. Locate Skype in the list, highlight Skype then click on the ‘minus’ symbol beneath the list. Don’t simply untick it; REMOVE it.
- “supernode disabled” — as we are on OSX the registry fix is unavailable; 3rd party evidence suggests that the supernode function is only enabled in the Windows client.
- Skype usage will be monitored using our K2 licencing keyserver application.
- Network traffic from this computer will also be monitored.
- Use port 35502 for incoming connections;
DO NOT use port 80 and 443 as alternatives for incoming connections.
=== end control details ===
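One way to check the port control above on a live machine, as an added example that is not part of the original post: the function reads lsof output and flags any Skype TCP listener that is not on 35502, calling out 80 and 443 specifically. The process name "Skype" as shown by lsof, the function names and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# Assumption: the client shows up in lsof with a COMMAND starting "Skype".
ALLOWED_PORT=35502

# Reads `lsof -nP -iTCP` output on stdin.
# Prints one line per Skype listener that breaks the control and
# returns 1 if any were found, 0 otherwise.
check_skype_listeners() {
    awk -v allowed="$ALLOWED_PORT" '
        NR == 1 && $1 == "COMMAND" { next }        # skip the lsof header
        tolower($1) ~ /^skype/ && $NF == "(LISTEN)" {
            name = $(NF - 1)                       # e.g. *:35502 or 10.0.0.5:443
            n = split(name, parts, ":")
            port = parts[n]                        # text after the last colon
            if (port == allowed) next              # the one permitted listener
            why = (port == 80 || port == 443) ? "forbidden fallback port" : "unexpected port"
            printf "VIOLATION pid=%s port=%s (%s)\n", $2, port, why
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input (not captured from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE     SIZE/OFF NODE NAME
Skype     412 alice  41u  IPv4 0x0a1b2c3d      0t0  TCP *:35502 (LISTEN)
Skype     412 alice  42u  IPv4 0x0a1b2c3e      0t0  TCP *:443 (LISTEN)
httpd      88 root    4u  IPv4 0x0a1b2c3f      0t0  TCP *:80 (LISTEN)
EOF
}

# Demo on the sample; on a real machine use:
#   lsof -nP -iTCP | check_skype_listeners
sample_lsof | check_skype_listeners || echo "Skype port control breached"
```

The httpd listener on port 80 is ignored because only Skype processes are in scope for this control.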
Why only port 35502? Not 24312 for example?
35502 is the default Skype port setting and we monitor this port for activity in our environment 🙂
I am a Linux user, but I know Mac has very similar functionality around firewall rules. So, if you know the port number for incoming p2p connections then you can protect your host like this (I use iptables here as the FW ruler just because I know it and to demonstrate the idea):
# Create the custom chain before any rule jumps to it:
iptables -N FW-INPUT
iptables -A INPUT -j FW-INPUT
iptables -A FORWARD -j FW-INPUT
iptables -A FW-INPUT -i lo -j ACCEPT
iptables -A FW-INPUT -p icmp --icmp-type any -j ACCEPT
# This rule allows all outgoing connections, even Skype’s prohibited p2p ones:
iptables -A FW-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Now we prohibit Skype’s p2p port:
iptables -A FW-INPUT -m state --state NEW -m tcp -p tcp --dport 35502 -j REJECT --reject-with icmp-host-prohibited
# All other connections are accepted:
iptables -A FW-INPUT -j ACCEPT
What do U think?
Just to be concrete :).
Mac’s firewall command line tool is ipfw (a legacy of BSD). Here is a link on how to use it:
http://www.oreillynet.com/pub/a/mac/2005/03/15/firewall.html
If you are using port 35502 for Skype to communicate this will block the Skype application, not just the P2P functions.
cheers 🙂