I’m playing around with blocking all outbound connections on our computers and running most traffic through a proxy … Skype, however, won’t make voice/video calls with the HTTPS proxy set. We had to add a lot of subnets to the ruleset before the called party would get a ring. But it finally worked. This is the NFT ruleset, but I’ve got the same subnets added to the Windows Firewall too.
table inet filter {
    chain WIFI-FILTERONLYLOCAL {
        type filter hook output priority filter; policy accept;
        ip protocol tcp ip daddr 10.0.0.0/8 accept
        ip protocol udp ip daddr 10.0.0.0/8 accept
        ip protocol tcp ip daddr 13.64.0.0/11 accept
        ip protocol tcp ip daddr 13.96.0.0/13 accept
        ip protocol tcp ip daddr 13.104.0.0/14 accept
        ip protocol tcp ip daddr 13.107.0.0/16 accept
        ip protocol tcp ip daddr 13.107.6.171/32 accept
        ip protocol tcp ip daddr 13.107.18.15/32 accept
        ip protocol tcp ip daddr 13.107.140.6/32 accept
        ip protocol tcp ip daddr 20.20.32.0/19 accept
        ip protocol tcp ip daddr 20.180.0.0/14 accept
        ip protocol tcp ip daddr 20.184.0.0/13 accept
        ip protocol tcp ip daddr 20.190.128.0/18 accept
        ip protocol tcp ip daddr 20.192.0.0/10 accept
        ip protocol tcp ip daddr 20.202.0.0/16 accept
        ip protocol udp ip daddr 20.202.0.0/16 accept
        ip protocol tcp ip daddr 20.231.128.0/19 accept
        ip protocol tcp ip daddr 40.126.0.0/18 accept
        ip protocol tcp ip daddr 51.105.0.0/16 accept
        ip protocol tcp ip daddr 51.116.0.0/16 accept
        ip protocol tcp ip daddr 52.108.0.0/14 accept
        ip protocol tcp ip daddr 52.112.0.0/14 accept
        ip protocol tcp ip daddr 52.138.0.0/16 accept
        ip protocol udp ip daddr 52.138.0.0/16 accept
        ip protocol tcp ip daddr 52.145.0.0/16 accept
        ip protocol tcp ip daddr 52.146.0.0/15 accept
        ip protocol tcp ip daddr 52.148.0.0/14 accept
        ip protocol tcp ip daddr 52.152.0.0/13 accept
        ip protocol tcp ip daddr 52.160.0.0/11 accept
        ip protocol tcp ip daddr 52.244.37.168/32 accept
        ip protocol tcp ip daddr 138.91.0.0/16 accept
        ip protocol udp ip daddr 138.91.0.0/16 accept
        ip protocol icmp accept
        ip protocol udp ct state { established, related } accept
        limit rate over 1/second log prefix "FILTERONLYLOCAL: "
        drop
    }
}
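
An allowlist that grows by trial and error tends to collect entries that a broader entry already covers, which makes it harder to audit. The following is an added example, not part of the original post: it takes the prefixes from the ruleset above, reports the ones already covered, and renders the rest as nftables named interval sets. The set names `skype_tcp` and `skype_udp` are hypothetical.

```python
import ipaddress

# Destination prefixes copied from the accept rules in the ruleset above.
RULES = {
    "tcp": """10.0.0.0/8 13.64.0.0/11 13.96.0.0/13 13.104.0.0/14 13.107.0.0/16
        13.107.6.171/32 13.107.18.15/32 13.107.140.6/32 20.20.32.0/19 20.180.0.0/14
        20.184.0.0/13 20.190.128.0/18 20.192.0.0/10 20.202.0.0/16 20.231.128.0/19
        40.126.0.0/18 51.105.0.0/16 51.116.0.0/16 52.108.0.0/14 52.112.0.0/14
        52.138.0.0/16 52.145.0.0/16 52.146.0.0/15 52.148.0.0/14 52.152.0.0/13
        52.160.0.0/11 52.244.37.168/32 138.91.0.0/16""".split(),
    "udp": "10.0.0.0/8 20.202.0.0/16 52.138.0.0/16 138.91.0.0/16".split(),
}


def shadowed(prefixes):
    """Map each prefix that a broader listed prefix already covers to that prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    found = {}
    for net in nets:
        covers = [m for m in nets if m != net and net.subnet_of(m)]
        if covers:
            # Report the broadest covering entry (smallest prefix length).
            found[str(net)] = str(min(covers, key=lambda m: m.prefixlen))
    return found


def collapse(prefixes):
    """Smallest CIDR list that matches exactly the same addresses."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def nft_set(name, prefixes):
    """Render an nftables named interval set; the set name is a hypothetical choice."""
    elements = ",\n            ".join(collapse(prefixes))
    return (f"    set {name} {{\n        type ipv4_addr\n        flags interval\n"
            f"        elements = {{ {elements} }}\n    }}")


if __name__ == "__main__":
    for proto, prefixes in RULES.items():
        for narrow, broad in shadowed(prefixes).items():
            print(f"# {proto}: {narrow} is already covered by {broad}")
        print(nft_set(f"skype_{proto}", prefixes))
        # Matching rule, in the ruleset's own style:
        #   ip protocol <proto> ip daddr @skype_<proto> accept
```

The set definitions go inside `table inet filter`, before the chain that references them.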