RE: [FW1] ICQ - Help
I worked on an ICQ/Firewall issue a year ago and this is what I learned....
a lot may have changed in a year and I haven't revisited the ICQ issue. That
said... read on!

You will not be able to get the file transfer part of the ICQ nor the
chatroom part working. ICQ has 2 options for people to connect to each
other. If each person has a "real" IP address then ICQ creates a direct
connection between the two clients. If one or both of the clients has a
hidden IP then ICQ uses a "bounce" server to communicate between them. So
unless your users are using a NAT'ed address then ICQ cannot establish the
direct connection and thus file transfer/chat rooms will not work. AOL
Instant Messenger seems to require a NAT for the file sharing feature to
work as well.

Bill Rogers
I read that on their site, and am still a little confused about the
scenario... that is why I posted the question...

Thanks

Edward Kuhner
PowerIT-Up, Inc.
[email protected]
www.powerit-up.com
fax
Hi Edward, I think that I have bad news for you. I will paste the comment
that was cut from the Phoneboy website (www.phoneboy.com/fw1) that shows how
ICQ and FW-1 work.
Allowing or Blocking ICQ

Q: How do I block ICQ? How do I allow ICQ through my firewall?

A: You can block ICQ access by simply blocking all services to
205.188.153.0, netmask 255.255.255.0 (thanks to Johan Grip
<mailto:[email protected]> for the tip). Also, there's apparently a
program out there that tunnels ICQ over HTTP. To block access to this, you
must block access to www.icqproxy.com, IP 216.122.100.172 (thanks to
Gaston Molina <mailto:[email protected]> for the tip).

ICQ is a program written by Mirabilis, Ltd. <http://www.mirabilis.com> and
is becoming quite popular. Unfortunately, unless you are using a SOCKS5
proxy server, ICQ is not terribly firewall friendly. You will need to make
changes on both the client side and the firewall side. On the firewall, you
will need to create two new services:

* ICQ-UDP (UDP port 4000)
* ICQ-TCP (Other, see below)

For the service of ICQ-TCP, put the following in the match field:

    tcp, th_dport >= a, th_dport <= b

where a and b are the endpoints for the range of ports you wish to allow.
ICQ requires that at least 3 TCP ports in a row be opened, and Mirabilis
recommends 12.

On the ICQ client, you will need to specify:

* Using a non-SOCKS firewall
* Connections time out after 30 seconds (especially if you use HIDE-mode
  translation)
* Using UDP port 4000
* Using TCP ports a through b, as specified above

The rulebase will look like the following for either no address
translation or static address translation (ICQServers is a group that
contains network objects for all known ICQ servers):

    Source        Destination   Service   Action
    InternalNets  ICQServers    ICQ-UDP   Accept
    Any           Any           ICQ-TCP   Accept

If you are using hide translation for your internal users, your rules will
look like:

    Source        Destination   Service   Action
    InternalNets  ICQServers    ICQ-UDP   Accept
    InternalNets  Any           ICQ-TCP   Accept

Limitations of HIDE mode translation and ICQ: Other users behind a firewall
will not be directly accessible. They will only be accessible through the
ICQ server. Users may have to initially send messages to you via the ICQ
servers (i.e. not directly).

Note: The above assumes you have "Accept UDP Replies" checked in
Policy->Properties. If this is not true in your case, you can either:

* Check "Accept UDP Replies" in Policy->Properties
* Create a service called ICQ-UDP-Reply with port >1023, source port
  4000-4000 and add it to your rulebase.
Regards,
Jose Vicente da C Machado
AMERICEL I.T. - Information Security
email: [email protected]
office: (61) 329-6698
fax: (61) 329-6709
mobile: (61) 929-0016
http://www.americel.com.br
Address: SEPS 702/902 Bloco B 1º andar
70390-025 - Brasilia - DF Brazil
> -----Original Message-----
> From: Edward Kuhner [mailto:[email protected]]
> Sent: Friday, January 05, 2001 17:34
> To: [email protected]
> Subject: [FW1] ICQ - Help
>
> Hello All,
>
> We are using HIDE NAT for all of our Internal Users, and I don't have ANY
> outgoing ports blocked
>
> INTERNAL USERS - ANY - ACCEPT
>
> I cannot seem to get the chat/file transfer portions of ICQ to work for me
> though...
>
> If anyone can help, I would appreciate it!
>
> Thanks
>
> Edward Kuhner
> PowerIT-Up, Inc.
> [email protected]
> www.powerit-up.com
>
> fax
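To see how first-match evaluation plays out against the hide-NAT rulebase pasted in the reply above, here is an added Python model of those rules; it is not from this thread or from Check Point, and the InternalNets range 10.1.0.0/16, the peer address used in the checks, and the ICQ-TCP range a=2000 to b=2011 are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects (constructed addresses; 205.188.153.0/24 is the block named in the FAQ).
OBJECTS = {
    "InternalNets": [ip_network("10.1.0.0/16")],
    "ICQServers": [ip_network("205.188.153.0/24")],
    "Any": [ip_network("0.0.0.0/0")],
}

# Services: (proto, dport_lo, dport_hi, sport_lo, sport_hi). For ICQ-TCP the FAQ's
# match "tcp, th_dport >= a, th_dport <= b" is modelled with an assumed a=2000, b=2011.
SERVICES = {
    "ICQ-UDP": ("udp", 4000, 4000, 0, 65535),
    "ICQ-TCP": ("tcp", 2000, 2011, 0, 65535),
    "ICQ-UDP-Reply": ("udp", 1024, 65535, 4000, 4000),  # port >1023, source port 4000
}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

def _in(obj: str, addr: str) -> bool:
    return any(ip_address(addr) in net for net in OBJECTS[obj])

def _matches(svc: str, pkt: Packet) -> bool:
    proto, dlo, dhi, slo, shi = SERVICES[svc]
    return pkt.proto == proto and dlo <= pkt.dport <= dhi and slo <= pkt.sport <= shi

def evaluate(rulebase, pkt: Packet) -> str:
    """First-match evaluation; no rule matching means the implicit cleanup rule drops it."""
    for src, dst, svc, action in rulebase:
        if _in(src, pkt.src) and _in(dst, pkt.dst) and _matches(svc, pkt):
            return action
    return "Drop"

# The hide-NAT rulebase from the FAQ, as (Source, Destination, Service, Action).
HIDE_NAT_RULES = [
    ("InternalNets", "ICQServers", "ICQ-UDP", "Accept"),
    ("InternalNets", "Any", "ICQ-TCP", "Accept"),
]
# Without "Accept UDP Replies", the server's reply to the client's UDP query needs
# this extra rule (the FAQ's second option) or it falls through to the cleanup rule.
WITH_UDP_REPLY = HIDE_NAT_RULES + [("ICQServers", "InternalNets", "ICQ-UDP-Reply", "Accept")]
```

The server's UDP reply (205.188.153.10:4000 to 10.1.2.3:5555) is dropped by HIDE_NAT_RULES alone and accepted by WITH_UDP_REPLY, while an inbound direct TCP connection from a peer to an internal client is dropped either way, which is the direct-connection limitation the thread describes.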