
RE: [FW1] ICQ - Help

I read that on their site, and am still a little confused about the scenario...  that is why I posted the question...
 
Thanks

Edward Kuhner
PowerIT-Up, Inc.
[email protected]
www.powerit-up.com

fax

-----Original Message-----
From: Jose Vicente da Costa Machado Filho [mailto:[email protected]]
Sent: Friday, January 05, 2001 5:51 PM
To: '[email protected]'; [email protected]
Subject: RE: [FW1] ICQ - Help

Hi Edward, I think that I have bad news for you. I will paste the comment that was cut from the Phoneboy Website (www.phoneboy.com/fw1) that shows how ICQ and FW-1 work.

Allowing or Blocking ICQ
Q:
How do I block ICQ?
How do I allow ICQ through my firewall?
A:
You can block ICQ access by simply blocking all services to 205.188.153.0, netmask 255.255.255.0 (Thanks to Johan Grip <mailto:[email protected]> for the tip). Also, there's apparently a program out there that tunnels ICQ over HTTP. To block access to this, you must block access to www.icqproxy.com, IP 216.122.100.172 (Thanks to Gaston Molina <mailto:[email protected]> for the tip)

ICQ is a program written by Mirabilis, Ltd., <http://www.mirabilis.com> and is becoming quite popular. Unfortunately, unless you are using a SOCKS5 proxy server, ICQ is not terribly firewall friendly. You will need to make changes on both the client side and the firewall side. On the firewall, you will need to create two new services:

*       ICQ-UDP (UDP port 4000)
*       ICQ-TCP (Other, see below)
For the service of ICQ-TCP, put the following in the match field:
tcp, th_dport >= a, th_dport <= b
Where a and b are the endpoints for the range of ports you wish to allow. ICQ requires at least 3 TCP ports in a row be opened and Mirabilis recommends 12.

On the ICQ client, you will need to specify:
        Using a non-SOCKS firewall
        Connections time out after 30 seconds (especially if you use HIDE-mode translation)
        Using UDP port 4000
        Using TCP ports a through b, as specified above
The rulebase will look like the following for either no address translation or static address translation (ICQServers is a group that contains network objects for all known ICQ Servers):

Source         Destination    Service    Action
InternalNets   ICQServers     ICQ-UDP    Accept
Any            Any            ICQ-TCP    Accept
If you are using hide translation for your internal users, your rules will look like:
Source         Destination    Service    Action
InternalNets   ICQServers     ICQ-UDP    Accept
InternalNets   Any            ICQ-TCP    Accept
Limitations of HIDE mode translation and ICQ:
Other users behind a firewall will not be directly accessible. They will only be accessible through the ICQ server. Users may have to initially send messages to you via the ICQ servers (i.e. not directly). Note: The above assumes you have "Accept UDP Replies" checked in Policy->Properties. If this is not true in your case, you can either:

*       Check "Accept UDP Replies" in Policy->Properties
*       Create a service called ICQ-UDP-Reply with port >1023, source port 4000-4000 and add to your rulebase.

Regards,
Jose Vicente da C Machado
AMERICEL
I.T. - Information Security
email: [email protected]
office:(61) 329-6698
fax:(61) 329-6709
mobile:(61) 929-0016
http://www.americel.com.br
Address:
SEPS 702/902 Bloco B 1º andar
70390-025 - Brasilia - DF
Brazil

>  -----Original Message-----
> From:         Edward Kuhner [mailto:[email protected]]
> Sent: Friday, January 05, 2001 17:34
> To:   [email protected]
> Subject:      [FW1] ICQ - Help
>
> Hello All,
>
> We are using HIDE NAT for all of our Internal Users, and I don't have ANY outgoing ports blocked
>
> INTERNAL USERS   -   ANY   -   ACCEPT
>
> I cannot seem to get the chat/file transfer portions of ICQ to work for me though...
>
> If anyone can help, I would appreciate it!
>
> Thanks
>
> Edward Kuhner
> PowerIT-Up, Inc.
> [email protected]
> www.powerit-up.com
>
> fax
>
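Added example, not from the list post or from Check Point: a small Python model of the FAQ's hide-translation rulebase, to make concrete why the ICQ server's UDP replies need either "Accept UDP Replies" or the ICQ-UDP-Reply service, and how the ICQ-TCP port-range match behaves. It ignores connection state and address translation (which FW-1 itself tracks); the internal network, the port range a..b and the sample addresses are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample network objects; on a real firewall ICQServers is whatever
# the group contains. The /24 is the one the FAQ names for blocking ICQ.
ICQ_SERVERS = [ip_network("205.188.153.0/24")]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
A, B = 2000, 2011  # assumed "a" and "b": the 12 consecutive TCP ports Mirabilis recommends

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

# Service objects, written as predicates mirroring the FW-1 match fields.
SERVICES = {
    "ICQ-UDP": lambda p: p.proto == "udp" and p.dport == 4000,
    # match field from the FAQ: tcp, th_dport >= a, th_dport <= b
    "ICQ-TCP": lambda p: p.proto == "tcp" and A <= p.dport <= B,
    # FAQ's workaround service: destination port >1023, source port 4000-4000
    "ICQ-UDP-Reply": lambda p: p.proto == "udp" and p.sport == 4000 and p.dport > 1023,
}

def in_group(addr, group):
    return group == "Any" or any(ip_address(addr) in net for net in group)

def evaluate(rulebase, pkt):
    """First matching rule wins; anything unmatched hits the implicit drop."""
    for src, dst, svc, action in rulebase:
        if in_group(pkt.src, src) and in_group(pkt.dst, dst) and SERVICES[svc](pkt):
            return action
    return "Drop"

# The hide-translation rulebase from the FAQ, with "Accept UDP Replies" unchecked.
HIDE_NAT_RULES = [
    (INTERNAL_NETS, ICQ_SERVERS, "ICQ-UDP", "Accept"),
    (INTERNAL_NETS, "Any", "ICQ-TCP", "Accept"),
]
# The same rulebase plus the FAQ's ICQ-UDP-Reply rule for the server's replies.
WITH_REPLY_RULES = HIDE_NAT_RULES + [(ICQ_SERVERS, INTERNAL_NETS, "ICQ-UDP-Reply", "Accept")]

# Constructed sample traffic (198.51.100.7 stands in for another ICQ user).
CLIENT_TO_SERVER = Packet("udp", "10.1.2.3", "205.188.153.10", 40001, 4000)
SERVER_REPLY = Packet("udp", "205.188.153.10", "10.1.2.3", 4000, 40001)
PEER_TCP_IN_RANGE = Packet("tcp", "10.1.2.3", "198.51.100.7", 50000, 2005)
PEER_TCP_OUT_OF_RANGE = Packet("tcp", "10.1.2.3", "198.51.100.7", 50000, 2020)
```

With HIDE_NAT_RULES the client's packet to port 4000 is accepted but the server's reply from port 4000 is dropped; WITH_REPLY_RULES accepts the reply, and TCP to a port outside a..b is dropped either way.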



 
   All contents © 2004 Network Presence, LLC. All rights reserved.