RE: [FW1] ICQ - Help
I read that on their site, and am still a little confused about the scenario...
that is why I posted the question...

Thanks

Edward Kuhner
PowerIT-Up, Inc.
[email protected]
www.powerit-up.com
fax
Hi Edward, I think that I have bad news for you. I will paste the comment that
was cut from the Phoneboy website (www.phoneboy.com/fw1) that shows how ICQ and
FW-1 work.
Allowing or Blocking ICQ

Q: How do I block ICQ? How do I allow ICQ through my firewall?

A: You can block ICQ access by simply blocking all services to 205.188.153.0,
netmask 255.255.255.0 (Thanks to Johan Grip <mailto:[email protected]> for the
tip). Also, there's apparently a program out there that tunnels ICQ over HTTP.
To block access to this, you must block access to www.icqproxy.com, IP
216.122.100.172 (Thanks to Gaston Molina <mailto:[email protected]> for the
tip).
ICQ is a program written by Mirabilis, Ltd., <http://www.mirabilis.com>
and is becoming quite popular. Unfortunately, unless you are using a SOCKS5
proxy server, ICQ is not terribly firewall friendly. You will need to make
changes on both the client side and the firewall side. On the firewall, you
will need to create two new services:
  * ICQ-UDP (UDP port 4000)
  * ICQ-TCP (Other, see below)

For the service of ICQ-TCP, put the following in the match field:

  tcp, th_dport >= a, th_dport <= b

Where a and b are the endpoints for the range of ports you wish to allow. ICQ
requires that at least 3 TCP ports in a row be opened, and Mirabilis recommends
12.
On the ICQ client, you will need to specify:

  * Using a non-SOCKS firewall
  * Connections time out after 30 seconds (especially if you use HIDE-mode
    translation)
  * Using UDP port 4000
  * Using TCP ports a through b, as specified above

The rulebase will look like the following for either no address translation or
static address translation (ICQServers is a group that contains network objects
for all known ICQ Servers):
  Source         Destination    Service    Action
  InternalNets   ICQServers     ICQ-UDP    Accept
  Any            Any            ICQ-TCP    Accept

If you are using hide translation for your internal users, your rules will
look like:

  Source         Destination    Service    Action
  InternalNets   ICQServers     ICQ-UDP    Accept
  InternalNets   Any            ICQ-TCP    Accept

Limitations of HIDE mode translation and ICQ:

  * Other users behind a firewall will not be directly accessible. They will
    only be accessible through the ICQ server.
  * Users may have to initially send messages to you via the ICQ servers (i.e.
    not directly).

Note: The above assumes you have "Accept UDP Replies" checked in
Policy->Properties. If this is not true in your case, you can either:

  * Check "Accept UDP Replies" in Policy->Properties
  * Create a service called ICQ-UDP-Reply with port >1023, source port
    4000-4000 and add it to your rulebase.
Regards,

Jose Vicente da C Machado
AMERICEL I.T. - Information Security
email: [email protected]
office: (61) 329-6698
fax: (61) 329-6709
mobile: (61) 929-0016
http://www.americel.com.br
Address: SEPS 702/902 Bloco B 1º andar
70390-025 - Brasilia - DF Brazil
> -----Original Message-----
> From: Edward Kuhner [mailto:[email protected]]
> Sent: Friday, January 05, 2001 17:34
> To: [email protected]
> Subject: [FW1] ICQ - Help
>
> Hello All,
>
> We are using HIDE NAT for all of our Internal Users, and I don't have ANY
> outgoing ports blocked
>
> INTERNAL USERS - ANY - ACCEPT
>
> I cannot seem to get the chat/file transfer portions of ICQ to work for me
> though...
>
> If anyone can help, I would appreciate it!
>
> Thanks
>
> Edward Kuhner
> PowerIT-Up, Inc.
> [email protected]
> www.powerit-up.com
>
> fax
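The following is an added example, not code from this thread or from the Phoneboy FAQ quoted in Jose's reply: a small first-match rulebase evaluator that plays the two rulebases (static/no NAT and hide NAT) and the "Accept UDP Replies" property against a constructed ICQ login, its server reply, and a direct peer-to-peer chat connection in each direction. The internal address space (10.0.0.0/8), the external peer (192.0.2.7), the sample ports and the ICQ-TCP endpoints a..b (2000..2011, the 12 ports Mirabilis recommends) are assumptions; ICQServers is the 205.188.153.0/24 block the FAQ names.

```python
"""Added example: evaluate the FW-1 rulebases quoted in the FAQ above.
Not code from the thread or from Phoneboy. Addresses, ports and the
a..b endpoints are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = None                                    # wildcard network object
INTERNAL_NETS = [ip_network("10.0.0.0/8")]    # assumed InternalNets
ICQ_SERVERS = [ip_network("205.188.153.0/24")]  # block named in the FAQ
ICQ_TCP_A, ICQ_TCP_B = 2000, 2011             # assumed a..b (12 ports)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


# Service objects as defined in the FAQ.
def icq_udp(p):           # ICQ-UDP: UDP port 4000
    return p.proto == "udp" and p.dport == 4000


def icq_tcp(p):           # ICQ-TCP match field: tcp, th_dport >= a, th_dport <= b
    return p.proto == "tcp" and ICQ_TCP_A <= p.dport <= ICQ_TCP_B


def icq_udp_reply(p):     # ICQ-UDP-Reply: port > 1023, source port 4000-4000
    return p.proto == "udp" and p.sport == 4000 and p.dport > 1023


def in_nets(addr, nets):
    return nets is ANY or any(ip_address(addr) in n for n in nets)


class Firewall:
    """First-match rulebase with the implicit drop at the end."""

    def __init__(self, rulebase, accept_udp_replies=True):
        self.rulebase = rulebase
        self.accept_udp_replies = accept_udp_replies
        self._udp_flows = set()   # (src, sport, dst, dport) of accepted UDP packets

    def check(self, p):
        # Policy->Properties "Accept UDP Replies": the reverse of an already
        # accepted UDP packet is let through before the rulebase is consulted.
        if (self.accept_udp_replies and p.proto == "udp"
                and (p.dst, p.dport, p.src, p.sport) in self._udp_flows):
            return "udp-reply", "accept"
        for n, (src, dst, svc, action) in enumerate(self.rulebase, 1):
            if in_nets(p.src, src) and in_nets(p.dst, dst) and svc(p):
                if action == "accept" and p.proto == "udp":
                    self._udp_flows.add((p.src, p.sport, p.dst, p.dport))
                return n, action
        return "implicit", "drop"


# Rulebases as quoted: (source, destination, service, action).
RULES_STATIC = [
    (INTERNAL_NETS, ICQ_SERVERS, icq_udp, "accept"),
    (ANY, ANY, icq_tcp, "accept"),
]
RULES_HIDE = [
    (INTERNAL_NETS, ICQ_SERVERS, icq_udp, "accept"),
    (INTERNAL_NETS, ANY, icq_tcp, "accept"),
]
# Hide-NAT rulebase plus the ICQ-UDP-Reply rule for a firewall that has
# "Accept UDP Replies" unchecked.
RULES_HIDE_NO_UDP_REPLIES = RULES_HIDE + [
    (ICQ_SERVERS, INTERNAL_NETS, icq_udp_reply, "accept"),
]

# Constructed sample packets (assumed addresses and ports).
CLIENT, SERVER, PEER = "10.1.1.5", "205.188.153.10", "192.0.2.7"
SAMPLES = {
    "login":    Packet(CLIENT, SERVER, "udp", 1500, 4000),  # client -> ICQ server
    "reply":    Packet(SERVER, CLIENT, "udp", 4000, 1500),  # server's answer
    "chat_out": Packet(CLIENT, PEER, "tcp", 3001, 2003),    # we open direct chat
    "chat_in":  Packet(PEER, CLIENT, "tcp", 3002, 2005),    # peer opens direct chat
}


def run(rulebase, accept_udp_replies=True):
    """Return {sample name: action} for SAMPLES, evaluated in order."""
    fw = Firewall(rulebase, accept_udp_replies)
    return {name: fw.check(p)[1] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rb, udp in [("static NAT", RULES_STATIC, True),
                           ("hide NAT", RULES_HIDE, True),
                           ("hide NAT, no UDP replies", RULES_HIDE, False),
                           ("hide NAT + ICQ-UDP-Reply", RULES_HIDE_NO_UDP_REPLIES, False)]:
        print(f"{label:26s} {run(rb, udp)}")
```

Under the hide-NAT rulebase the inbound peer connection (chat_in) is dropped because rule 2 only matches InternalNets as the source, which is the "not directly accessible" limitation the FAQ lists; in practice the peer would not even reach an internal address, since it only ever sees the hide address, so direct chat and file transfer can only be set up through the ICQ server. Unchecking "Accept UDP Replies" without adding the ICQ-UDP-Reply rule drops the server's answer to the login, and adding that rule restores it.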