* icq
From: Peter Marshall @ 2004-06-16 17:45 UTC (permalink / raw)
To: netfilter
What do I need to do to allow ICQ to work through my firewall?
Peter Marshall, BCS
Network Administrator, CARIS
115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA
Phone: (506) 458-8533 (Reception)
* RE: icq
From: Alexis @ 2004-06-16 17:51 UTC (permalink / raw)
To: netfilter
Let port tcp/5050 pass through to destination "at least" login.icq.com
* Re: icq
From: Florian Boelstler @ 2004-06-16 18:25 UTC (permalink / raw)
Cc: netfilter
Hi,
Peter Marshall wrote:
> What do I need to do to allow ICQ to work through my firewall?
For plain ICQ messages I use the following rules in my iptables setup
script:
IPTABLES=$(which iptables)          # no leading "$" on a shell assignment
ICQ="205.188.0.0/16 64.12.0.0/16"   # subnets for ICQ servers
[...]
# if you use iptables on your desktop
for icq in $ICQ
do
    # "-m state" needs "--state NEW"; a bare "NEW" is rejected by iptables
    $IPTABLES -A OUTPUT -o <YOUR EXTERNAL IF> -m state --state NEW \
        -p TCP --sport 1024:65535 --dport 5190 -d $icq -j ACCEPT
done
# if you use iptables on your gateway
for icq in $ICQ
do
    $IPTABLES -A FORWARD -i <YOUR INTERNAL IF> \
        -o <YOUR EXTERNAL IF> -m state --state NEW -p TCP \
        --sport 1024:65535 --dport 5190 -d $icq -j ACCEPT
done
[...]
Of course you'll need default rules(ESTABLISHED,RELATED) for all
subsequent packets and the way back to your clients or desktop.
Florian
--
Public PGP key is available on common key servers.
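The "default rules" Florian's fragment leaves out, written as one complete dry-run script. This is an added example, not code from Florian's post: the interface names, the internal subnet and the dry-run default are assumptions, and the ICQ subnets are simply the two from his post, which should be re-checked (dig login.icq.com, whois) before anyone loads them. It uses -m conntrack --ctstate, of which -m state --state is the older alias.

```shell
#!/bin/sh
# Added example, not from the thread: the gateway and desktop rulesets around
# Florian's ICQ rules, with the ESTABLISHED,RELATED defaults spelled out.
# Interface names, internal subnet and the DRY_RUN default are assumptions.
EXT_IF="${EXT_IF:-eth0}"                              # assumed external interface
INT_IF="${INT_IF:-eth1}"                              # assumed internal interface
INT_NET="${INT_NET:-192.168.1.0/24}"                  # assumed internal subnet
ICQ_NETS="${ICQ_NETS:-205.188.0.0/16 64.12.0.0/16}"   # from Florian's post; re-check before use
ICQ_PORT=5190

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 loads them (needs root).
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Gateway: default-deny FORWARD, state rules first, then one NEW rule per ICQ subnet.
icq_gateway_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    for net in $ICQ_NETS; do
        ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -d "$net" \
            -p tcp --sport 1024:65535 --dport "$ICQ_PORT" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # any other new connection from inside is logged and then hits the DROP policy
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "FWD-DROP: " --log-level info
    # the reply path back to the clients needs NAT on the way out
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# Desktop: same idea in the OUTPUT chain (loopback must stay open).
icq_desktop_rules() {
    ipt -P OUTPUT DROP
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for net in $ICQ_NETS; do
        ipt -A OUTPUT -o "$EXT_IF" -d "$net" -p tcp --sport 1024:65535 \
            --dport "$ICQ_PORT" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# usage: sh icq-rules.sh [gateway|desktop]   (DRY_RUN=0 to actually load)
if [ "${1:-gateway}" = "desktop" ]; then
    icq_desktop_rules
else
    icq_gateway_rules
fi
```

Run it once without DRY_RUN=0 and read the printed rules: the ESTABLISHED,RELATED line must come before every NEW rule, and the LOG line is what tells you, from the kernel log, which other destination a client tried when "ICQ does not work".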
* RE: icq
From: Rob Sterenborg @ 2004-06-16 20:42 UTC (permalink / raw)
To: 'netfilter'
> What do I need to do to allow ICQ to work through my firewall?
(Other answers already given..)
Not sure about recent versions, but with old versions you could only do
simple things like messaging when using NAT only.
If you wanted to do things like chat and/or file transfer, you needed a
SOCKS server. I guess this still holds.
NEC had a free SOCKS5 server for *nix once, but stopped providing it.
It's now Permeo's (www.permeo.com) but AFAIK not free any more. If you
need it, there's a source version on rpmfind.net.
Gr,
Rob
* RE: icq
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-06-16 21:03 UTC (permalink / raw)
To: 'Rob Sterenborg', 'netfilter'
The RPC-like tendencies of ICQ make it not worth the trouble to manage
access to/from it.
~piranha
* Re: icq
From: Alistair Tonner @ 2004-06-17 2:26 UTC (permalink / raw)
To: netfilter
On June 16, 2004 05:03 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> the rpc like tendencies of icq make it not worth the trouble to manage
> access to/from it.
>
> ~piranha
? rpc like ?
> Not sure about recent versions, but with old versions you could only do
> simple things like messaging when using NAT only.
> If you wanted to do things like chat and/or filetransfer, you needed a
> socks server. I guess this still holds.
> NEC had a free socks5 server for *nix once, but stopped providing it.
> It's now Permeo's (www.permeo.com) but AFAIK not free any more. If you
> need it ; there's a source version on rpmfind.net.
>
Although there are already some answers here, the extended attributes
for ICQ can be managed in a small home LAN situation by properly configuring
the clients (set the ports on which connections can be received to a
different specific range per client) and then forwarding the appropriate range
of ports per client from the firewall. In my case at home, I have three
internal clients that are permanently forwarded. You can't filter on source
address, as ICQ -> ICQ transfers are client to client. For standard chatting,
however, nothing need be done save the initial connection out to
login.icq.com and an ESTABLISHED,RELATED rule. Some folks might find that
they have to send the initial message through the servers (Windows clients
auto-fallback to this state; licq has to be told to do it), but after the
first message out from behind the firewall, if the ESTABLISHED,RELATED rule
is in place, chat messages work just fine.
Alistair Tonner.
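The per-client port forwarding Alistair describes, as an added example that is not code from his post: each internal client is given its own non-overlapping listening range, and the table is refused outright if two ranges collide, since one external port can only be DNATed to one client. The client addresses, the ranges and the interface names are assumptions; it also assumes the FORWARD chain already accepts ESTABLISHED,RELATED and that these rules are appended before any catch-all LOG or DROP. Note what the forwarded ranges mean: those ports on those clients become reachable from any Internet host, which is the exposure Hudson objects to further down the thread.

```shell
#!/bin/sh
# Added example, not from the thread: per-client inbound port ranges for direct
# ICQ client-to-client transfers, with an overlap check on the table.
# Client addresses, port ranges and interface names are assumptions.
EXT_IF="${EXT_IF:-eth0}"   # assumed external interface
INT_IF="${INT_IF:-eth1}"   # assumed internal interface

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 loads them (needs root).
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Returns 0 when two "lo:hi" port ranges share at least one port.
ranges_overlap() {
    lo1=${1%%:*}; hi1=${1##*:}
    lo2=${2%%:*}; hi2=${2##*:}
    if [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]; then
        return 0
    fi
    return 1
}

# DNAT one range to one client and let the NEW inbound connection through FORWARD.
# --to-destination without a port keeps the original destination port, so the
# client sees the same port the peer connected to.
icq_client_forward() {
    client=$1; range=$2
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$range" \
        -j DNAT --to-destination "$client"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$client" -p tcp --dport "$range" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Takes "client_ip lo:hi" entries. Validates every entry first and refuses the
# whole table on a bad range or an overlap, so no half-loaded rule set results.
icq_forward_table() {
    seen=""
    for entry in "$@"; do
        client=${entry%% *}
        range=${entry##* }
        case "$range" in
            [0-9]*:[0-9]*) ;;
            *) echo "error: bad range '$range' for $client" >&2; return 1 ;;
        esac
        for prev in $seen; do
            if ranges_overlap "$range" "$prev"; then
                echo "error: $client range $range overlaps $prev" >&2
                return 1
            fi
        done
        seen="$seen $range"
    done
    for entry in "$@"; do
        icq_client_forward "${entry%% *}" "${entry##* }"
    done
}

# Constructed sample table: three clients, each with its own 20-port range.
# Each client's ICQ preferences must be set to listen on exactly its range.
icq_forward_table \
    "192.168.1.10 20000:20019" \
    "192.168.1.11 20020:20039" \
    "192.168.1.12 20040:20059"
```

The two-pass shape matters more than it looks: with -A, a table that fails halfway would leave the first clients forwarded and the rest not, which is exactly the kind of "transfers work for one machine only" report that is hard to debug from the client side.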
* RE: icq
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-06-18 13:15 UTC (permalink / raw)
To: 'Alistair Tonner', netfilter
A,
You just don't get it...
The access itself is risky for an enterprise.
Small home LANs are not relevant in this conversation.
The setup for RPC mimics some of the port nonsense of RPC/portmapper-type
architectures; that is the problem.
The client-to-client interface is the security problem in and of
itself.