From owner-freebsd-security Thu Jun 7 07:38:03 2001
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id B2EB137B406 for ; Thu, 7 Jun 2001 07:37:53 -0700 (PDT) (envelope-from 3APA3A@SECURITY.NNOV.RU)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1-AGK-0.5) with ESMTP id SAA73672; Thu, 7 Jun 2001 18:36:18 +0400 (MSD)
Date: Thu, 7 Jun 2001 18:36:18 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
X-Mailer: The Bat! (v1.51)
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Organization: http://www.security.nnov.ru
X-Priority: 3 (Normal)
Message-ID: <86117967378.20010607183618@SECURITY.NNOV.RU>
To: "Nikolaj I. Potanin"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and icq
In-Reply-To: <1569370004.20010607180037@mail.spbnit.ru>
References: <009e01c0ef55$da422340$9201a8c0@home.net> <1569370004.20010607180037@mail.spbnit.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Nikolaj,

You've allowed only outgoing traffic, but you also need to allow the incoming traffic. Allowing UDP 4000 for all ports from the whole Internet is a huge security risk; you should limit the port range and the allowed network. In this case:

    allow udp from any 1024-65535 to 205.188.153.0/24 4000
    allow udp from 205.188.153.0/24 4000 to any 1024-65535

This will work for ICQ up to 99 and for licq/micq. ICQ 2000 works a different way: it uses TCP, first connects to login.icq.com, and is then redirected to another server in the AOL network.
It's better to have incoming and outgoing lists for the internal and external interface (and the DMZ, if you have one). In this case you can allow ICQ with something like:

    allow udp from any 1024-65535 to 205.188.153.0/24 4000 out via ext
    allow udp from 205.188.153.0/24 4000 to any 1024-65535 in via ext

In this case you can also allow any outgoing TCP connections, for ICQ 2000 to work:

    allow tcp from any 1024-65535,20 to any out via ext
    allow tcp from any to any 1024-65535,20 in via ext established

For the internal interface you can create a list only to limit access to the router itself. In any case, in your configuration you will have problems with incoming direct connections from other ICQ users. You will only be able to communicate via the server (some Unix ICQ clients always communicate via the server), or a connection may be established at your request if you allow outgoing TCP. If you use the Windows ICQ client and you want to allow incoming direct connections (at the request of your interlocutor), you can create port mappings of port ranges (approx. 50-70 ports for each host) and configure ICQ on each host to use the external IP and this port range, or you can configure socks5 on your router.

--Thursday, June 07, 2001, 6:00:37 PM, you wrote to freebsd-security@FreeBSD.ORG:

NIP> Hello to every GURU in this list!
NIP> I'm a novice in this world :) and I have a problem configuring
NIP> firewall (ipfw) and icq on my FreeBSD 4.2 box. I'm using a PPP connection
NIP> to my ISP and therefore there are some differences in configuring ipfw
NIP> (or not?). Everything works perfectly, the firewall filters all it has to, but
NIP> I didn't manage to connect to my favorite icq.mirabilis.com:4000 %) I
NIP> know that I should add something like
NIP> $fwcmd add allow udp from any to any 4000
NIP> But it doesn't work!
NIP> Here is my fwrules file:

NIP> fwcmd="/sbin/ipfw"
NIP> $fwcmd -f flush
NIP> $fwcmd add divert natd all from any to any via tun0
NIP> $fwcmd add allow ip from any to any via lo0
NIP> $fwcmd add allow tcp from any to any out xmit tun0 setup
NIP> $fwcmd add allow tcp from any to any via tun0 established
NIP> $fwcmd add allow tcp from any to any 80 setup
NIP> $fwcmd add allow tcp from any to any 22 setup
NIP> $fwcmd add reset log tcp from any to any 113 in recv tun0
NIP> $fwcmd add allow udp from any to MY_ISP'S_DNS_NUMBER 53 out xmit tun0
NIP> $fwcmd add allow udp from MY_ISP'S_DNS_NUMBER 53 to any in recv tun0
NIP> $fwcmd add 65435 allow icmp from any to any
NIP> $fwcmd add 65435 deny log ip from any to any

NIP> Maybe it's because of the [options TCP_RESTRICT_RST] option added to my
NIP> CUSTOM_KERNEL config file? Any ideas about this problem?
NIP> Thanks in advance,
NIP> ==
NIP> Nikolaj I. Potanin
NIP> http://www.physto.se/~nikolaj
NIP> UIN: 20582042

NIP> To Unsubscribe: send mail to majordomo@FreeBSD.org
NIP> with "unsubscribe freebsd-security" in the body of the message

--
~/3APA3A
A new kind of elementary particle has been discovered: the crackling. Not very big, slightly burnt. (Lem)
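The ruleset Nikolaj posted, reworked along the lines 3APA3A suggests (UDP 4000 limited to unprivileged client ports and to the ICQ server network, with an explicit inbound rule on the external interface, which is what the original set was missing), as an added example that is not part of either message. The interface name tun0, the 205.188.153.0/24 network and the DNS placeholder come from the thread; the fw wrapper, the DRY_RUN switch, the rule numbers and the 192.0.2.53 placeholder are assumptions made here. Run with no argument it only prints the rules; `apply` loads them with /sbin/ipfw.

```shell
#!/bin/sh
# Added example: ICQ-aware ipfw ruleset following 3APA3A's advice.
# Not the original poster's script; the fw wrapper, DRY_RUN switch,
# rule numbers and the DNS placeholder are assumptions made here.

ext="${EXT_IF:-tun0}"                    # external (PPP) interface from the thread
icq_net="${ICQ_NET:-205.188.153.0/24}"   # ICQ/AOL server network named in the reply
dns="${DNS_SERVER:-192.0.2.53}"          # placeholder; set to your ISP's DNS server
fwcmd="${FWCMD:-/sbin/ipfw}"

# fw: run ipfw, or print the rule when DRY_RUN=1 so the set can be
# reviewed on a box without ipfw.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$fwcmd $*"
    else
        "$fwcmd" "$@"
    fi
}

# ICQ up to 99 / licq / micq: UDP 4000, restricted to unprivileged client
# ports and to the server network, with the matching inbound rule.
icq_udp_rules() {
    fw add 1000 allow udp from any 1024-65535 to "$icq_net" 4000 out via "$ext"
    fw add 1010 allow udp from "$icq_net" 4000 to any 1024-65535 in via "$ext"
}

# Outgoing TCP with replies matched by 'established'; ICQ 2000 (TCP to
# login.icq.com, then a redirect inside the AOL network) rides on this.
tcp_client_rules() {
    fw add 2000 allow tcp from any to any out via "$ext" setup
    fw add 2010 allow tcp from any to any via "$ext" established
}

# Full set: NAT divert first, loopback, ICQ, outbound TCP, DNS to the
# ISP's resolver only, ident reset, ICMP, then a logged default deny.
load_rules() {
    fw -f flush
    fw add 100 divert natd all from any to any via "$ext"
    fw add 200 allow ip from any to any via lo0
    icq_udp_rules
    tcp_client_rules
    fw add 3000 allow udp from any to "$dns" 53 out via "$ext"
    fw add 3010 allow udp from "$dns" 53 to any in via "$ext"
    fw add 3100 reset log tcp from any to any 113 in via "$ext"
    fw add 65000 allow icmp from any to any
    fw add 65400 deny log ip from any to any
}

if [ "${1:-}" = apply ]; then
    load_rules
else
    DRY_RUN=1
    load_rules
fi
```

The inbound UDP rule is the one Nikolaj's set lacked: without it the reply from the ICQ server is caught by the final deny. Keeping the source restricted to 205.188.153.0/24 and the client side to 1024-65535 means the rule does not open UDP 4000 on every internal host to the whole Internet.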