Date:      Thu, 7 Jun 2001 18:36:18 +0400
From:      3APA3A <3APA3A@SECURITY.NNOV.RU>
To:        "Nikolaj I. Potanin" <nikolaj@mail.spbnit.ru>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw and icq
Message-ID:  <86117967378.20010607183618@SECURITY.NNOV.RU>
In-Reply-To: <1569370004.20010607180037@mail.spbnit.ru>
References:   <Pine.BSF.4.30_heb2.09.0106061220000.50496-100000@slis-two.lis.fsu.edu> <009e01c0ef55$da422340$9201a8c0@home.net> <1569370004.20010607180037@mail.spbnit.ru>

Hello Nikolaj,

You've allowed only outgoing traffic, but you also need to allow the incoming
traffic. Allowing UDP 4000 for all ports from the whole Internet is a huge
security risk; you should limit the port range and the allowed network.
In this case:

allow udp from any 1024-65535 to 205.188.153.0/24 4000
allow udp from 205.188.153.0/24 4000 to any 1024-65535

This will work for ICQ up to 99 and for licq/micq. ICQ 2000 works a
different way: it uses TCP, first connects to login.icq.com and is then
redirected to another server in the AOL network.

It's better to have separate incoming and outgoing lists for the internal
and external interfaces (and the DMZ, if you have one); in this case you
can allow ICQ with something like:

allow udp from any 1024-65535 to 205.188.153.0/24 4000 out via ext
allow udp from 205.188.153.0/24 4000 to any 1024-65535 in via ext

In this case you can also allow any outgoing TCP connection so that ICQ
2000 works:

allow tcp from any 1024-65535,20 to any out via ext
allow tcp from any to any 1024-65535,20 in via ext established

For the internal interface you can create a list that only limits access to
the router itself.

In any case, with your configuration you will have problems with incoming
direct connections from other ICQ users. You will only be able to
communicate via the server (some Unix ICQ clients always communicate via
the server), or a connection may be established at your request if you
allow outgoing TCP. If you use the Windows ICQ client and you want to allow
incoming direct connections (at the request of your interlocutor), you can
create port mappings for port ranges (approx. 50-70 ports for each host)
and configure ICQ on each host to use the external IP and this port range,
or you can configure socks5 on your router.


--Thursday, June 07, 2001, 6:00:37 PM, you wrote to freebsd-security@FreeBSD.ORG:

NIP> Hello to every GURU in this list!

NIP> I'm a novice in this world :) and I have a problem configuring the
NIP> firewall (ipfw) and icq on my FreeBSD 4.2 box. I'm using a PPP connection
NIP> to my ISP and therefore there are some differences in configuring ipfw
NIP> (or not?). Everything works perfectly, the firewall filters all it has to, but
NIP> I didn't manage to connect to my favourite icq.mirabilis.com:4000 %) I
NIP> know that I should add something like

NIP> $fwcmd add allow udp from any to any 4000

NIP> But it doesn't work!

NIP> Here is my fwrules-file:

NIP> fwcmd="/sbin/ipfw"
NIP> $fwcmd -f flush
NIP> $fwcmd add divert natd all from any to any via tun0
NIP> $fwcmd add allow ip from any to any via lo0
NIP> $fwcmd add allow tcp from any to any out xmit tun0 setup
NIP> $fwcmd add allow tcp from any to any via tun0 established
NIP> $fwcmd add allow tcp from any to any 80 setup
NIP> $fwcmd add allow tcp from any to any 22 setup
NIP> $fwcmd add reset log tcp from any to any 113 in recv tun0
NIP> $fwcmd add allow udp from any to MY_ISP'S_DNS_NUMBER 53 out xmit tun0
NIP> $fwcmd add allow udp from MY_ISP'S_DNS_NUMBER 53 to any in recv tun0
NIP> $fwcmd add 65435 allow icmp from any to any
NIP> $fwcmd add 65435 deny log ip from any to any

NIP> Maybe it's because of the [options TCP_RESTRICT_RST] option added to my
NIP> CUSTOM_KERNEL config file? Any ideas about this problem?

NIP> Thanks in advance,

NIP> ==
NIP> Nikolaj I. Potanin
NIP> http://www.physto.se/~nikolaj
NIP> UIN: 20582042



NIP> To Unsubscribe: send mail to majordomo@FreeBSD.org
NIP> with "unsubscribe freebsd-security" in the body of the message


-- 
~/3APA3A
A new type of elementary particle has appeared: cracklings (shkvarki).
Not very big, slightly burnt.  (Lem)



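The point of the reply above is easy to misread: `allow udp from any to any 4000` only matches packets whose *destination* port is 4000 (the outgoing login), so ICQ's replies from source port 4000 fall through to the final deny, and the obvious "fix" of `allow udp from any 4000 to any` lets any host on the Internet reach any UDP port on the box simply by sending from port 4000. The following is an added example, not code from the thread or from ipfw itself: a small first-match evaluator for the subset of ipfw syntax used in the thread (allow/deny, address, port ranges, `in`/`out`, `via`, `established`), run over constructed packets. The addresses 192.0.2.10 (the PPP host) and 198.51.100.7 (an arbitrary Internet host) are assumptions, `tun0` is substituted for the reply's placeholder `ext` to match the poster's configuration, and 205.188.153.0/24 is the server range quoted in the reply.

```python
"""Toy first-match model of the ipfw rule syntax used in this thread.

This is a constructed teaching model, not ipfw. It understands only
  allow|deny PROTO from ADDR [PORTS] to ADDR [PORTS] [in|out] [via IFACE] [established]
and evaluates rules top to bottom; the first match wins and nothing
matching means deny (the poster's list ends in 'deny log ip from any to any').
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str        # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" or "out", as seen by the firewall host
    iface: str = "tun0"
    established: bool = False   # TCP: any segment except the initial SYN


def _parse_ports(spec: str):
    """'1024-65535,20' -> [(1024, 65535), (20, 20)]"""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rule(text: str) -> dict:
    tok = text.split()
    rule = {"action": tok[0], "proto": tok[1], "direction": None,
            "via": None, "established": False, "sports": None, "dports": None}
    assert tok[2] == "from", text
    i = 3
    rule["src"] = tok[i]; i += 1
    if tok[i] != "to":                       # optional source port spec
        rule["sports"] = _parse_ports(tok[i]); i += 1
    assert tok[i] == "to", text
    i += 1
    rule["dst"] = tok[i]; i += 1
    if i < len(tok) and tok[i][0].isdigit():  # optional destination port spec
        rule["dports"] = _parse_ports(tok[i]); i += 1
    while i < len(tok):                       # trailing options
        t = tok[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t == "via":
            i += 1
            rule["via"] = tok[i]
        elif t == "established":
            rule["established"] = True
        i += 1
    return rule


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(ranges, port: int) -> bool:
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if rule["direction"] and rule["direction"] != pkt.direction:
        return False
    if rule["via"] and rule["via"] != pkt.iface:
        return False
    if rule["established"] and not pkt.established:
        return False
    return (_addr_match(rule["src"], pkt.src) and _port_match(rule["sports"], pkt.sport)
            and _addr_match(rule["dst"], pkt.dst) and _port_match(rule["dports"], pkt.dport))


def evaluate(rules, pkt: Packet) -> str:
    """Verdict of the first matching rule; default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


# Constructed sample traffic (addresses are assumptions, see lead-in).
ICQ_LOGIN = Packet("udp", "192.0.2.10", 1050, "205.188.153.98", 4000, "out")
ICQ_REPLY = Packet("udp", "205.188.153.98", 4000, "192.0.2.10", 1050, "in")
PROBE_FROM_4000 = Packet("udp", "198.51.100.7", 4000, "192.0.2.10", 53, "in")   # attacker sourcing from 4000

POSTER = [parse_rule("allow udp from any to any 4000")]                          # what Nikolaj tried
NAIVE = POSTER + [parse_rule("allow udp from any 4000 to any")]                  # the risky "fix"
RESTRICTED = [parse_rule("allow udp from any 1024-65535 to 205.188.153.0/24 4000 out via tun0"),
              parse_rule("allow udp from 205.188.153.0/24 4000 to any 1024-65535 in via tun0")]

# The TCP pair from the reply for ICQ 2000: outbound allowed, inbound only if established.
ICQ2000 = [parse_rule("allow tcp from any 1024-65535,20 to any out via tun0"),
           parse_rule("allow tcp from any to any 1024-65535,20 in via tun0 established")]
RETURN_ACK = Packet("tcp", "198.51.100.7", 5190, "192.0.2.10", 1060, "in", established=True)
INBOUND_SYN = Packet("tcp", "198.51.100.7", 5190, "192.0.2.10", 1060, "in")


def compare_udp():
    """(login, reply, probe) verdicts for each UDP rule set."""
    return {name: tuple(evaluate(rs, p) for p in (ICQ_LOGIN, ICQ_REPLY, PROBE_FROM_4000))
            for name, rs in (("poster", POSTER), ("naive", NAIVE), ("restricted", RESTRICTED))}


def compare_tcp():
    """(returning ACK, unsolicited SYN) verdicts for the ICQ 2000 TCP pair."""
    return evaluate(ICQ2000, RETURN_ACK), evaluate(ICQ2000, INBOUND_SYN)


if __name__ == "__main__":
    for name, (login, reply, probe) in compare_udp().items():
        print(f"{name:10s} login={login:5s} reply={reply:5s} probe_to_53={probe}")
    print("icq2000    return_ack=%s unsolicited_syn=%s" % compare_tcp())
```

The poster's single rule allows the login but drops the reply; the naive rule fixes the reply and also lets the port-53 probe through; the restricted pair from the reply allows both halves of the ICQ exchange and still drops the probe, because the source network and the destination port range no longer match. Real ipfw also sees the `divert natd` rule first and, in the poster's list, a 4000-byte `deny log` catch-all; neither changes the ordering argument shown here.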




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86117967378.20010607183618>