Date:      Mon, 23 Sep 2002 09:09:21 +0200
From:      <Danny.Carroll@mail.ing.nl>
To:        <forrie@forrie.com>, <freebsd-ipfw@freebsd.org>
Subject:   RE: Forwarding/proxying of IM services
Message-ID:  <C6304883FB11E347AD4958D3F14EC00AE89200@ing.com>


Not *really* being familiar with Trillian, I'll try to answer this as it applies to ICQ.
It's been a while since I looked into this, but I doubt much has changed.  I will also assume your firewall is completely open, since it really is a NAT problem.

This is actually really similar to the passive/active FTP problem for firewalls.

It basically centers around the fact that application developers, when choosing protocols for their net apps, need to take into consideration clients being on opposite sides of firewalls.

NAT works by watching the outgoing connections a client makes and redirecting them on the way back in.

Unfortunately, it is not God, so when it comes across something it has no idea about it really has no option but to drop the packet (or forward it to some default host, which is very unwise).

Here is what happens when your ICQ wants to receive a file:
1. Your client (Trillian or ICQ) is told to expect a file from the sender's client.
2. Your client then says "OK, send it to me on port AAAA".
3. The sender's client opens up a connection to your IP address on port AAAA and the file is transferred.

Now, if you have NAT, then the NAT software is used to seeing packets from the recipient on port BBBB (for the chat transfers), or worse, you have not even been communicating with the client directly, but via an ICQ server.

So the natd software sees this new connection, on port AAAA, and it has NO idea who it is meant for.

NAT gets around this in the case of active FTP transfers by actually watching the FTP protocol for the handshaking (steps 1 and 2) and redirecting accordingly...  But you can't expect natd to implement every different IM protocol out there, can you?

At least not until the IM developers get their act together and integrate their protocols.  (Yeah right!)

Sometimes, IM clients give the option to skip the server and send directly to the client for all transfers, but chances are you will get firewalled at the recipient's end anyway, so it's kind of a useless workaround.

The only thing you can do is watch what the software is *trying* to do and see if you can get ipfw/natd to open up enough to allow what you need.

For example, if you watch ICQ attempts and see that most of the time they are coming in on ports 8000 - 9000 (this is a guess), you *could* tell natd to forward all these ports to one machine, and do all your IM'ing from there.  It's not really an elegant solution though, is it?

-D

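The mechanism described above (steps 1 to 3, the comparison with active FTP, and the "forward a port range to one machine" workaround), as an added illustration that is not part of the original post and is not natd's code: a toy translator in Python that keeps the outbound state table, drops the unsolicited inbound connection on "port AAAA", and then shows the two ways such a connection can still get through, a static per-port redirect (what natd's redirect_port does) and a helper that watches the control channel for the FTP PORT command (what natd does for active FTP). All addresses, ports and the chat/transfer packets are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed addresses for the example (documentation / RFC 1918 ranges, not real hosts).
PUBLIC_IP = "203.0.113.5"    # the FreeBSD box's outside address
CLIENT = "192.168.0.10"      # the IM / FTP client behind the NAT
PEER = "198.51.100.7"        # the remote sender on the Internet

PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class ToyNat:
    """Outbound-only translator with the two escape hatches the reply mentions:
    a static redirect (natd's redirect_port) and a protocol helper that watches
    the control channel (natd's FTP handling). An illustration, not natd."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.state = {}      # (proto, remote_ip, remote_port, public_port) -> (inside_ip, inside_port)
        self.expected = {}   # (proto, remote_ip, public_port) -> (inside_ip, inside_port), from the helper
        self.redirects = {}  # (proto, public_port) -> (inside_ip, inside_port), static redirect_port

    def _alloc_port(self):
        port = self.next_port
        self.next_port += 1
        return port

    def redirect_port(self, proto, inside_ip, inside_port, public_port):
        """Unsolicited inbound traffic on public_port always goes to one fixed inside host."""
        self.redirects[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Rewrite an inside->outside packet and remember how to undo it on the way back."""
        pub = self._alloc_port()
        self.state[(pkt.proto, pkt.dst, pkt.dport, pub)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pub, pkt.dst, pkt.dport, self._ftp_helper(pkt))

    def _ftp_helper(self, pkt):
        """Active-FTP helper: 'PORT h1,h2,h3,h4,p1,p2' on the control channel names the
        inside address/port the server will connect back to. Rewrite it to a public port
        and pre-install the reverse mapping so the server's data connection is accepted."""
        m = PORT_CMD.fullmatch(pkt.payload)
        if pkt.proto != "tcp" or pkt.dport != 21 or m is None:
            return pkt.payload
        inside_ip = ".".join(m.group(i).decode() for i in range(1, 5))
        inside_port = int(m.group(5)) * 256 + int(m.group(6))
        pub = self._alloc_port()
        self.expected[("tcp", pkt.dst, pub)] = (inside_ip, inside_port)
        octets = self.public_ip.replace(".", ",")
        return f"PORT {octets},{pub // 256},{pub % 256}\r\n".encode()

    def inbound(self, pkt):
        """Translate an outside->inside packet; None means natd would have to drop it."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        target = self.state.get(key)                                         # reply to a flow we started
        if target is None:
            target = self.expected.pop((pkt.proto, pkt.src, pkt.dport), None)  # pre-arranged by the helper
        if target is None:
            target = self.redirects.get((pkt.proto, pkt.dport))             # static redirect_port
        if target is None:
            return None                                                      # "NO idea who it is meant for"
        self.state[key] = target                                             # rest of the flow now matches
        return Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1], pkt.payload)


def redirect_range(nat, proto, inside_ip, first, last):
    """The 'forward ports 8000-9000 to one machine' workaround from the reply."""
    for port in range(first, last + 1):
        nat.redirect_port(proto, inside_ip, port, port)


def im_transfer_gets_through(nat, file_port=8500):
    """Steps 1-3 of the reply: the negotiation rides on the existing chat connection
    ("port BBBB"); the transfer is a brand-new inbound connection to "port AAAA"."""
    nat.outbound(Packet("tcp", CLIENT, 1500, PEER, 5190))          # chat channel, constructed
    transfer = Packet("tcp", PEER, 3000, PUBLIC_IP, file_port)     # sender connects to port AAAA
    return nat.inbound(transfer) is not None


def active_ftp_data_target(nat):
    """Where the FTP server's data connection lands after the helper rewrote the
    client's PORT command. Returns (inside_ip, inside_port), or None if dropped."""
    ctrl = nat.outbound(Packet("tcp", CLIENT, 1600, PEER, 21, b"PORT 192,168,0,10,16,64\r\n"))
    m = PORT_CMD.fullmatch(ctrl.payload)                           # the server reads the rewritten PORT
    public_port = int(m.group(5)) * 256 + int(m.group(6))
    data = nat.inbound(Packet("tcp", PEER, 20, PUBLIC_IP, public_port))
    return None if data is None else (data.dst, data.dport)


if __name__ == "__main__":
    print("plain NAT, IM transfer:", im_transfer_gets_through(ToyNat(PUBLIC_IP)))
    nat = ToyNat(PUBLIC_IP)
    redirect_range(nat, "tcp", CLIENT, 8000, 9000)
    print("with redirect_port 8000-9000:", im_transfer_gets_through(nat))
    print("active FTP via helper:", active_ftp_data_target(ToyNat(PUBLIC_IP)))
```

The `redirect_range` call corresponds to a line such as `redirect_port tcp 192.168.0.10:8000-9000 8000-9000` in natd.conf (or the matching `-redirect_port` command-line option); ipfw must still pass the diverted traffic to the inside host. The FTP helper works only because the PORT command is plain text on a well-known port that natd knows how to parse, which is exactly what it lacks for each IM protocol's own "send it to me on port AAAA" message.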

-----Original Message-----
From: Forrest Aldrich [mailto:forrie@forrie.com]
Sent: 23 September 2002 03:31
To: freebsd-ipfw@freebsd.org
Subject: Forwarding/proxying of IM services


I've not found a FAQ on this, as it applies to ipfw.

I use a popular IM client called Trillian (http://www.trillian.cc).   For 
the longest time (with IM generally), I've not been able to perform file 
transfers; this is because I'm behind a FreeBSD-4.7 NAT (ipfw + nat) 
firewall, with an internal RFC network.

What I want to know is if there are rules I can implement with ipfw that 
will permit these file transfer services to work properly - or if I'd 
otherwise have to install some proxying program.

Any pointers would be appreciated, and I will forward that info to the 
Trillian Forum for future users to see.


Thanks!
Forrest


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
