Date: Sun, 21 Oct 2001 19:47:57 -0500
From: David Kelly <dkelly@hiwaay.net>
To: Allen Landsidel <all@biosys.net>
Cc: Kal Torak <kaltorak@quake.com.au>, FreeBSD Stable <freebsd-stable@FreeBSD.ORG>
Subject: Re: ICQ with NAT problems
Message-ID: <200110220047.f9M0lvw43677@grumpy.dyndns.org>
In-Reply-To: Message from Allen Landsidel <all@biosys.net> of "Sun, 21 Oct 2001 01:32:13 EDT." <5.1.0.14.0.20011021012339.00b2b3a8@rfnj.org>
Allen Landsidel writes:
> At 02:48 PM 10/21/2001 +1000, Kal Torak wrote:
> >Thanks for the replies, but let me make it clear what I
> >am saying..
> [...]
> So, you have two options.
>
> #1 Run a Socks proxy. You have said you (for whatever reason, it's really
> not a bad idea) don't want to do this.
>
> #2 Configure ICQ to use a certain range of listening TCP ports. Use a
> different port range on each machine that will be running ICQ, and
> configure NAT to forward connections to these ports appropriately.
>
> I've done both things on connections from a T1 all the way down to 28.8kbps
> multiuser modem connection, and they work fine.. I really would suggest the
> proxy though, they exist to solve just such problems.. trying other methods
> is really a bit like trying to hammer a square peg into a round hole;
> You're behind NAT, and you have to deal with it.

What am I missing about the problem that the punch_fw option in natd is
not supposed to deal with? Is my understanding ICQ is only a particular
implementation of IRC?

natd(1) says:

     -punch_fw basenumber:count
             This option directs natd to ``punch holes'' in an
             ipfirewall(4) based firewall for FTP/IRC DCC connections.
             This is done dynamically by installing temporary firewall
             rules which allow a particular connection (and only that
             connection) to go through the firewall. The rules are
             removed once the corresponding connection terminates.

I don't do IRC or allow it thru my firewalls. But the above works very
well for me to allow non-passive ftp out. I don't allow all outgoing
connections from any internal port simply because this way I've stopped
a number of spyware agents which were not smart enough to link on port
80 or something.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
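Added here as an illustration, not code from anyone in this thread: a natd/ipfw layout that combines Allen's option #2 (a distinct ICQ listen-port range per inside host, forwarded with -redirect_port) with the -punch_fw rule window David describes, under a policy that denies outbound connections by default. The interface (fxp0), addresses, ICQ port ranges and the permitted outbound port list are assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Combines Allen's option #2 (one
# non-overlapping ICQ TCP listen-port range per inside host, forwarded with
# natd -redirect_port) with the -punch_fw rule window David relies on for
# active-mode FTP, behind an ipfw policy that denies outbound by default.
# Interface, addresses, port ranges and the outbound port list are assumed.
EXT_IF=fxp0                    # assumed outside interface
LAN=192.168.1.0/24             # assumed inside network
PUNCH_BASE=20000               # natd installs its temporary rules from here...
PUNCH_COUNT=100                # ...up to PUNCH_BASE+PUNCH_COUNT-1; keep that range free
OUT_TCP_PORTS="21,80,443"      # assumed set of permitted outbound TCP ports
# host:first-last, one distinct range per machine that runs ICQ (assumed values)
ICQ_MAP="192.168.1.10:3000-3009 192.168.1.11:3010-3019"

# Print the natd(8) arguments (usable as natd_flags in /etc/rc.conf).
natd_args() {
    printf -- '-interface %s -punch_fw %s:%s' "$EXT_IF" "$PUNCH_BASE" "$PUNCH_COUNT"
    for entry in $ICQ_MAP; do
        host=${entry%%:*}; range=${entry#*:}
        # same range inside and outside, so the client can advertise its real port
        printf -- ' -redirect_port tcp %s:%s %s' "$host" "$range" "$range"
    done
    echo
}

# Print the ipfw(8) commands. Punched rules land at PUNCH_BASE, i.e. after the
# static allows and before the final deny, so they are actually consulted.
ipfw_rules() {
    echo "ipfw -f flush"
    echo "ipfw add 1000 divert natd all from any to any via $EXT_IF"
    echo "ipfw add 1100 allow tcp from any to any established"
    for entry in $ICQ_MAP; do
        host=${entry%%:*}; range=${entry#*:}
        # inbound ICQ peer connections, already translated by natd to the inside host
        echo "ipfw add 1200 allow tcp from any to $host $range setup in via $EXT_IF"
    done
    # outbound: filter on destination port (source is already translated by natd)
    echo "ipfw add 1300 allow tcp from any to any $OUT_TCP_PORTS setup out via $EXT_IF"
    # DNS; active FTP data connections come back through natd's punched rules
    echo "ipfw add 1400 allow udp from any to any 53 out via $EXT_IF"
    echo "ipfw add 1401 allow udp from any 53 to $LAN in via $EXT_IF"
    echo "ipfw add 65000 deny log ip from any to any"
}
```

To apply on a gateway, start natd with `natd $(natd_args)` and load the rules with `ipfw_rules | sh`; the functions only print, so the script is safe to source and inspect first.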
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message