From owner-freebsd-stable Sun Oct 21 17:48:15 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from grumpy.dyndns.org (user-24-214-92-93.knology.net [24.214.92.93]) by hub.freebsd.org (Postfix) with ESMTP id 626BE37B401 for ; Sun, 21 Oct 2001 17:48:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by grumpy.dyndns.org (8.11.6/8.11.6) with ESMTP id f9M0lvw43677; Sun, 21 Oct 2001 19:47:58 -0500 (CDT) (envelope-from dkelly@grumpy.dyndns.org)
Message-Id: <200110220047.f9M0lvw43677@grumpy.dyndns.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Allen Landsidel
Cc: Kal Torak , FreeBSD Stable
From: David Kelly
Subject: Re: ICQ with NAT problems
In-reply-to: Message from Allen Landsidel of "Sun, 21 Oct 2001 01:32:13 EDT." <5.1.0.14.0.20011021012339.00b2b3a8@rfnj.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 21 Oct 2001 19:47:57 -0500
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Allen Landsidel writes:
> At 02:48 PM 10/21/2001 +1000, Kal Torak wrote:
> >Thanks for the replies, but let me make it clear what I
> >am saying..
[...]
> So, you have two options.
>
> #1 Run a Socks proxy. You have said you (for whatever reason, it's really
> not a bad idea) don't want to do this.
>
> #2 Configure ICQ to use a certain range of listening TCP ports. Use a
> different port range on each machine that will be running ICQ, and
> configure NAT to forward connections to these ports appropriately.
>
> I've done both things on connections from a T1 all the way down to 28.8kbps
> multiuser modem connection, and they work fine.. I really would suggest the
> proxy though, they exist to solve just such problems.. trying other methods
> is really a bit like trying to hammer a square peg into a round hole;
> You're behind NAT, and you have to deal with it.
What am I missing about the problem that the punch_fw option in natd is not supposed to deal with? Is my understanding correct that ICQ is only a particular implementation of IRC? natd(1) says:

     -punch_fw basenumber:count
             This option directs natd to ``punch holes'' in an ipfirewall(4)
             based firewall for FTP/IRC DCC connections.  This is done
             dynamically by installing temporary firewall rules which allow a
             particular connection (and only that connection) to go through
             the firewall.  The rules are removed once the corresponding
             connection terminates.

I don't do IRC or allow it thru my firewalls. But the above works very well for me to allow non-passive ftp out. I don't allow all outgoing connections from any internal port simply because this way I've stopped a number of spyware agents which were not smart enough to link on port 80 or something.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
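As an added example (not code from this thread, nor from the FreeBSD project), here is a small ipfw ruleset in the spirit of the setup described above: natd opens the active-mode FTP data connections with -punch_fw, outbound traffic from the LAN is restricted to an allow-list with everything else denied and logged (which is where unexpected "phone home" attempts become visible), and a check function verifies that the punch_fw rule range sits where ipfw will actually evaluate it. The interface names fxp0 and xl0, the 192.168.1.0/24 prefix and every rule number are assumed values, not taken from the thread; by default the script only echoes the ipfw commands, and setting IPFW=ipfw applies them on a FreeBSD gateway.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: an ipfw ruleset
# that pairs natd -punch_fw with an egress allow-list. Interfaces, the LAN
# prefix and every rule number below are assumed values.

EXT_IF="${EXT_IF:-fxp0}"              # assumed: interface natd aliases on
INT_IF="${INT_IF:-xl0}"               # assumed: LAN interface
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed: private LAN behind NAT

DIVERT_IN=200      # inbound divert: translate back to LAN addresses first
PUNCH_BASE=1000    # natd -punch_fw basenumber
PUNCH_COUNT=50     # natd -punch_fw count: rules 1000-1049 belong to natd
DENY_IN=1500       # unsolicited inbound traffic is dropped here
DIVERT_OUT=2000    # outbound divert, reached only through skipto

# Dry run by default; IPFW=ipfw applies the rules on a FreeBSD gateway.
IPFW="${IPFW:-echo ipfw}"

# natd installs its temporary rules numbered PUNCH_BASE .. PUNCH_BASE+COUNT-1.
# ipfw evaluates rules in number order, so that range must come after the
# inbound divert (the packet already carries the LAN host's address) and
# before the inbound deny, or the punched holes are never consulted.
# Exit status 0 means the layout is usable.
check_punch_range() {
    divert_in=$1 base=$2 count=$3 deny_in=$4
    last=$((base + count - 1))
    [ "$base" -gt "$divert_in" ] && [ "$last" -lt "$deny_in" ]
}

# The /etc/rc.conf entries that go with this ruleset.
rc_conf_lines() {
    printf 'gateway_enable="YES"\nfirewall_enable="YES"\n'
    printf 'natd_enable="YES"\nnatd_interface="%s"\n' "$EXT_IF"
    printf 'natd_flags="-punch_fw %d:%d"\n' "$PUNCH_BASE" "$PUNCH_COUNT"
}

load_ruleset() {
    check_punch_range "$DIVERT_IN" "$PUNCH_BASE" "$PUNCH_COUNT" "$DENY_IN" || {
        echo "punch_fw range $PUNCH_BASE:$PUNCH_COUNT is outside ($DIVERT_IN, $DENY_IN)" >&2
        return 1
    }
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 150 allow ip from any to any via "$INT_IF"
    # Inbound packets are de-aliased first so every later rule sees LAN addresses.
    $IPFW add "$DIVERT_IN" divert natd ip from any to any in via "$EXT_IF"
    $IPFW add 300 check-state
    # Egress allow-list: a new session creates a dynamic rule and jumps to the
    # outbound divert; anything else leaving via the external interface is
    # denied and logged.
    $IPFW add 400 skipto "$DIVERT_OUT" tcp from "$INT_NET" to any 21,22,25,80,443 out via "$EXT_IF" setup keep-state
    $IPFW add 410 skipto "$DIVERT_OUT" udp from "$INT_NET" to any 53 out via "$EXT_IF" keep-state
    $IPFW add 500 deny log ip from any to any out via "$EXT_IF"
    # Rules PUNCH_BASE .. PUNCH_BASE+PUNCH_COUNT-1 are deliberately left free for natd.
    $IPFW add "$DENY_IN" deny log ip from any to any in via "$EXT_IF"
    # Only traffic sent here by keep-state/check-state reaches the outbound divert.
    $IPFW add "$DIVERT_OUT" divert natd ip from any to any out via "$EXT_IF"
    $IPFW add 2010 allow ip from any to any
}

load_ruleset
```

Reply packets for a LAN session come back in through the inbound divert, match the dynamic rule at check-state and are passed via the skipto, while an inbound FTP data connection that natd expects is admitted only by the temporary rule natd placed in the 1000-1049 range. Note that rule 500 also applies to the gateway's own outbound traffic, so a host that needs to resolve names or fetch updates itself needs its own allow rules ahead of it.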