_ RU.CISCO (2:5077/15.22) ___________________________________________ RU.CISCO _
From : Konstantin Yarchuk 2:5020/400 21 Apr 99 09:49:36
Subj : ICQ behind FW
________________________________________________________________________________
From: Konstantin Yarchuk <kyar@it.ru>
Hi!
> How do you hide ICQ behind a firewall without using a proxy? And can this
> thing work through NAT?
Here is the FAQ on this for Firewall-1 (www.phoneboy.com/fw1):
Allowing ICQ through the firewall
Q: How do I allow ICQ through my firewall?
A:
ICQ is a program written by Mirabilis, Ltd., and is becoming quite popular.
Unfortunately, unless you are using a SOCKS5 proxy server, ICQ is not terribly
firewall friendly. You will need to make changes on both the client side and
the firewall side. On the firewall, you will need to create two new services:
ICQ-UDP (UDP port 4000)
ICQ-TCP (Other, see below)
Create a service of type Other called ICQ-TCP. In the match field, put:
tcp, th_dport >= a, th_dport <= b
where a and b are the endpoints of the range of ports you wish to allow. ICQ
requires that at least 3 TCP ports in a row be opened and recommends 12.
On the ICQ client, you will need to specify:
1. Using a non-SOCKS firewall
2. Connections time out after 30 seconds (if you use HIDE address translation)
3. Using UDP port 4000
4. Using TCP ports a through b, as specified above
The rulebase will look like the following for either no address translation
or static address translation (ICQServers is a group that contains network
objects for all known ICQ servers):
Source        Destination   Service    Action
InternalNets  ICQServers    ICQ-UDP    Accept
Any           Any           ICQ-TCP    Accept
If you are using hide translation for your internal users, your rules will
look like:
Source        Destination   Service    Action
InternalNets  ICQServers    ICQ-UDP    Accept
InternalNets  Any           ICQ-TCP    Accept
Limitations of HIDE mode translation and ICQ:
Other users behind a firewall will not be directly accessible. They will only
be accessible through the ICQ server.
Users may have to initially send messages to you via the ICQ servers (i.e. not
directly).
Note: The above assumes you have "Accept UDP Replies" checked in
Policy->Properties. If this is not true in your case, you can either:
Check "Accept UDP Replies" in Policy->Properties, or
Create a service called ICQ-UDP-Reply with destination port >1023 and source
port 4000-4000, and add it to your rulebase.
Kostya.
--- ifmail v.2.14dev3 * Origin: Information Technologies Co. (2:5020/400)
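As an added illustration (not part of the message or of the phoneboy FAQ), the following Python model evaluates both rulebases above against sample packets: it implements the ICQ-TCP match `tcp, th_dport >= a, th_dport <= b`, the two rulebase variants (static vs. hide translation), and the two ways of admitting UDP replies. The addresses, the range a..b = 2000..2011 and the source/destination columns of the ICQ-UDP-Reply rule are assumptions; the point it makes visible is that the static-NAT rulebase accepts inbound TCP in the range from Any to Any, while hide NAT only lets internal hosts initiate.

```python
# Model of the Firewall-1 ICQ rulebases from the FAQ above. Constructed example;
# ICQServers members, InternalNets prefix, the a..b range and the columns of the
# ICQ-UDP-Reply rule are assumptions, not values from the FAQ.
from dataclasses import dataclass

ICQ_SERVERS = {"192.0.2.10", "192.0.2.11"}   # ICQServers group (assumed)
INTERNAL = "10.1."                           # InternalNets prefix (assumed)
A, B = 2000, 2011                            # ICQ-TCP range: 12 ports in a row

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

# Source/Destination column predicates
any_ = lambda ip: True
internal = lambda ip: ip.startswith(INTERNAL)
icq_server = lambda ip: ip in ICQ_SERVERS

# Service column predicates
icq_udp = lambda p: p.proto == "udp" and p.dport == 4000
icq_tcp = lambda p: p.proto == "tcp" and A <= p.dport <= B  # tcp, th_dport >= a, th_dport <= b
icq_udp_reply = lambda p: p.proto == "udp" and p.sport == 4000 and p.dport > 1023

def rulebase(hide_nat, accept_udp_replies):
    """Ordered (source, destination, service) Accept rules; anything else drops."""
    rules = [(internal, icq_server, icq_udp)]
    rules.append((internal if hide_nat else any_, any_, icq_tcp))
    if not accept_udp_replies:
        # FAQ's alternative: explicit ICQ-UDP-Reply rule (servers -> internal assumed)
        rules.append((icq_server, internal, icq_udp_reply))
    return rules

class Firewall:
    def __init__(self, hide_nat, accept_udp_replies=True):
        self.rules = rulebase(hide_nat, accept_udp_replies)
        self.accept_udp_replies = accept_udp_replies
        self.udp_flows = set()   # accepted UDP requests, for reply matching

    def decide(self, p):
        # "Accept UDP Replies": the reverse of an already accepted UDP request passes
        if self.accept_udp_replies and p.proto == "udp" \
                and (p.dst, p.src, p.dport, p.sport) in self.udp_flows:
            return "accept"
        for src, dst, svc in self.rules:   # first matching rule wins
            if src(p.src) and dst(p.dst) and svc(p):
                if p.proto == "udp":
                    self.udp_flows.add((p.src, p.dst, p.sport, p.dport))
                return "accept"
        return "drop"   # implicit cleanup rule
```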