Date:      Mon, 23 Sep 2002 09:09:21 +0200
From:      <Danny.Carroll@mail.ing.nl>
To:        <forrie@forrie.com>, <freebsd-ipfw@freebsd.org>
Subject:   RE: Forwarding/proxying of IM services
Message-ID:  <C6304883FB11E347AD4958D3F14EC00AE89200@ing.com>

Not *really* being familiar with Trillian, I'll try and answer this as it
applies to ICQ.
It's been a while since I looked into this but I doubt much has changed.
I will also assume your firewall is completely open since it really is
a NAT problem.

This is actually really similar to the passive/active FTP problem for
firewalls.

It basically centers around the fact that application developers, when
choosing protocols for their net apps, need to take into consideration
clients being on opposite sides of firewalls.

NAT works by watching the outgoing connections a client makes and
redirecting them on the way back in.

Unfortunately, it is not god, therefore when it comes across something
it has no idea about it really has no option but to drop the packet (or
forward to some default host, very unwise).

Here is what happens when your ICQ wants to receive a file:
1. Your client (Trillian or ICQ) is told to expect a file from the
   sender's client.
2. Your client then says "OK, send it to me on port AAAA".
3. The sender's client opens up a connection to your IP address on
   port AAAA and the file is transferred.

Now, if you have NAT, then the NAT software is used to seeing packets
from the recipient on port BBBB (for the chat transfers), or worse, you
have not even been communicating with the client directly, but via an
ICQ server.

So the natd software sees this new connection, on port AAAA, and it has
NO idea who it is meant for.

NAT gets around this in the case of active FTP transfers by actually
watching the FTP protocol for the handshaking (steps 1 and 2), and
redirects accordingly...  But you can't expect natd to implement every
different IM protocol out there, can you?

At least not until the IM developers get their act together and
integrate their protocols.  (Yeah right!)

Sometimes, IM clients give the option to skip the server and send
directly to the client for all transfers, but chances are you will get
firewalled at the recipient's end anyway, so it's kind of a useless
workaround.

The only thing you can do is watch what the software is *trying* to do
and see if you can get IPFW/natd to open up enough to allow what you
need.

For example, if you watch ICQ attempts and see that most of the time
they are coming in on ports 8000 - 9000 (this is a guess), you *could*
tell natd to forward all these ports to one machine, and do all your
IM'ing from there.  It's not really an elegant solution tho, is it?

-D


-----Original Message-----
From: Forrest Aldrich [mailto:forrie@forrie.com]
Sent: 23 September 2002 03:31
To: freebsd-ipfw@freebsd.org
Subject: Forwarding/proxying of IM services


I've not found a FAQ on this, as it applies to ipfw.

I use a popular IM client called Trillian (http://www.trillian.cc).  For
the longest time (with IM generally), I've not been able to perform file
transfers; this is because I'm behind a FreeBSD-4.7 NAT (ipfw + nat)
firewall, with an internal RFC network.

What I want to know is if there are rules I can implement with ipfw that
will permit these file transfer services to work properly - or if I'd
otherwise have to install some proxying program.

Any pointers would be appreciated, and I will forward that info to the
Trillian Forum for future users to see.


Thanks!
Forrest


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
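
The NAT behaviour described in the reply above, modelled as a small Python simulation (an added example, not code from this thread or from natd): a tracked reply gets back in, the file transfer to port AAAA is dropped, an FTP-style helper that reads the handshake opens the right mapping, and a static port-range forward makes the transfer work. The `Nat` class and every address and port number are constructed for illustration.

```python
import re

class Nat:
    """Toy port-translating NAT in front of private hosts (simplified model)."""
    def __init__(self, public_ip, ftp_helper=False):
        self.public_ip, self.ftp_helper = public_ip, ftp_helper
        self.next_port = 40000
        self.flows = {}      # (public_port, remote) -> (private_ip, private_port)
        self.expected = {}   # public_port -> private endpoint learned by a helper
        self.redirects = []  # static (low, high, private_ip) forwards

    def outbound(self, src, remote, payload=""):  # one call = one new connection
        self.next_port += 1
        pub = self.next_port
        self.flows[(pub, remote)] = src
        m = re.fullmatch(r"PORT (?:\d+,){4}(\d+),(\d+)", payload)
        if self.ftp_helper and m:  # steps 1 and 2 are readable by the helper
            self.next_port += 1
            data = self.next_port
            self.expected[data] = (src[0], int(m[1]) * 256 + int(m[2]))
            payload = "PORT %s,%d,%d" % (self.public_ip.replace(".", ","),
                                         data >> 8, data & 255)
        return pub, payload

    def inbound(self, remote, public_port):  # private endpoint, or None = drop
        if (public_port, remote) in self.flows:
            return self.flows[(public_port, remote)]
        if public_port in self.expected:
            return self.expected.pop(public_port)
        for low, high, host in self.redirects:
            if low <= public_port <= high:
                return (host, public_port)
        return None

def demo():  # constructed sample addresses and ports throughout
    nat, me = Nat("203.0.113.1", ftp_helper=True), "192.168.1.10"
    icq_server, sender = ("198.51.100.5", 5190), ("198.51.100.77", 3000)
    pub, _ = nat.outbound((me, 1025), icq_server)
    r = {"server_reply": nat.inbound(icq_server, pub),
         "file_on_AAAA": nat.inbound(sender, 8500)}  # port named inside IM traffic
    _, r["ftp_port_cmd"] = nat.outbound((me, 1026), ("198.51.100.9", 21),
                                        "PORT 192,168,1,10,19,137")
    r["ftp_data"] = nat.inbound(("198.51.100.9", 20), 40003)
    nat.redirects.append((8000, 9000, me))  # the guessed range from the message
    r["file_after_redirect"] = nat.inbound(sender, 8500)
    r["stranger_same_port"] = nat.inbound(("192.0.2.200", 4444), 8500)
    return r

if __name__ == "__main__":
    print(demo())
```

The last result is the cost of the static forward: once the range is redirected, a connection from any remote host to those ports reaches that one internal machine, not only the IM peer.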



