Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 23 Sep 2002 09:09:21 +0200
From:      <Danny.Carroll@mail.ing.nl>
To:        <forrie@forrie.com>, <freebsd-ipfw@freebsd.org>
Subject:   RE: Forwarding/proxying of IM services
Message-ID:  <C6304883FB11E347AD4958D3F14EC00AE89200@ing.com>

Next in thread | Raw E-Mail | Index | Archive | Help
No *really* being familiar with trillian, I'll try and answer this as it =
applies to ICQ.
It's been a while since I looked into this but I doubt much has changed. =
 I will also assume your firewall is completely open since, it really is =
a NAT problem.

This is actually really similar to the passive/active ftp problem for =
firewalls.

It basically centers around the fact that application developers, when =
choosing protocols for their net apps, need to take into consideration =
clients being on opposite sides of firewalls.

Nat works by watching the outgoing connections a client works and =
redirecting them on the way back in.

Unfortunatly, it is not god, therefore when it comes accross something =
it has no idea about it really has no option but to drop the packet (Or =
forward to some default host, very unwise).

Here is what happens when your ICQ wants to recieve a file:
1. Your client(trillian or ICQ) is told to expect a file from the =
sender's client.
2. Your client then says "OK, send it to me on port AAAA".
3. The sender's client opens up a connection to the your IP address on =
port AAAA and the file is transfered.

Now, if you have nat, then the nat sofware is used to seeing packets =
from the recipient on port BBBB (For the chat transfers), or worse, you =
have not even been communicating with the client directly, but via an =
ICQ server.

So the Natd software sees this new connection, on port AAAA, and it has =
NO idea who it is meant for.

Nat get's around this in the case of active FTP transfers by actually =
watching the FTP protocol for the handshaking (steps 1 and 2), and =
redirects accordingly...  But you can't expect Natd to implement every =
different IM protocol out there, can you?

At least not until the IM developers get their act together and =
integrate their protocols.  (Yeah right!)

Sometimes, IM clients give the opption to skip the server and send =
directly to the client for all transfers, but chances are you will get =
firewalled at the recipients end anyway, so it's kind of a useless =
workaround.

The only thing you can do is watch what the software is *trying* to do =
and see if you can get IPFW/Natd to open up enough to allow what you =
need.

For example, if you watch ICQ attempts and see that most of the time, =
they are comming in on ports 8000 - 9000 (This is a guess), you *could* =
tell natd to forward all these ports to one machine, and do all your =
IM'ing from there.  It's not really an elegant solution tho is it?

-D


-----Original Message-----
From: Forrest Aldrich [mailto:forrie@forrie.com]
Sent: 23 September 2002 03:31
To: freebsd-ipfw@freebsd.org
Subject: Forwarding/proxying of IM services


I've not found a FAQ on this, as it applies to ipfw.

I use a popular IM client called Trillian (http://www.trillian.cc).   =
For=20
the longest time (with IM generally), I've not been able to perform file =

transfers; this is because I'm behind a FreeBSD-4.7 NAT (ipfw + nat)=20
firewall, with an internal RFC network.

What I want to know is if there are rules I can implement with ipfw that =

will permit these file transfer services to work properly - or if I'd=20
otherwise have to install some proxying program.

Any pointers would be appreciated, and I will forward that info to the=20
Trillian Forum for future users to see.


Thanks!
Forrest


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
-----------------------------------------------------------------=0A=
ATTENTION:=0A=
The information in this electronic mail message is private and=0A=
confidential, and only intended for the addressee. Should you=0A=
receive this message by mistake, you are hereby notified that=0A=
any disclosure, reproduction, distribution or use of this=0A=
message is strictly prohibited. Please inform the sender by=0A=
reply transmission and delete the message without copying or=0A=
opening it.=0A=
=0A=
Messages and attachments are scanned for all viruses known.=0A=
If this message contains password-protected attachments, the=0A=
files have NOT been scanned for viruses by the ING mail domain.=0A=
Always scan attachments before opening them.=0A=
-----------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?C6304883FB11E347AD4958D3F14EC00AE89200>