From: Danny.Carroll@mail.ing.nl
To: freebsd-ipfw@freebsd.org
Date: Mon, 23 Sep 2002 09:09:21 +0200
Subject: RE: Forwarding/proxying of IM services

Not *really* being familiar with Trillian, I'll try and answer this as it applies to ICQ.

It's been a while since I looked into this but I doubt much has changed. I will also assume your firewall is completely open since it really is a NAT problem.

This is actually really similar to the passive/active FTP problem for firewalls.

It basically centers around the fact that application developers, when choosing protocols for their net apps, need to take into consideration clients being on opposite sides of firewalls.

NAT works by watching the outgoing connections a client makes and redirecting them on the way back in.
Unfortunately, it is not God, therefore when it comes across something it has no idea about it really has no option but to drop the packet (or forward to some default host, very unwise).

Here is what happens when your ICQ wants to receive a file:

1. Your client (Trillian or ICQ) is told to expect a file from the sender's client.
2. Your client then says "OK, send it to me on port AAAA".
3. The sender's client opens up a connection to your IP address on port AAAA and the file is transferred.

Now, if you have NAT, then the NAT software is used to seeing packets from the recipient on port BBBB (for the chat transfers), or worse, you have not even been communicating with the client directly, but via an ICQ server.

So the natd software sees this new connection, on port AAAA, and it has NO idea who it is meant for.

NAT gets around this in the case of active FTP transfers by actually watching the FTP protocol for the handshaking (steps 1 and 2), and redirects accordingly... But you can't expect natd to implement every different IM protocol out there, can you? At least not until the IM developers get their act together and integrate their protocols. (Yeah right!)

Sometimes, IM clients give the option to skip the server and send directly to the client for all transfers, but chances are you will get firewalled at the recipient's end anyway, so it's kind of a useless workaround.

The only thing you can do is watch what the software is *trying* to do and see if you can get IPFW/natd to open up enough to allow what you need.

For example, if you watch ICQ attempts and see that most of the time they are coming in on ports 8000 - 9000 (this is a guess), you *could* tell natd to forward all these ports to one machine, and do all your IM'ing from there.

It's not really an elegant solution though, is it?
-D

-----Original Message-----
From: Forrest Aldrich [mailto:forrie@forrie.com]
Sent: 23 September 2002 03:31
To: freebsd-ipfw@freebsd.org
Subject: Forwarding/proxying of IM services

I've not found a FAQ on this, as it applies to ipfw.

I use a popular IM client called Trillian (http://www.trillian.cc). For the longest time (with IM generally), I've not been able to perform file transfers; this is because I'm behind a FreeBSD-4.7 NAT (ipfw + nat) firewall, with an internal RFC network.

What I want to know is if there are rules I can implement with ipfw that will permit these file transfer services to work properly - or if I'd otherwise have to install some proxying program.

Any pointers would be appreciated, and I will forward that info to the Trillian Forum for future users to see.

Thanks!

Forrest

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
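The workaround the reply sketches (statically forwarding a guessed port range to the one inside host that runs the IM client) written out as a FreeBSD 4.x natd + ipfw configuration. This is an added example, not configuration posted by either participant; the outside interface name fxp0, the inside host 192.168.1.10 and the 8000-9000 range (the reply's own guess, not a documented ICQ value) are assumptions you must replace with your own values.

```conf
# --- /etc/rc.conf (added example; fxp0 and 192.168.1.10 are assumed values) ---
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# --- /etc/natd.conf ---
# Translate everything leaving fxp0. The redirect_port line pre-creates the
# mapping natd otherwise cannot learn (step 2 of the reply happens inside the
# IM protocol, which natd does not parse): an unsolicited inbound TCP
# connection to the public address on 8000-9000 is delivered to 192.168.1.10
# on the same port. The range is an assumption; read the real listen-port
# setting from the IM client instead of guessing.
interface fxp0
use_sockets yes
# try to keep the outgoing source port unchanged, so a port the client
# announces in-band has a chance of matching what the peer actually sees
same_ports yes
redirect_port tcp 192.168.1.10:8000-9000 8000-9000

# --- /etc/ipfw.rules (each line is an ipfw command; loaded via firewall_type) ---
# Hand every packet crossing fxp0 to natd first. On the way in the destination
# has already been rewritten to 192.168.1.10 by the time later rules see it,
# so the allow rule must name the inside address, not the public one.
add 100 divert natd ip from any to any via fxp0
add 200 allow tcp from any to 192.168.1.10 8000-9000 in via fxp0 setup
# your existing rules for everything else follow here
```

Two caveats a practitioner should weigh before deploying this: the mapping is static, so every TCP port in the range is reachable from the whole Internet and lands on that single inside host regardless of whether an IM transfer is pending, and only that one host can receive transfers. It also does nothing for the problem the reply notes at the other end: if the sender sits behind a NAT without such a mapping, a transfer initiated towards the sender still fails. Restarting natd is required for the new redirect_port line to take effect.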