
Re: iptables + icq



> On Fri, 17 Aug 2001, Michael Wood wrote:
> 
> > On Fri, Aug 17, 2001 at 08:10:41AM +1000, Paul Haesler wrote:
> > > Are you masquerading? I found the easiest way to get icq to
> > > work through IP-masquerading was to use a SOCKS proxy:
> > >
> > > apt-get install socks4
> >
> > Or "apt-get install dante" since it supports socks4 and socks5.
> 
> But isn't a socks proxy quite a big hole in the firewall?

Yes, but not as big as opening up every port from 1024 to 65535,
which is what the original post suggested!

> Specifically, it allows any trojaned host in the inside network to
> accept connections from the outside.
> 
> (Also: an ICQ client listening on a port is also a weakness. I'm not
> entirely sure that those clients, at least the mirabilis ones, don't
> have some exploitable/exploited buffer overflows)

The bottom line is, if you want users behind the firewall to be able to
use generalised proprietary communications software, you have to 
wear some pretty big holes in the firewall (or some pretty unhappy
users.)  At least icq will work with a socks proxy.  The only way to
get Microshit Netmeeting to work through a firewall for example is 
to pretty much turn off the firewall entirely.

Paul Haesler
paul@anti-tank.mine.nu      icq: 74142604

    "We are the Steely-Pips and we have no fear, no
     spats in our vats, no rules, no schools, no gloom,
     no evil influence of the moon, for we have a machine,
     a dream of a machine, with springs and gears and 
     perfect in every respect."

     Stanislaw Lem, The Cyberiad (Trurl's Prescription)
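As an added example (not code from this thread or any of its posters), the following Python audit contrasts the two firewall approaches discussed above: the "open every port from 1024 to 65535" ruleset beside one that only offers a SOCKS proxy to the LAN and lets the outside send nothing but replies. Both iptables-save rulesets are constructed here; the interface names (ppp0 as the Internet side, eth0 as the LAN side) and the SOCKS port 1080 are assumptions. The audit reads each ruleset and reports every ACCEPT rule under which a host on the outside can open a new connection, with the width of the port range it exposes.

```python
"""Audit iptables-save style rulesets for unsolicited inbound exposure.

Added example for this thread, not code from the original post. Rulesets,
interface names (ppp0 = Internet, eth0 = LAN) and SOCKS port 1080 are
constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXT_IF = "ppp0"  # assumed Internet-facing interface
LAN_IF = "eth0"  # assumed LAN interface

# Constructed ruleset 1: the "big hole" - every high port reachable from outside.
WEAK_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ppp0 -p tcp --dport 1024:65535 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 1024:65535 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp --dport 1024:65535 -j ACCEPT
COMMIT
"""

# Constructed ruleset 2: SOCKS proxy (assumed port 1080) offered to the LAN only;
# the outside only gets replies to connections that were opened from inside.
PROXY_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 1080 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


@dataclass
class Finding:
    chain: str
    proto: str
    lo: int
    hi: int
    rule: str

    @property
    def width(self) -> int:
        return self.hi - self.lo + 1


def _options(tokens: List[str]) -> dict:
    """Crude iptables option parser: '-x val', '--long val' or bare flags.
    '!' negation is not interpreted, so a negated match is read as positive;
    this over-reports exposure rather than hiding it."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def _port_range(spec: Optional[str]) -> Optional[Tuple[int, int]]:
    """'1080' -> (1080, 1080); '1024:65535' -> (1024, 65535); None -> None."""
    if spec is None:
        return None
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def audit(rules_text: str, ext_if: str = EXT_IF) -> List[Finding]:
    """Return the ACCEPT rules that let a host on ext_if open a new connection."""
    findings: List[Finding] = []
    for line in rules_text.splitlines():
        m = re.match(r"^-A\s+(\S+)\s+(.*)$", line.strip())
        if not m:
            continue
        chain, opts = m.group(1), _options(m.group(2).split())
        if opts.get("-j") != "ACCEPT" or chain not in ("INPUT", "FORWARD"):
            continue
        if opts.get("-i", ext_if) != ext_if:
            continue  # only matches packets arriving on some other interface
        states = opts.get("--state")
        if states and "NEW" not in str(states).split(","):
            continue  # only replies to connections opened from our side
        rng = _port_range(opts.get("--dport"))
        lo, hi = rng if rng else (0, 65535)  # no --dport: every port matches
        findings.append(Finding(chain, opts.get("-p", "any"), lo, hi, line.strip()))
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("proxy", PROXY_RULES)):
        found = audit(rules)
        print(f"{name}: {len(found)} rule(s) accept new connections from {EXT_IF}")
        for f in found:
            print(f"  {f.chain} {f.proto} {f.lo}:{f.hi} ({f.width} ports)  <- {f.rule}")
```

Run against the weak ruleset the audit reports three rules, each exposing 64512 ports; against the proxy ruleset it reports nothing, because the only NEW-accepting rules match eth0. The proxy ruleset as constructed covers SOCKS CONNECT (connections the proxy opens outbound); if the proxy must also accept inbound connections on behalf of LAN clients (SOCKS BIND, the remaining hole the thread concedes), those listening ports need an INPUT accept on ppp0, and this audit would then list exactly that range, which is the number to compare against 64512.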


