On Wednesday 16 January 2002 19:45, Mauricio Latorre wrote:
> ICQ is a risk inside a network. A way to avoid this risk and still allow the chat: you can use a web proxy in order to send the messages through an HTTP tunnel. ICQ can do this, and IMHO it's a bit more secure.
One thing I've seen is that ICQ servers are defined for both ports 4000 and 53 on their servers, so if you NAT/Masquerade DNS traffic you might be permitting ICQ (and other UDP protocols), not just DNS lookups.

How much of a risk is ICQ? Surely all protocols, including HTTP, are a 'risk'; just look at M$'s recent advisory on IE5.5sp2 and IE6: image/jpeg files with .exe extensions are downloaded and run. A proxy can't protect you against client software like that.

The rules that work for me are:

    $iprulecmd -A ludpin -p udp -s 205.188.153.0/24 --source-port 4000 --destination-port 1024: -j ACCEPT

You would need something similar, but to use NAT or Masquerade for that UDP traffic. A questioner posted about ICQ in one of the Linux Today forums, and there's more info there about the TCP/IP ports used.

AFAIK, if you want ICQ to function completely between the protected network and the outside, you need to use 2.2 ipchains and the ICQ helper module, which is not yet available for 2.4, and Rusty Russell et al. have no interest in supporting this proprietary protocol.

Rob
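The point Rob makes above, that a loosely written "allow DNS replies" rule (any source address, source port 53) also lets in ICQ servers that answer from port 53, is easy to see with a small rule matcher. The following is an added example, not code from the thread or from any firewall project: it models only the `-A`, `-p`, `-s`, `--source-port`, `--destination-port` and `-j` options of the rule quoted above, assumes a default DROP policy for anything unmatched, and does no state tracking or NAT. The resolver address 192.0.2.53 and the client 10.0.0.5 are constructed; the 205.188.153.0/24 range is the one from Rob's rule.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: Optional[str]
    src: ipaddress.IPv4Network
    sport: Optional[PortRange]
    dport: Optional[PortRange]
    target: str


def parse_ports(spec: str) -> PortRange:
    """iptables port spec: '4000' -> (4000, 4000); '1024:' -> (1024, 65535); ':1023' -> (0, 1023)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


def parse_rule(text: str) -> Rule:
    """Parse the subset of iptables syntax used in the quoted rule (flag/value pairs only)."""
    toks = shlex.split(text)
    opts = {toks[i]: toks[i + 1] for i in range(0, len(toks), 2)}
    return Rule(
        chain=opts["-A"],
        proto=opts.get("-p"),
        # No -s means "any source", which is exactly the over-broad case discussed above.
        src=ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False),
        sport=parse_ports(opts["--source-port"]) if "--source-port" in opts else None,
        dport=parse_ports(opts["--destination-port"]) if "--destination-port" in opts else None,
        target=opts["-j"],
    )


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.sport and not (rule.sport[0] <= pkt.sport <= rule.sport[1]):
        return False
    if rule.dport and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; unmatched packets get the chain's (assumed) DROP policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


# Rob's ICQ rule, plus a loose and a tightened DNS-reply rule for comparison.
ICQ_RULE = "-A ludpin -p udp -s 205.188.153.0/24 --source-port 4000 --destination-port 1024: -j ACCEPT"
LOOSE_DNS = "-A ludpin -p udp --source-port 53 --destination-port 1024: -j ACCEPT"
TIGHT_DNS = "-A ludpin -p udp -s 192.0.2.53/32 --source-port 53 --destination-port 1024: -j ACCEPT"

# Constructed sample traffic: a real resolver reply and three replies from the ICQ server range.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "dns_reply": Packet("udp", "192.0.2.53", 53, "10.0.0.5", 40000),
    "icq_via_53": Packet("udp", "205.188.153.10", 53, "10.0.0.5", 40001),
    "icq_via_4000": Packet("udp", "205.188.153.10", 4000, "10.0.0.5", 40001),
    "icq_low_port": Packet("udp", "205.188.153.10", 4000, "10.0.0.5", 1023),
}


def evaluate(ruleset: List[str]) -> Dict[str, str]:
    """Return the verdict for every sample packet under the given textual rules."""
    rules = [parse_rule(text) for text in ruleset]
    return {name: verdict(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, ruleset in (("loose DNS", [LOOSE_DNS]), ("tight DNS", [TIGHT_DNS]), ("ICQ rule", [ICQ_RULE])):
        print(label, evaluate(ruleset))
```

Running it shows that the loose DNS rule accepts `icq_via_53` while the tightened rule, pinned to the resolver's address, accepts only the genuine DNS reply; Rob's ICQ rule admits the port-4000 traffic to unprivileged client ports and nothing else, which is the narrowest way to let the client through without reopening everything that answers from port 53.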