Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Allow ICQ under SuSEfirewall2?
On Wednesday 16 January 2002 19:45, Mauricio Latorre wrote:

> ICQ is a risk inside a network. One way to avoid this risk and still allow
> chat is to use a web proxy to send the messages through an HTTP tunnel.
> ICQ can do this, and IMHO it's a bit more secure.

One thing I've seen is that ICQ servers are defined for both ports 4000 and 53,
so if you NAT/Masquerade DNS traffic you might be permitting ICQ (and other
UDP protocols), not just DNS lookups.

How much of a risk is ICQ? Surely all protocols, including HTTP, are a 'risk';
just look at M$'s recent advisory on IE5.5sp2 and IE6: image/jpegs with .exe
extensions are downloaded and run. A proxy can't protect you against client
software like that.

The rules that work for me are :

$iprulecmd -A ludpin -p udp -s 205.188.153.0/24 --source-port 4000 --destination-port 1024: -j ACCEPT

You would need something similar, but to NAT or Masquerade that UDP
traffic.

A questioner posted on ICQ in one of the Linux Today forums, and there's more
info there about the TCP/IP ports used. AFAIK if you want ICQ to function
completely in the protected network with the outside, you need to use 2.2
ipchains and the ICQ helper module, which is not yet available for 2.4, and
Rusty Russell et al. have no interest in supporting this proprietary protocol.

Rob
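
An added example, not part of Rob's message: a check that tells well-formed DNS queries apart from other UDP payloads sent to port 53, the situation described above where masquerading DNS also lets other UDP protocols through. The sample datagrams, addresses and helper names are constructed for illustration, and the check is a heuristic that a protocol imitating DNS would pass.

```python
import struct

def looks_like_dns_query(payload: bytes) -> bool:
    """True if a UDP payload parses as one well-formed standard DNS query."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    # QR=0 (query), opcode=0 (standard), rcode=0; one question, no answers.
    if flags & 0x8000 or (flags >> 11) & 0xF or flags & 0x000F:
        return False
    if qd != 1 or an or ns:
        return False
    pos, name_len = 12, 0
    while True:  # walk the QNAME labels
        if pos >= len(payload):
            return False
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n > 63:  # too long, or a compression pointer (not valid here)
            return False
        name_len += n + 1
        if name_len > 254:
            return False
        pos += n
    if pos + 4 > len(payload):  # QTYPE + QCLASS must follow the name
        return False
    pos += 4
    # Without additional records (e.g. EDNS) nothing may trail the question.
    return ar > 0 or pos == len(payload)

def build_query(name: str, flags: int = 0x0100) -> bytes:
    """Constructed test input: a minimal A/IN query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!2H", 1, 1))

def non_dns_on_port_53(datagrams):
    """Return the source addresses whose UDP/53 payload is not a DNS query."""
    return [src for src, dport, data in datagrams
            if dport == 53 and not looks_like_dns_query(data)]

# Constructed sample traffic from an internal LAN (RFC 1918 addresses).
SAMPLE = [
    ("192.168.1.10", 53, build_query("www.example.com")),
    ("192.168.1.11", 53, b"\x02\x00NOT-A-DNS-MESSAGE"),         # arbitrary bytes
    ("192.168.1.12", 53, build_query("www.example.com")[:-3]),  # truncated query
    ("192.168.1.13", 4000, b"\x02\x00NOT-A-DNS-MESSAGE"),       # other port: ignored
]
```

Fed with payloads captured on the firewall's internal interface, `non_dns_on_port_53` lists the hosts sending something other than DNS lookups to port 53.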

