NATd and ICQ problems

Post by Todd Fulle » Mon, 15 Feb 1999 04:00:00



        I recently configured my FreeBSD box to act as a gateway with pretty
good success. The only problem I am having is that occasionally I am not
able to get direct connections to others on ICQ from one of the machines
on my mini-lan. I have natd running with the -s and -m flags, so I am
not sure what else I can do. Maybe this is a problem with the firewall
rules. They are currently set to open (so essentially no firewall). Any
ideas? I'm running FreeBSD 3.0.

Todd Fuller

 
 
 

Post by Shaun Rowlan » Mon, 15 Feb 1999 04:00:00



>    I recently configured my FreeBSD box to act as a gateway with pretty
> good success. The only problem I am having is that occasionally I am not
> able to get direct connections to others on ICQ from one of the machines
> on my mini-lan. I have natd running with the -s and -m flags, so I am
> not sure what else I can do. Maybe this is a problem with the firewall
> rules. They are currently set to open (so essentially no firewall). Any
> ideas? I'm running FreeBSD 3.0.

> Todd Fuller

Not sure, but it is not a problem with your firewall rules.  If it is set to
open, then it will basically not touch anything.  I only use the -u -m flags
to natd.  This seems to work for my roommate's AOL Instant Messenger (I hate
it).  Don't know about ICQ though.  I think there is a firewall option that
might help you with going through natd.  Not sure though.  I am using the
Java version.

I occasionally can't get direct connections through ICQ anyway :-)

--

IICF System Administrator       DL798
http://www.cis.ohio-state.edu/~rowland

 
 
 

Post by Marc Si » Mon, 15 Feb 1999 04:00:00



>    I recently configured my FreeBSD box to act as a gateway with pretty
>good success. The only problem I am having is that occasionally I am not
>able to get direct connections to others on ICQ from one of the machines
>on my mini-lan. I have natd running with the -s and -m flags, so I am
>not sure what else I can do. Maybe this is a problem with the firewall
>rules. They are currently set to open (so essentially no firewall). Any
>ideas? I'm running FreeBSD 3.0.

This seems to be a problem with (a) ICQ itself (which isn't entirely
reliable) and (b) the ICQ protocol, meaning the way it uses TCP and UDP
connections. The protocol isn't ideally designed to work with NAT.

What you can do is install SOCKS as well as NAT on your gateway machine.
Since connections through the SOCKS proxy are addressed to the gateway machine
itself, this works fine in parallel with NAT. The socks5 daemon has a slightly
obscure man page and configuration, but a socks5.conf like the following
should do it, assuming your internal LAN is ed0:192.168.0/24. The last
line spares the ident lookup on every connection, since your internal Macs
and PCs probably don't answer ident queries most of the time.

interface - - ed0
permit - - 192.168.0. - - -
set SOCKS5_NOIDENT

--

If you can't play with words, what good are they?

 
 
 

Post by Todd Fulle » Mon, 15 Feb 1999 04:00:00


I'm going to take a look at it and do some tests right now... I think
the problem stems from the fact that the user I am having problems with
is behind another NAT or firewall I think and Mirabilis says that that
will cause mucho problems.

Todd

 
 
 

Post by t.. » Mon, 15 Feb 1999 04:00:00



>    I recently configured my FreeBSD box to act as a gateway with pretty
>good success. The only problem I am having is that occasionally I am not
>able to get direct connections to others on ICQ from one of the machines
>on my mini-lan. I have natd running with the -s and -m flags, so I am
>not sure what else I can do. Maybe this is a problem with the firewall
>rules. They are currently set to open (so essentially no firewall). Any
>ideas? I'm running FreeBSD 3.0.

Some people do block ICQ in their routers, along with PointCast and other traffic
deemed high-bandwidth with little value in return.

Ted

 
 
 

Post by Maxim Maximo » Tue, 16 Feb 1999 04:00:00


Hi.

    From http://www.icq.com/faq/firewall.html :

-------------------------------------------------------

The following is intended for Firewall administrators.

In order to work from behind a firewall:
ICQ must be able to communicate with an ICQ server. This is done through
port 4000 UDP to icq.mirabilis.com.

! Port should be opened for icq.mirabilis.com and not any specific IP
address, since it stands for more than one IP address.

After an outgoing UDP packet is sent to icq.mirabilis.com port 4000, you
must configure the firewall so that a reply on that packet will be able to
be received through the firewall. If your firewall session times out in less
than 5 minutes, configure the ICQ preferences accordingly:

Click ICQ/Menu and choose Preferences
Hit Connection and select 'I am behind a firewall or proxy' and click the
Firewall Settings button.
If you cannot change your firewall configurations in this way, you may use
one of two proxies:

Socks5 Compatible. If you are using a Socks5 Compatible, configure ICQ
accordingly: Click ICQ/Menu and select Preferences, select the Connection
tab.
UDP Mapping. You must create a mapping to the ICQ server.

ICQ must be able to communicate with other ICQ clients. This is done via TCP
ports that are above 1023 (ICQ needs at least 3 ports open). Your firewall
must enable outgoing TCP connection. You need to either enable outgoing
connection for all IPs or you could enable outgoing connection for fixed
IPs. The simplest solution is to use a proxy with the firewall (preferably,
a socks4/socks5 compatible). If you have a Socks5 server, all you need to do
is configure ICQ to use it:

Click ICQ/Menu and click Preferences.
Click Connection Settings. (A Socks5 server can be found at
http://www.socks.nec.com)
If you have a Socks4 server, you will still need to configure it via
Preferences Connection, but you will also need to allow packets to go out to
an ICQ server (as explained in Requirement #1).
-------------------------------------------------------

    So I use:

    add 111 allow udp from any to any 4000
    add 112 allow tcp from private.host to any 1024-65500

    If you dislike opening so many tcp ports, you can deny some before, such
as:

    add 110 deny tcp from private.host to any 6667

    Hope this helps..

--
Maxim Maximov
Data Communications Dept.
SoftJoys Corp.

phn: +7-812-108-5463
fax: +7-812-108-4796
icq: 13495098


> I recently configured my FreeBSD box to act as a gateway with pretty
>good success. The only problem I am having is that occasionally I am not
>able to get direct connections to others on ICQ from one of the machines
>on my mini-lan. I have natd running with the -s and -m flags, so I am
>not sure what else I can do. Maybe this is a problem with the firewall
>rules. They are currently set to open (so essentially no firewall). Any
>ideas? I'm running FreeBSD 3.0.

>Todd Fuller

 
 
 

Post by Seggy Umbo » Wed, 17 Feb 1999 04:00:00


Actually if you configure ICQ to use a fixed port number then you can make
a port mapping for each computer that needs to use icq.

in fact, it'd be best to assign a _range_ of ports like 10? coz each direct
connection that you receive (chat, file xfer, message) will open up a port,
so you might need a few at the same time.

to do this, you'll have to go to icq's preferences page and set it to use a
firewall->not socks->tcp ports, then set the corresponding port mappings on
your routing computer. remember to map the ports to the same port number on
the routing computer (ie port 5000 on routing computer mapped to port 5000
on client machine)

good luck!

--On Wednesday, February 17, 1999, 12:16 PM +1030 DiSKiLLeR



> gateway with pretty
>> > good success. The only problem I am having is that occasionally I am
>> > not  able to get direct connections to others on ICQ from one of the
>> > machines  on my mini-lan. I have natd running with the -s and -m
>> > flags, so I am  not sure what else I can do. Maybe this is a problem
>> > with the firewall  rules. They are currently set to open (so
>> > essentially no firewall). Any  ideas? I'm running FreeBSD 3.0.

> > I have freebsd as a firewall forwarding packets to my wintel machine
> > with ICQ.
> > ICQ sort of works. It does work but occasionally just crashes,
> > especially when one of the other computers  on both the internal and
> > external networks tries to send a file to it. It does go offline and
> > online a lot. I think my ip aliasing lets all outgoing connections work
> > and redirects the reply packets, but if the other computers try and
> > initiate the connection I think they get stopped. Any suggestions?

> > Also does anyone know where there's any user-friendly samba
> > documentation?

> That's normal.

> I use up to 5 ICQ's on a minilan, all accessing the net via one Linux
> machine (using IP Masquerading). You'll find ICQ needs to go via the
> server a lot. And if anybody wants to send you a message, they will ALWAYS
> get the "Direct Connection Failed" and they need to click "Send Thru
> Server". Why? Well, if u understand how IP Masquerading Works, or natd in
> this case, it will make perfect sense :)

> Not much that can be done about it, just live with it.

> It basically means that file-xfer and chat doesn't work unless you
> initiate the connection (from within the minilan to someone outside on the
> internet who has a real IP). Won't work the other way. Simply cuz u have a
> "fake" IP from within the minilan.

> Again, internet games such as starcraft, diablo, and others won't work
> from within the minilan either. Invest in some real static IPs, and enjoy
> :)))

> - DiSKiLLeR.


> CnB inc. Company CEO  -- www.cnbinc.com -- www.wasted.net
> ---------------------------------------------------------------
> All the world's a VAX,
> And all the coders merely butchers;
> They have their exits and their entrails;
> And one int in his time plays many widths,
> His sizeof being _ N bytes.  At first the infant,
> Mewling and puking in the Regent's arms.
> And then the whining schoolboy, with his Sun,
> And shining morning face, creeping like slug
> Unwillingly to school.
>                 -- A Very Annoyed PDP-11

----------------------------------------------------------------------------

THIS IS A COMPUTER DELIVERED MESSAGE.
NO SIGNATURE IS REQUIRED.

 
 
 

Post by Phil » Thu, 18 Feb 1999 04:00:00


> >       I recently configured my FreeBSD box to act as a gateway with pretty
> >good success. The only problem I am having is that occasionally I am not
> >able to get direct connections to others on ICQ from one of the machines
> >on my mini-lan. I have natd running with the -s and -m flags, so I am
> >not sure what else I can do. Maybe this is a problem with the firewall
> >rules. They are currently set to open (so essentially no firewall). Any
> >ideas? I'm running FreeBSD 3.0.

I have freebsd as a firewall forwarding packets to my wintel machine
with ICQ.
ICQ sort of works. It does work but occasionally just crashes,
especially when one of the other computers  on both the internal and
external networks tries to send a file to it. It does go offline and
online a lot. I think my ip aliasing lets all outgoing connections work
and redirects the reply packets, but if the other computers try and
initiate the connection I think they get stopped. Any suggestions?

Also does anyone know where there's any user-friendly samba
documentation?

 
 
 

Post by DiSKiLLe » Thu, 18 Feb 1999 04:00:00



> > >       I recently configured my FreeBSD box to act as a gateway with pretty
> > >good success. The only problem I am having is that occasionally I am not
> > >able to get direct connections to others on ICQ from one of the machines
> > >on my mini-lan. I have natd running with the -s and -m flags, so I am
> > >not sure what else I can do. Maybe this is a problem with the firewall
> > >rules. They are currently set to open (so essentially no firewall). Any
> > >ideas? I'm running FreeBSD 3.0.

> I have freebsd as a firewall forwarding packets to my wintel machine
> with ICQ.
> ICQ sort of works. It does work but occasionally just crashes,
> especially when one of the other computers  on both the internal and
> external networks tries to send a file to it. It does go offline and
> online a lot. I think my ip aliasing lets all outgoing connections work
> and redirects the reply packets, but if the other computers try and
> initiate the connection I think they get stopped. Any suggestions?

> Also does anyone know where there's any user-friendly samba
> documentation?

That's normal.

I use up to 5 ICQ's on a minilan, all accessing the net via one Linux machine
(using IP Masquerading). You'll find ICQ needs to go via the server a lot. And if
anybody wants to send you a message, they will ALWAYS get the "Direct Connection
Failed" and they need to click "Send Thru Server". Why? Well, if u understand how
IP Masquerading Works, or natd in this case, it will make perfect sense :)

Not much that can be done about it, just live with it.

It basically means that file-xfer and chat doesn't work unless you initiate the
connection (from within the minilan to someone outside on the internet who has a
real IP). Won't work the other way. Simply cuz u have a "fake" IP from within the
minilan.

Again, internet games such as starcraft, diablo, and others won't work from
within the minilan either. Invest in some real static IPs, and enjoy :)))

- DiSKiLLeR.


CnB inc. Company CEO  -- www.cnbinc.com -- www.wasted.net
---------------------------------------------------------------
All the world's a VAX,
And all the coders merely butchers;
They have their exits and their entrails;
And one int in his time plays many widths,
His sizeof being _ N bytes.  At first the infant,
Mewling and puking in the Regent's arms.
And then the whining schoolboy, with his Sun,
And shining morning face, creeping like slug
Unwillingly to school.
                -- A Very Annoyed PDP-11

 
 
 

Post by eric G. Ols » Fri, 19 Feb 1999 04:00:00



>I have freebsd as a firewall forwarding packets to my wintel machine
>with ICQ.
>ICQ sort of works. It does work but occasionally just crashes,
>especially when one of the other computers  on both the internal and
>external networks tries to send a file to it. It does go offline and
>online a lot. I think my ip aliasing lets all outgoing connections work
>and redirects the reply packets, but if the other computers try and
>initiate the connection I think they get stopped. Any suggestions?

Using natd's "redirect_port" directive, you can re-direct ICQ's ports (4000,
2000-2016 for example) to a specific machine inside your firewall.  That'll
get you at least one machine that can receive chat requests, file transfers,
and the like.  The others will have to use a socks proxy, I suppose, and
chat probably won't work unless you initiate it (as others have stated).

read "man natd" regarding redirect_port, and good luck.

HTH
Eric

>Also does anyone know where there's any user-friendly samba
>documentation?
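
Added example, not part of any post in this thread: a shell script for the per-host mapping described in the replies above, giving each LAN machine its own small block of ICQ TCP ports and forwarding it with natd's redirect_port to the same port numbers on the gateway. The 192.168.0.x hosts, base port 5000 and block size 10 are constructed values, and the range form of redirect_port assumes a natd whose man page documents port ranges; check_overlap also assumes the alias field carries no aliasIP: prefix.

```sh
#!/bin/sh
# Added example, not code from the thread. Constructed values below.
BASE_PORT=5000        # first gateway port handed out (assumption)
PORTS_PER_HOST=10     # one block of direct-connection ports per ICQ client

# icq_redirects HOST...
# Prints one natd.conf "redirect_port" line per host. Each host gets a
# disjoint block, and the gateway-side (alias) range equals the target range
# so the port ICQ advertises is the port that is actually reachable.
icq_redirects() {
    start=$BASE_PORT
    for host in "$@"; do
        case "$host" in
            192.168.0.*) ;;   # the LAN used in the socks5.conf post
            *) echo "refusing non-LAN address: $host" >&2; return 1 ;;
        esac
        end=$((start + PORTS_PER_HOST - 1))
        if [ "$end" -gt 65535 ]; then
            echo "port range exhausted at $host" >&2; return 1
        fi
        echo "redirect_port tcp ${host}:${start}-${end} ${start}-${end}"
        start=$((end + 1))
    done
}

# check_overlap
# Reads redirect_port lines on stdin and exits non-zero if two entries of the
# same protocol claim intersecting gateway ports (an ambiguous forward).
check_overlap() {
    awk '$1 == "redirect_port" {
            n = split($4, r, "-")
            lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
            for (i = 1; i <= cnt; i++)
                if (P[i] == $2 && lo <= H[i] && hi >= L[i]) {
                    print "overlap: " $0; bad = 1
                }
            cnt++; P[cnt] = $2; L[cnt] = lo; H[cnt] = hi
         }
         END { exit bad }'
}

# Two constructed LAN clients; output is suitable for appending to natd.conf.
icq_redirects 192.168.0.2 192.168.0.3
```

Every forwarded port is reachable from the Internet on the chosen inside host, so keep the block as small as the client needs and set the same range in that client's ICQ firewall preferences.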

 
 
 
