ICQ was changed in version ICQ 2000 to act like the AOL client software and the AOL
instant messenger program (ICQ is owned by AOL). Both AOL IM and ICQ 2000 will
operate by default over I believe port 5190 TCP (the old ICQ used either UDP port
4000, a range of ports that the user defines, or a SOCKS 4 or SOCKS 5 server). Both
clients also have an option to "auto-detect" ports. The client will scan various
ports for access to the AOL/ICQ servers, such as telnet, ftp, DNS, discard, http,
etc. If you put an AOL/ICQ client behind a firewall with a DROP rule and tell the
client to autodetect, it'll scan through the ports slowly and you can see what ports
it's scanning through. ICQ 2000 will also support connecting via HTTPS in an
attempt to pass through proxy servers. Also if you run a SOCKS server these
clients will pass through that also.

I configure the firewalls here to only pass what is explicitly allowed (AOL/ICQ and
other applications cannot pass through by default), and on our proxy servers and/or
firewalls I'll create filters (resources) for HTTP traffic for sites like
login.aol.com, login.icq.com, etc. with deny rules on them to prevent the clients
from trying to 'hitch a ride' on allowed HTTP/HTTPS traffic. This will also block
the web based IM clients too. AOL and Yahoo have clients (Yahoo's is Java based,
can't remember on AOL) that allow you to run IM clients within a web browser
without the user having to install any software. If either the sites are blocked
with a simple wildcard URI resource, or a proxy blocks by User-Agent, then these
clients won't work.

Speaking of User-Agent, does anyone know how to have FireWall-1 filter by a specific
User-Agent, such as "only allow Mozilla/* browsers"? I have to do this on the proxy
server now for certain sites to prevent Java applets (like the Datek streamer) from
nailing up connections and hogging up resources.

Ron
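
The proxy filtering described above (wildcard deny rules for the IM login sites plus a "Mozilla/*" User-Agent allowlist), written out as an added example; this is not FireWall-1 or proxy configuration from the post, and the request samples, the `ICQ2000b` and `Java1.3.0` agent strings and the host patterns beyond login.aol.com and login.icq.com are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

# Policy modelled on the post: deny the IM login hosts by wildcard and let only
# "Mozilla/*" user agents through the proxy. Patterns other than login.aol.com
# and login.icq.com are assumptions for the example.
DENY_HOSTS = ["login.aol.com", "*.login.aol.com", "login.icq.com", "*.icq.com"]
ALLOW_USER_AGENTS = ["Mozilla/*"]


@dataclass
class Request:
    method: str      # GET, or CONNECT (how HTTPS is tunnelled through a proxy)
    host: str        # Host header or CONNECT target, may carry a :port suffix
    user_agent: str  # empty string when the client sent no User-Agent header


def host_denied(host, patterns=DENY_HOSTS):
    """Case-insensitive wildcard match on the host name, ignoring any port."""
    name = host.lower().split(":")[0].rstrip(".")
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def agent_allowed(user_agent, patterns=ALLOW_USER_AGENTS):
    """A missing User-Agent never matches, so header-less clients are denied."""
    return any(fnmatch.fnmatchcase(user_agent, p) for p in patterns)


def decide(req):
    """Return ('deny', reason) or ('allow', '') for one proxied request."""
    if host_denied(req.host):
        return "deny", "host matches IM login denylist"
    if not agent_allowed(req.user_agent):
        return "deny", "user agent not in allowlist"
    return "allow", ""


# Constructed sample requests: a browser, a browser reaching the ICQ login site,
# an HTTPS tunnel to the AOL login site, an IM client, and a Java applet.
SAMPLE = [
    Request("GET", "www.example.com", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)"),
    Request("GET", "login.icq.com", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)"),
    Request("CONNECT", "login.aol.com:443", ""),
    Request("GET", "www.example.com", "ICQ2000b"),
    Request("GET", "streamer.example.com", "Java1.3.0"),
]


def run(requests=SAMPLE):
    """Evaluate every request; returns [(method, host, (verdict, reason)), ...]."""
    return [(r.method, r.host, decide(r)) for r in requests]


if __name__ == "__main__":
    for method, host, (verdict, reason) in run():
        print(f"{verdict:5} {method:7} {host:25} {reason}")
```

The User-Agent header is supplied by the client, so the allowlist keeps well-behaved clients and applets off the proxy but is not a control against a program that chooses to mimic a browser.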


"Jarmoc, Jeff" wrote:

> >The problem is that the ICQ 2000 uses ANY available port on the firewall.
> >We had enabled by default FTP, WWW and SMTP/POP for our users and this
> >"nice" prog can use any of these ports to route its traffic.
>
> If that's the case, how does it determine which ports are available?  It'd
> either have to port scan your firewall, which I doubt, or monitor your
> outbound traffic and determine which ports you are successfully connecting
> with.  Either one is a large breach of the user's privacy, and I'd be
> concerned about it.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
Ron Atkinson
Software Engineer, Detroit Edison (Information Protection)
