Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

On Mon, 2003-06-16 at 14:32, rikona wrote:

> Hello Technoslick,
>
> Sunday, June 15, 2003, 7:31:07 AM, you wrote:
>
> T> I have a Linksys router/gateway that has the ability to dynamically open ports and port ranges when a certain executable is requesting to do so from a network client. This has worked very well from Windows clients using NetMeeting, ICQ or MSN Messenger for video conferencing and chat sessions, respectively.
>
> It might be that it only works with Netmeeting or other pgms that specifically use that capability.

No, thankfully. It just has to be an executable that shows itself in calling for services through ports that need to be opened. This is a very limited feature in that it only allows for ten designations. NetMeeting takes up three (if I include the ILS/ULS servers) which means that I lose the opportunity to open ports for two other applications. Once ten designations have been made, that's it. On the other hand, if your network has several clients that would use ICQ, whether one or 100 were on, the ports would open for any client running ICQ. It is a neat feature. I don't believe it is program specific, but it may be that the programs have to be H.323 compliant. I would think LICQ is to work with other IM's that are. Wouldn't you?

> I was VERY interested in this idea because it opens up an entirely different level of protection for the comps on the local net. Without this, it is necessary to have a separate *app-aware* firewall on each computer.

Exactly. If you have ICQ (continuing the example) run at different times over the network by different clients, you would need to go into DMZ just to keep up with the requests. If you do that, it can't be a firewall anymore. To provide software firewalls on each client that would do this as needed, you still would have to put the router's firewall into DMZ or nothing gets through the firewall barrier to the Web.

> I found this on the net, as a starter:
>
> When Microsoft developed NetMeeting 3.0 they chose to use the existing h.323 video conferencing protocol. This protocol happens to be completely incompatible with standard NAT (network address translation) - the technology used for most internet sharing devices. Unlike most TCP/IP applications, NetMeeting uses DYNAMIC PORTS instead of STATIC PORTS. That means that each NetMeeting connection is somewhat different than the last. For instance, the HTTP web site application uses port 80. NetMeeting can use any of over 60,000 different ports. Putting a web server behind a firewall means opening a single small hole. Putting a NetMeeting computer behind a firewall means opening over 60,000 ports - a security nightmare.

Which is why running a NetMeeting server locally would be something you would want to run entirely off on its own network. Most of us wouldn't have a need for a NetMeeting server. Generally speaking, you are going to open ports 1024 through 65,535 for H.323 communications entailing video, sound and chat capability with NetMeeting. That's a whole lot of holes! Other clients can shoe-horn in with fewer ports, but from what few I have played with and what reports I've read, NetMeeting is *the* top performer --- because it uses such a wide band of ports to carry such heavily laden data at a reasonable bandwidth. Shut down the ports and you bottleneck video and audio conferencing quality and performance. The other choices are not pleasant, either. Gnomemeeting is supposed to be a NetMeeting clone/client. It's got to be as much a security issue in Linux as in the Windows environment.

> A few hardware manufacturers have taken it on themselves to actually provide H.323 compatibility. This is not an easy task since the router must search each incoming packet for signs that it might be a netmeeting packet. This is a whole lot more work than a router normally does and may actually be a weak point in the firewall.

True, but something's got to do it. Better it than me.

> So - it does not seem to be generally useful, and introduced a new batch of security problems. Too bad. It sounded good. :-)

I haven't given up on this, just tabling it for a while, at least until I can regroup for another attack. ;0)

T

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

On Mon, 2003-06-16 at 18:36, FemmeFatale wrote:

> At 06:23 PM 6/15/2003 -0400, you wrote:
>
> <snip>
>
> > but it makes no sense for me to manually open ports 1024-65535 and then just as manually shut them down after a chat or video conference session when I have the ability to let the router do it dynamically.
> >
> > T
>
> Dunno which router you have BUT if you get port triggering to work for your linksys tell me... i can't do it either. Nor does LICQ support limiting the ports it uses I found out. :( Least the older ver I had didn't... i limit my ports for filesharing other shit to 19 ports total. That's it. not this ridiculous 2 ports ICQ needs (or says it does) in windows. Screw that.

In trying to setup a full chat session with a friend (that is, peer-to-peer, not using the ICQ servers), she was able to statically open 1024 and away we went. For a full chat session, that's probably all that's needed, but you are also doing file-sharing this way? What ports are you opening? port 5000 or 8000?

My Linksys is a BEFSR41. Four fully Switched ports, Cable Modem or DSL capable. If I can figure out how to get Linux to use the Port Triggering, I'll let you know.

T
Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

On Mon, 2003-06-16 at 18:40, FemmeFatale wrote:

> <snip>
>
> Rikona has hit it. ICQ does this as well it seems as if you look on the net ICQ tries to use / request (I joke not) 64,000 *yes THOUSAND* Ports! jesus... no wonder IT security guys hate ICQ.

*If* you want to have chat sessions, and audio chat, and file sharing, and send messages to cell phones and receive them from your friends as well, and, and, and...yes, you have to open up the sky for ICQ. However, if all you want is an Instant Messaging (IM) client, port 80 is all you need. No other openings in the firewall. At this point, ICQ is no worse than any other IM, maybe better since it is more configurable than any other and seems to have more design for serious use. I feel more secure IM'ing in ICQ than Yahoo Messenger or MSN Messenger. Forget AOL...won't even give that app the time of day. If you want to talk about spyware and system resource hogging...say: A-O-L I-M!

T
Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

On Mon, 2003-06-16 at 00:31, Technoslick wrote:

> I've got LICQ configured on my MDK 9.1 workstation with my ICQ accounts. I tried to open the needed ports on my router for a full chat session, but it doesn't seem to be working. I cannot create a peer-to-peer chat session, just IM. Obviously, the router is not seeing 'licq' as the program requesting the use of the ports needed to do so. Could this be a syntax error on my part? Isn't the name of the executable running, 'licq'? Does anyone know what I am missing?
>
> TIA,
>
> T

Linux isn't going to necessarily TELL you what program wants to use a port - just that a port is requesting to be opened. Just force open the ICQ ports and you should be right.

--
stephen kuhn | kuhn media australia | http://kma.0catch.com | email: [EMAIL PROTECTED]
Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

On Mon, 2003-06-16 at 07:34, Anne Wilson wrote:

> > Linux isn't going to necessarily TELL you what program wants to use a port - just that a port is requesting to be opened. Just force open the ICQ ports and you should be right.
>
> How do you do that, Stephen?
>
> Anne

With the understanding that his ADSL router has intelligent functionality, there exists then a way to statically open particular ports and leave them open. ICQ/MSN/AIM/AOL ports would fit that bill.

--
stephen kuhn | kuhn media australia | http://kma.0catch.com | email: [EMAIL PROTECTED]
Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

On Sun, 2003-06-15 at 17:08, Stephen Kuhn wrote:

> On Mon, 2003-06-16 at 00:31, Technoslick wrote:
>
> > I've got LICQ configured on my MDK 9.1 workstation with my ICQ accounts. I tried to open the needed ports on my router for a full chat session, but it doesn't seem to be working. I cannot create a peer-to-peer chat session, just IM. Obviously, the router is not seeing 'licq' as the program requesting the use of the ports needed to do so. Could this be a syntax error on my part? Isn't the name of the executable running, 'licq'? Does anyone know what I am missing?
> >
> > TIA,
> >
> > T
>
> Linux isn't going to necessarily TELL you what program wants to use a port - just that a port is requesting to be opened. Just force open the ICQ ports and you should be right.

I'm not sure that that makes sense, Stephen. If I run top, I see licq running. It would seem to reason that licq would be the program to make the requests through the firewall on the ports that it expects to communicate through...UNLESS, another program or file is actually doing the communicating on behalf of 'licq'. This is very possible since many apps rely on a substructure program to fulfill the desired function.

I could just manually open the ports when I want to, but it makes no sense for me to manually open ports 1024-65535 and then just as manually shut them down after a chat or video conference session when I have the ability to let the router do it dynamically. The whole point of 'port triggering' is to allow apps that need port access to trigger the opening of these ports for only as long as the app is requesting, then they are closed automatically. I have told the router/firewall which ones to accept in the Web interface. The triggering is nothing more than the executables trying to get through. It works fine in Windows.

So, what do you think? If 'licq' is running, is *it* requesting the ports or some other supporting program? If the latter, any idea what that/they might be?

I would have thought someone using a Linksys Etherfast Cable/DSL Router would have dealt with this issue by now. It's a great feature that's not available in all firewalled routers. Thanks for a shot at anyway, Stephen.

T
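The port-triggering behaviour discussed in this thread, as an added example that is not part of any message above: a simplified model of how the feature is generally implemented on consumer NAT routers, where an outbound packet to a trigger port arms a temporary inbound opening bound to the sending host. It is not a description of the BEFSR41 firmware; the class names, port numbers, LAN address and timeout are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TriggerRule:
    label: str       # free-text name in the rule table; never matched against traffic
    trigger: range   # outbound destination ports that arm the rule
    forward: range   # inbound ports opened while the rule is armed

@dataclass
class TriggeringNat:
    rules: list
    timeout: float = 180.0                     # idle seconds before closing (constructed)
    armed: dict = field(default_factory=dict)  # rule label -> (lan_host, expiry)

    def outbound(self, lan_host, dst_port, now):
        """A LAN client sends a packet out; arm every rule whose trigger range matches."""
        for rule in self.rules:
            if dst_port in rule.trigger:
                self.armed[rule.label] = (lan_host, now + self.timeout)

    def inbound(self, dst_port, now):
        """Return the LAN host an unsolicited inbound packet goes to, or None if dropped."""
        for rule in self.rules:
            host, expiry = self.armed.get(rule.label, (None, 0.0))
            if host and dst_port in rule.forward:
                if now <= expiry:
                    return host
                del self.armed[rule.label]     # opening has expired; close it
        return None

def demo():
    # Constructed rule: trigger on outbound port 5190, open inbound 20000-20019.
    nat = TriggeringNat([TriggerRule("licq", range(5190, 5191), range(20000, 20020))])
    results = [nat.inbound(20005, now=0)]          # nothing armed yet: dropped
    nat.outbound("192.168.1.100", 5190, now=10)    # any process on this host arms it
    results.append(nat.inbound(20005, now=20))     # forwarded to the triggering host
    results.append(nat.inbound(30000, now=20))     # outside the forward range: dropped
    results.append(nat.inbound(20005, now=500))    # after the timeout: dropped
    return results

if __name__ == "__main__":
    print(demo())
```

In this model the router only ever sees packets, so the label is bookkeeping and the client's operating system or executable name plays no part; the exposure is limited to one host, one port range and one timeout window, which is the property to compare against a static forward or DMZ.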
Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

On Sun, 2003-06-15 at 19:40, Stephen Kuhn wrote:

> On Mon, 2003-06-16 at 08:23, Technoslick wrote:
>
> > So, what do you think? If 'licq' is running, is *it* requesting the ports or some other supporting program? If the latter, any idea what that/they might be?
> >
> > I would have thought someone using a Linksys Etherfast Cable/DSL Router would have dealt with this issue by now. It's a great feature that's not available in all firewalled routers. Thanks for a shot at anyway, Stephen.
> >
> > T
>
> From what I understand about unix/linux networking, linux (the system et. al.) is requesting the port be opened, whereas in Windows, the program is requesting the port. A program under linux would communicate directly to the kernel, then the kernel would manipulate whatever port after that.

If this is what I have to go up against, it appears that I will have to open the ports manually or go into 'DMZ' for the length of session. That sucks. <sigh> I think I'll send an email off to Linksys and see if anyone there is playing with Linux while they're on beating on M$ pud. I suspect they will tell me that's life and accept it.

T :0[
Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

On Sun, 2003-06-15 at 19:45, Stephen Kuhn wrote:

> On Mon, 2003-06-16 at 08:46, Technoslick wrote:
>
> > Untrue, Stephen. Every application that communicates through a port, or series of ports, has a signature, for lack of a better term. It's best to explain through the Windows end just because it works.
>
> So then would it be identified as /usr/bin/licq ?

Tried that. Believe it or not, I couldn't get the q in before it stopped my cursor. Oh, but msnmsgr.exe just fits... Thanks for having a go at it, mate.

T