Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

2003-06-16 Thread Technoslick
On Mon, 2003-06-16 at 14:32, rikona wrote:
> Hello Technoslick,
> 
> Sunday, June 15, 2003, 7:31:07 AM, you wrote:
> 
> T> I have a Linksys router/gateway that has the ability to dynamically
> T> open ports and port ranges when a certain executable is requesting
> T> to do so from a network client. This has worked very well from
> T> Windows clients using NetMeeting, ICQ or MSN Messenger for video
> T> conferencing and chat sessions, respectively.
> 
> It might be that it only works with Netmeeting or other pgms that
> specifically use that capability.

No, thankfully. It just has to be an executable that shows itself in
calling for services through ports that need to be opened. This is a
very limited feature in that it only allows for ten designations.
NetMeeting takes up three (if I include the ILS/ULS servers) which means
that I lose the opportunity to open ports for two other applications.
Once ten designations have been made, that's it. On the other hand, if
your network has several clients that would use ICQ, whether one or 100
were on, the ports would open for any client running ICQ. It is a neat
feature. I don't believe it is program specific, but it may be that the
programs have to be H.323 compliant. I would think LICQ is to work with
other IMs that are. Wouldn't you?

> 
> I was VERY interested in this idea because it opens up an entirely
> different level of protection for the comps on the local net. Without
> this, it is necessary to have a separate *app-aware* firewall on each
> computer.
> 

Exactly. If you have ICQ (continuing the example) run at different times
over the network by different clients, you would need to go into DMZ
just to keep up with the requests. If you do that, it can't be a
firewall anymore. 

To provide software firewalls on each client that would do this as
needed, you still would have to put the router's firewall into DMZ or
nothing gets through the firewall barrier to the Web.

> I found this on the net, as a starter:
> 
> When Microsoft developed NetMeeting 3.0 they chose to use the existing
> h.323 video conferencing protocol. This protocol happens to be
> completely incompatible with standard NAT(network address translation)
> - the technology used for most internet sharing devices.
> 
> Unlike most TCP/IP applications, NetMeeting uses DYNAMIC PORTS instead
> of STATIC PORTS. That means that each NetMeeting connection is
> somewhat different than the last. For instance, the HTTP web site
> application uses port 80. NetMeeting can use any of over 60,000
> different ports. Putting a web server behind a firewall means opening
> a single small hole. Putting a NetMeeting computer behind a firewall
> means opening over 60,000 ports - a security nightmare.

Which is why running a NetMeeting server locally would be something you
would want to run entirely off on its own network. Most of us wouldn't
have a need for a NetMeeting server. Generally speaking, you are going
to open ports 1024 through 65,535 for H.323 communications entailing
video, sound and chat capability with NetMeeting. That's a whole lot of
holes! Other clients can shoe-horn in with fewer ports, but from what
few I have played with and what reports I've read, NetMeeting is
*the* top performer --- because it uses such a wide band of ports to
carry such heavily laden data at a reasonable bandwidth. Shut down the
ports and you bottleneck video and audio conferencing quality and
performance. The other choices are not pleasant, either.

Gnomemeeting is supposed to be a NetMeeting clone/client. It's got to be
as much a security issue in Linux as in the Windows environment.

> 
> A few hardware manufacturers have taken it on themselves to actually
> provide H.323 compatibility. This is not an easy task since the router
> must search each incoming packet for signs that it might be a
> netmeeting packet. This is a whole lot more work than a router
> normally does and may actually be a weak point in the firewall.

True, but something's got to do it. Better it than me. 

> 
> So - it does not seem to be generally useful, and introduced a new
> batch of security problems. Too bad. It sounded good. :-)

I haven't given up on this, just tabling it for a while, at least until
I can regroup for another attack. ;0)

T


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

2003-06-16 Thread Technoslick
On Mon, 2003-06-16 at 18:36, FemmeFatale wrote:
> At 06:23 PM 6/15/2003 -0400, you wrote:
> snip
> 
>> but it makes no
>> sense for me to manually open ports 1024-65535 and then just as manually
>> shut them down after a chat or video conference session when I have the
>> ability to let the router do it dynamically. T
> 
> Dunno which router you have BUT if you get port triggering to work for
> your linksys tell me... i can't do it either. Nor does LICQ support
> limiting the ports it uses I found out. :(
> 
> Least the older ver I had didn't... i limit my ports for filesharing &
> other shit to 19 ports total. That's it. Not this ridiculous
> 2 ports ICQ needs (or says it does) in
> windows. Screw that.

In trying to set up a full chat session with a friend (that is,
peer-to-peer, not using the ICQ servers), she was able to statically
open 1024 and away we went. For a full chat session, that's probably all
that's needed, but you are also doing file-sharing this way? What ports
are you opening? Port 5000 or 8000?

My Linksys is a BEFSR41. Four fully Switched ports, Cable Modem or DSL
capable.

If I can figure out how to get Linux to use the Port Triggering, I'll
let you know. 

T




Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

2003-06-16 Thread Technoslick
On Mon, 2003-06-16 at 18:40, FemmeFatale wrote:
snip
> Rikona has hit it. ICQ does this as well it seems as if you look on the
> net ICQ tries to use / request (I joke not) 64,000 *yes THOUSAND*
> Ports! jesus... no wonder IT security guys hate ICQ.

*If* you want to have chat sessions, and audio chat, and file sharing,
and send messages to cell phones and receive them from your friends as
well, and, and, and...yes, you have to open up the sky for ICQ. However,
if all you want is an Instant Messaging (IM) client, port 80 is all you
need. No other openings in the firewall. At this point, ICQ is no worse
than any other IM, maybe better since it is more configurable than
any other and seems to have more design for serious use. I feel more
secure IM'ing in ICQ than Yahoo Messenger or MSN Messenger. Forget
AOL...won't even give that app the time of day. If you want to talk
about spyware and system resource hogging...say:

A-O-L I-M!

T
 




Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

2003-06-15 Thread Stephen Kuhn
On Mon, 2003-06-16 at 00:31, Technoslick wrote:

> I've got LICQ configured on my MDK 9.1 workstation with my ICQ accounts.
> I tried to open the needed ports on my router for a full chat session,
> but it doesn't seem to be working. I cannot create a peer-to-peer chat
> session, just IM. Obviously, the router is not seeing 'licq' as the
> program requesting the use of the ports needed to do so. Could this be a
> syntax error on my part? Isn't the name of the executable running,
> 'licq'?
> 
> Does anyone know what I am missing?
> 
> TIA,
> 
> T

Linux isn't going to necessarily TELL you what program wants to use a
port - just that a port is requesting to be opened. Just force open
the ICQ ports and you should be right.

-- 
Mon Jun 16 07:05:01 EST 2003
 07:05:01 up 2 days, 14:19,  3 users,  load average: 0.08, 0.17, 0.17
-
|____  |kuhn media australia|
|   /-oo /| |'-.   |http://kma.0catch.com   |
|  .\__/ || |   |  ||
|   _ /  `._ \|_|_.-'  |stephen kuhn|
|  | /  \__.`=._) (_   | email: [EMAIL PROTECTED] |
-
 linux user #:267497 linux machine #:194239 * MDK 9.1 & RH 7.3
 Mandrake Linux Kernel 2.4.21-11mdk Cooker for i586
-
 * This message was composed on a 100% Microsoft free computer *

Jesus is my POSTMASTER GENERAL ...



Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

2003-06-15 Thread Stephen Kuhn
On Mon, 2003-06-16 at 07:34, Anne Wilson wrote:

>> Linux isn't going to necessarily TELL you what program wants to use
>> a port - just that a port is requesting to be opened. Just force
>> open the ICQ ports and you should be right.
> 
> How do you do that, Stephen?
> 
> Anne

With the understanding that his ADSL router has intelligent
functionality, there exists then a way to statically open particular
ports and leave them open. ICQ/MSN/AIM/AOL ports would fit that bill.

-- 
Mon Jun 16 07:55:00 EST 2003
 07:55:00 up 2 days, 15:09,  3 users,  load average: 0.01, 0.05, 0.06

If it wasn't for Newton, we wouldn't have to eat bruised apples.



Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

2003-06-15 Thread Technoslick
On Sun, 2003-06-15 at 17:08, Stephen Kuhn wrote:
> On Mon, 2003-06-16 at 00:31, Technoslick wrote:
> 
>> I've got LICQ configured on my MDK 9.1 workstation with my ICQ accounts.
>> I tried to open the needed ports on my router for a full chat session,
>> but it doesn't seem to be working. I cannot create a peer-to-peer chat
>> session, just IM. Obviously, the router is not seeing 'licq' as the
>> program requesting the use of the ports needed to do so. Could this be a
>> syntax error on my part? Isn't the name of the executable running,
>> 'licq'?
>> 
>> Does anyone know what I am missing?
>> 
>> TIA,
>> 
>> T
> 
> Linux isn't going to necessarily TELL you what program wants to use a
> port - just that a port is requesting to be opened. Just force open
> the ICQ ports and you should be right.

I'm not sure that that makes sense, Stephen. If I run top, I see
licq running. It would seem to reason that licq would be the program
to make the requests through the firewall on the ports that it expects
to communicate through...UNLESS, another program or file is actually
doing the communicating on behalf of 'licq'. This is very possible since
many apps rely on a substructure program to fulfill the desired function.
I could just manually open the ports when I want to, but it makes no
sense for me to manually open ports 1024-65535 and then just as manually
shut them down after a chat or video conference session when I have the
ability to let the router do it dynamically. The whole point of 'port
triggering' is to allow apps that need port access to trigger the
opening of these ports for only as long as the app is requesting, then
they are closed automatically. I have told the router/firewall which
ones to accept in the Web interface. The triggering is nothing more than
the executables trying to get through. It works fine in Windows.

So, what do you think? If 'licq' is running, is *it* requesting the
ports or some other supporting program? If the latter, any idea what
that/they might be? I would have thought someone using a Linksys
Etherfast Cable/DSL Router would have dealt with this issue by now. It's
a great feature that's not available in all firewalled routers.

Thanks for a shot at it anyway, Stephen.

T


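The port-triggering behaviour discussed in this message (and the 1024-65535 range quoted earlier in the thread) can be modelled as a small state machine. This is an added example, not Linksys firmware or LICQ code: it assumes a rule with a trigger port range, an incoming port range and an idle timeout, and the port numbers used are constructed for illustration. The point it makes visible is that the router keys the rule on the destination port of an outbound packet, never on which executable sent it, so the "application name" in such a rule is only a label, and that the exposed range stays open for every armed LAN host until the timeout.

```python
"""Model of a NAT router's 'port triggering' rule (added example, not
vendor code). A rule is armed when a LAN host sends an outbound packet to
a port in the trigger range; while armed, unsolicited inbound packets to
the incoming range are forwarded to that host. The router sees only
addresses and ports, so the rule's label cannot be verified."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TriggerRule:
    label: str                 # cosmetic only; the router cannot check it
    trigger: tuple[int, int]   # outbound dst-port range that arms the rule
    incoming: tuple[int, int]  # inbound dst-port range forwarded once armed
    ttl: int                   # seconds the hole stays open without traffic


@dataclass
class Router:
    rules: list[TriggerRule]
    armed: dict = field(default_factory=dict)  # (rule idx, host) -> expiry

    def outbound(self, lan_host: str, dst_port: int, now: int) -> None:
        """A LAN host sends a packet to the WAN; arm any matching rule."""
        for i, r in enumerate(self.rules):
            if r.trigger[0] <= dst_port <= r.trigger[1]:
                self.armed[(i, lan_host)] = now + r.ttl

    def inbound(self, dst_port: int, now: int):
        """Unsolicited WAN packet; return the LAN host it is forwarded to,
        or None when the firewall drops it."""
        self._expire(now)
        for (i, host) in self.armed:
            r = self.rules[i]
            if r.incoming[0] <= dst_port <= r.incoming[1]:
                return host
        return None

    def open_ports(self, now: int) -> int:
        """Number of distinct inbound ports currently exposed (for audit)."""
        self._expire(now)
        return sum(self.rules[i].incoming[1] - self.rules[i].incoming[0] + 1
                   for i in {i for (i, _) in self.armed})

    def _expire(self, now: int) -> None:
        self.armed = {k: t for k, t in self.armed.items() if t > now}
```

Running it with a constructed rule that triggers on port 5190 and exposes 1024-65535 shows 64,512 inbound ports open for the armed host until the idle timeout passes, which is the "whole lot of holes" the thread is worried about.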


Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

2003-06-15 Thread Technoslick
On Sun, 2003-06-15 at 19:40, Stephen Kuhn wrote:
> On Mon, 2003-06-16 at 08:23, Technoslick wrote:
> 
>> So, what do you think? If 'licq' is running, is *it* requesting the
>> ports or some other supporting program? If the latter, any idea what
>> that/they might be? I would have thought someone using a Linksys
>> Etherfast Cable/DSL Router would have dealt with this issue by now. It's
>> a great feature that's not available in all firewalled routers.
>> 
>> Thanks for a shot at it anyway, Stephen.
>> 
>> T
> 
> From what I understand about unix/linux networking, linux (the system
> et. al.) is requesting the port be opened, whereas in Windows, the
> program is requesting the port. A program under linux would communicate
> directly to the kernel, then the kernel would manipulate whatever port
> after that.

If this is what I have to go up against, it appears that I will have to
open the ports manually or go into 'DMZ' for the length of session. That
sucks. sigh I think I'll send an email off to Linksys and see if
anyone there is playing with Linux while they're on beating on M$ pud. I
suspect they will tell me that's life and accept it.

T :0[




Re: [newbie] [Fwd: [Mandrake Off Topic] LICQ/Dynamically opening ports in Linksys router]

2003-06-15 Thread Technoslick
On Sun, 2003-06-15 at 19:45, Stephen Kuhn wrote:
> On Mon, 2003-06-16 at 08:46, Technoslick wrote:
> 
>> Untrue, Stephen.
>> 
>> Every application that communicates through a port, or series of ports,
>> has a signature, for lack of a better term. It's best to explain
>> through the Windows end just because it works.
> 
> So then would it be identified as /usr/bin/licq ?

Tried that. Believe it or not, I couldn't get the q in before it
stopped my cursor. Oh, but msnmsgr.exe just fits...

Thanks for having a go at it, mate.

T

