allowing ICQ in fBSD firewall
I have gotten my firewall set up pretty well so far ( it blocks everything :) ) but I want to allow any icq and aim connections. Both everybuddy and gaim were able to set the gaim port to 4001 so that is out of the way.
I've tried letting everything on port 4000 go through the firewall ( tcp and udp ) with
add allow udp from any to any 4000
but this didn't work at all either...
anybody else ever get icq to work ?
freebsd
03-22-2001, 11:55 AM
>> add allow udp from any to any 4000
Try this instead:
add check-state
add pass udp from any to any 4001 keep-state
I don't know anything about AIM at all. If you are sure it listens to port 4001.
>> anybody else ever get icq to work ?
Yes, but thru a socks5 server. ICQ doesn't connect to a fixed port, unless you have all your high ports wide open and keep state. You may allow ICQ to send out (no in) if you keep state of all outgoing connections. I am sure you don't want it one dimensional.
Anyhow, if you want your ICQ to be fully functional, you should install a socks5 server and have just your port 1080 open, and of course, keep its state.
You should switch to IP Filter, it's a whole lot easier to configure and the state table is a lot smarter than ipfw (default in FreeBSD).
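Added example, not part of any post in this thread and not ipfw or IP Filter code: a toy state table showing why an outbound rule with keep-state lets ICQ "send out (no in)". Replies to a flow the host opened pass, while an unsolicited connection to a high port is blocked. UDP port 4000 is from the thread; the addresses and the other ports are constructed.

```python
# Toy model of a stateful packet filter. Constructed for illustration; it is not
# ipfw or IP Filter code. All addresses and ports other than UDP 4000 are assumptions.
from typing import NamedTuple


class Packet(NamedTuple):
    direction: str  # "out" leaves the protected host, "in" arrives at it
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self, allowed_out):
        self.allowed_out = set(allowed_out)  # (proto, dport) pairs passed outbound
        self.states = set()                  # flows created by keep-state

    @staticmethod
    def _flow(p):
        # Normalise so a reply maps to the same key as the packet that opened the flow.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def check(self, p):
        if self._flow(p) in self.states:          # like check-state
            return "pass"
        if p.direction == "out" and (p.proto, p.dport) in self.allowed_out:
            self.states.add(self._flow(p))        # like keep-state
            return "pass"
        return "block"                            # default deny


def demo():
    host, server, peer = "192.168.0.10", "203.0.113.5", "198.51.100.7"  # constructed
    fw = StatefulFilter({("udp", 4000)})
    return [
        fw.check(Packet("out", "udp", host, 31000, server, 4000)),  # opens a state
        fw.check(Packet("in", "udp", server, 4000, host, 31000)),   # matching reply
        fw.check(Packet("in", "udp", server, 4000, host, 31001)),   # no state for this port
        fw.check(Packet("in", "tcp", peer, 40000, host, 32000)),    # unsolicited peer connection
    ]


if __name__ == "__main__":
    print(demo())
```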
Mkay... assuming I switch to IP Filter, would it be any easier to let ICQ through on it? How would I let ICQ through with IP Filter?
<another question>
I installed Socks5, I think :o , and then ran it on port 3000 ( socks5 -b localhost:3000 ) and let it open on my firewall and set everybuddy to use it, but it still wouldn't work :confused:
:confused: :mad: :confused:
freebsd
03-27-2001, 10:48 AM
>> would it be any easier to let ICQ through on it?
Many people might say IP Filter or ipfw is a religious issue but in my opinion that's not the case. The advantages of IP Filter over ipfw:
1) More secure (fewer holes)
2) More reliable (its smarter state table)
3) Easier to configure
>> How would I let ICQ through with IP Filter?
You don't let ICQ thru directly. It should be configured thru a socks5 server.
pass in quick on vr0 proto tcp from any to any port = 1080 keep state
Prior to this rule, of course, you need a pass out quick rule on tcp, keeping its state.
Your FreeBSD box itself doesn't need to configure ICQ to go thru your socks5 server, basically your clients behind it. Say rtk0 is the internal interface,
pass in quick on rtk0 proto tcp/udp all keep state
pass out quick on rtk0 proto tcp/udp all keep state
>> and then ran it on port 3000
Why port 3000?
Here is an example of /usr/local/etc/socks5.conf:
set SOCKS5_BINDINTFC my.static.ip.here:1080
set BINDPORT 1080
set SOCKS5_MAXCHILD 20
set SOCKS5_PIDFILE /var/run/socks5.pid
set SOCKS5_NOIDENT
set SOCKS5_PWDFILE /usr/local/etc/socks5.passwd
set SOCKS5_TIMEOUT 30
auth 192.168.0. - u
permit - - 192.168.0. - - - -
deny - - - - - - -
>> and set everybuddy to use it
I don't use everybuddy, but I believe the socks5 configuration is pretty much the same. Say your FreeBSD internal interface's IP is 192.168.0.1, you just need to configure everybuddy to 192.168.0.1 on port 1080, then set the appropriate username and password.
I hate to be a pain, but that brings up more questions :)
1. What ICQ client do you use? I downloaded everybuddy, gaim, and licq, and it seems like only everybuddy can filter it through Socks5.
2. Will IP Filter work on FreeBSD 4.2 ? All the docs I have seen say it is for FreeBSD 2.2 or so...
My thanks extend many times over!
freebsd
03-27-2001, 12:34 PM
1. ICQ 2000b on Win98SE
2. Sure. NetBSD uses it, OpenBSD uses it and Solaris uses it, too.
You need to recompile your kernel and enable it and disable IPFIREWALL.
Thanks.. great. I'll try this all as soon as I get home :)
Thanks. I have ipfilter installed now, and am trying (again) to get it working. Thanks.
Thanks again. I got it working with IP Filter.