ICQ2000b passes through my RH 7 Firewall
Barlos
12-02-2000, 10:38 PM
I found this out today.
I am currently using The RCF Linux Firewall 5.0 (http://jsmoriss.mvlan.net/linux/rcf.html).
I was using ICQ99b and it could not pass the RCF, but ICQ2000b can pass through. Does anyone know how ICQ2000b did it, and how should I set the firewall to prevent ICQ2000b from connecting to the Internet (just in case)?
Fandelem
12-03-2000, 04:13 AM
ICQ2000b probably uses something like the new Napster versions do, which looks for any available port, and uses it, instead of a fixed port like the older versions did.
To block it, add something like:
$IPCHAINS -A input -p UDP -s icq.mirabilis.com 1024:65535 -j DENY -l
# now we'll deny logging on to ICQ.
$IPCHAINS -A output -i ppp3 -p TCP -s 192.168.0.1/24 1024:65535 -d login.icq.com 1024:65535 -j DENY -l
However, ripped from ICQ.com:
Client to client communication:
Client to client connection is done using the TCP protocol, using port range 1024-65535. This means that the client needs an open listening port within the mentioned range, 1024-65535.
But if you want to try it anyway, here's the firewall rule:
# block anything from inside the LAN on ports 1024:65535 going out on the *outside* *interface* and log it.
# note: this may cause other problems!
$IPCHAINS -A output -i ppp3 -p TCP -s 192.168.0.1/24 1024:65535 -d any/0 1024:65535 -j DENY -l
Basically, ICQ has switched from going through their server for everything to *individual* user-to-user interaction, which makes it almost impossible to totally block ICQ. Although, if you can't authenticate (i.e. login) with login.icq.com, I would think it would work. Try it out and get back with us.
hope this helps,
~kyle
[This message has been edited by Fandelem (edited 03 December 2000).]
Fandelem
12-03-2000, 05:23 AM
A little update: I was running sniffit -I a few minutes ago, then tried connecting to ICQ, and it is using:
152.163.243.* port 5190
Now, keep in mind, there is probably more than one server to authenticate to, but it looks like it's using port 5190. So, block all source traffic from port 5190 and it might work.
REMOTENET=0/0
# ppp3 = interface connected to the Internet
$IPCHAINS -A input -i ppp3 -p tcp -s 152.163.243.0/24 1024:65535 -d $REMOTENET 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p tcp -s $REMOTENET 1024:65535 -d 152.163.243.0/24 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p udp -s 152.163.243.0/24 1024:65535 -d $REMOTENET 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p udp -s $REMOTENET 1024:65535 -d 152.163.243.0/24 1024:65535 -j DENY -l
Keep in mind, it's all about where you PUT these rules that will make them work. It took me a while to figure this out. If you put them at the end of the file, they aren't going to work, because somewhere under ipchains -L near the top you will have something like:
ACCEPT all ------ 192.168.0.0/24 anywhere n/a
If you put the rules after that, then they won't work.
regards,
~kyle
Ripped from securityportal.com:
Blocking ICQ 2000
"ICQ 2000" posted by Flavio Rabello de Souza
Q: A seemingly simple question was posed: How do you block ICQ 2000? This isn't quite as easy as it would appear on the surface.
A: Apparently, the developers of AIM and ICQ would really like their product to work, regardless of your security policy. According to Ronald Atkinson, they accomplish this by first using a default port (TCP 5190 in this case), and then supporting an option to "auto-detect" ports. This "auto-detect" feature will actually scan various ports for access to the AOL/ICQ servers, such as telnet, ftp, DNS, discard, http, etc. It will then reconfigure the local ICQ client to run over that port instead of the default. In this way, ICQ can be automatically "tunneled" through any port you have allowed to leave your network.
Editor's Comment: Personally, I feel that this type of programming is both 1) extremely clever and 2) potentially dangerous. I applaud the ingenuity of the developer, but the "auto-detect" features can only be described as a way for the average, less enlightened user to completely circumvent security controls you have put in place to drop non-business related Internet traffic. Further, how long will it be before system crackers adopt such technology into new Trojan variants? It really wouldn't be that difficult to set up a new distributed Trojan model in which a master Trojan server listens on multiple ports, and then compromised Trojan clients could scan through our firewalls to see what ports are available. I'm guessing that this type of thing will open up an entire new arena in content- and protocol-aware stateful inspection. Life is going to get interesting - be sure to voice your concerns to your local Check Point representative....
Hmm, interesting. Very interesting.
I read the solutions; it seems to say to block the whole class B address (which I listed above).
regards,
~kyle
[This message has been edited by Fandelem (edited 03 December 2000).]
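An added example, not code from the thread or from RCF: a small Python simulation of ipchains first-match evaluation, run over the four DENY rules posted above and the "ACCEPT all 192.168.0.0/24 anywhere" line from ipchains -L. It shows why placement matters (the DENY rules are dead if they sit after the ACCEPT), and also checks a caveat that follows from the securityportal quote: because the rules only match ports 1024:65535, a client whose "auto-detect" has fallen back to port 80 slips past them. The LAN host 192.168.0.10 and the server 152.163.243.5 are constructed addresses.

```python
# Added example (not from the thread): simulate ipchains first-match evaluation
import ipaddress
from collections import namedtuple

# target is ACCEPT/DENY; proto is tcp/udp/all; src/dst are CIDRs ("0/0" = any);
# sports/dports are inclusive (low, high) port ranges like ipchains' 1024:65535
Rule = namedtuple("Rule", "target proto src sports dst dports")
Packet = namedtuple("Packet", "proto src sport dst dport")
ANY, HIGH = (0, 65535), (1024, 65535)

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def rule_matches(rule, pkt):
    """Every field given on the rule must match the packet (ipchains semantics)."""
    return (rule.proto in ("all", pkt.proto)
            and ipaddress.ip_address(pkt.src) in _net(rule.src)
            and ipaddress.ip_address(pkt.dst) in _net(rule.dst)
            and rule.sports[0] <= pkt.sport <= rule.sports[1]
            and rule.dports[0] <= pkt.dport <= rule.dports[1])

def verdict(chain, pkt, policy="DENY"):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for idx, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return rule.target, idx
    return policy, None

# The four DENY rules posted above (tcp/udp, both directions, ports 1024:65535)
ICQ_NET = "152.163.243.0/24"
ICQ_DENY = [Rule("DENY", p, s, HIGH, d, HIGH)
            for p in ("tcp", "udp") for s, d in ((ICQ_NET, "0/0"), ("0/0", ICQ_NET))]
# The 'ACCEPT all 192.168.0.0/24 anywhere' line seen near the top of ipchains -L
LAN_ACCEPT = Rule("ACCEPT", "all", "192.168.0.0/24", ANY, "0/0", ANY)

# Constructed packets (assumed addresses): a LAN host on the default port 5190,
# and the same host after the client's auto-detect has fallen back to the http port
LOGIN = Packet("tcp", "192.168.0.10", 1030, "152.163.243.5", 5190)
TUNNEL = Packet("tcp", "192.168.0.10", 1031, "152.163.243.5", 80)

def check_orderings():
    return {
        "deny_before_accept": verdict(ICQ_DENY + [LAN_ACCEPT], LOGIN)[0],   # DENY
        "accept_before_deny": verdict([LAN_ACCEPT] + ICQ_DENY, LOGIN)[0],   # ACCEPT: DENY rules never reached
        "autodetect_port_80": verdict(ICQ_DENY + [LAN_ACCEPT], TUNNEL)[0],  # ACCEPT: port 80 is outside 1024:65535
    }

if __name__ == "__main__":
    for name, result in check_orderings().items():
        print(f"{name}: {result}")
```

The third result is the one to watch when judging rules like these: a port-range block on the server addresses only helps while the client stays inside that range.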
Barlos
12-04-2000, 11:51 PM
Thanx * 999, I will give that a try.
Fandelem
12-05-2000, 12:15 AM
REMOTENET=0/0
$IPCHAINS -A input -i ppp3 -p tcp -s 152.163.243.0/24 1024:65535 -d $REMOTENET 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p tcp -s $REMOTENET 1024:65535 -d 152.163.243.0/24 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p udp -s 152.163.243.0/24 1024:65535 -d $REMOTENET 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p udp -s $REMOTENET 1024:65535 -d 152.163.243.0/24 1024:65535 -j DENY -l
Those will effectively block ICQ from working; tested and effective.
have fun,
~kyle
[This message has been edited by Fandelem (edited 04 December 2000).]