Perhaps I am reading this wrong, but couldn't you simply reject all outbound port 6667, configure your IRC client to use a different port, and then add a rule to your firewall to forward that traffic to port 6667 on your external interface?

Z

On Fri, 2002-07-19 at 15:02, Rogan Lynch wrote:
> Sorry for resubmitting this... My FW blocked my getting any responses for
> the last week... (oops..)
>
> Hello Tom (et al).
>
> I have a fairly straightforward question. Is there a way (without
> installing a SOCKS firewall) to use an outbound port 6667 blocking rule to
> curtail trojan connections while (with client-side reconfiguration) still
> allowing IRC?
>
> Thanks much,
> Rogan
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
Sorry for resubmitting this... My FW blocked my getting any responses for the last week... (oops..)

Hello Tom (et al).

I have a fairly straightforward question. Is there a way (without installing a SOCKS firewall) to use an outbound port 6667 blocking rule to curtail trojan connections while (with client-side reconfiguration) still allowing IRC?

Thanks much,
Rogan
On 19 Jul 2002, Zachariah Mully wrote:
>
> Perhaps I am reading this wrong, but couldn't you simply reject all
> outbound port 6667, configure your IRC client to use a different port,
> and then add a rule to your firewall to forward that traffic to port
> 6667 on your external interface?
>

That will work if Rogan wants to add a separate DNAT entry for each IRC server that he uses. From the DNAT description in 'man iptables':

--to-destination ipaddr[-ipaddr][:port-port]

Note that a destination IP address is required, so just changing a port doesn't fly....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Adding DNAT entries for all the various hosts on the main networks seems like a largish and painful undertaking.... perhaps SOCKS would be better. Too bad there isn't a netfilter extension that does this...

Thanks much :O)

At 12:19 PM 7/19/2002, Tom Eastep wrote:
> On 19 Jul 2002, Zachariah Mully wrote:
> >
> > Perhaps I am reading this wrong, but couldn't you simply reject all
> > outbound port 6667, configure your IRC client to use a different port,
> > and then add a rule to your firewall to forward that traffic to port
> > 6667 on your external interface?
> >
>
> That will work if Rogan wants to add a separate DNAT entry for each IRC
> server that he uses. From the DNAT description in 'man iptables':
>
> --to-destination ipaddr[-ipaddr][:port-port]
>
> Note that a destination IP address is required, so just changing a port
> doesn't fly....
>
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
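The rule set that Zachariah's suggestion and Tom's caveat add up to, written out as an added example (this is not code from the thread and not Shorewall's own rules syntax; it emits raw iptables commands). The internal interface name, the alternate client port 6668 and the three server addresses are assumptions; the addresses are constructed from RFC 5737 documentation ranges, not real IRC servers.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.  It emits the
# iptables commands for the scheme discussed above: the LAN IRC client is
# reconfigured to an alternate port, the firewall DNATs that port back to
# 6667 for a known list of servers, and every other outbound 6667 attempt
# is rejected.  Interface name, alternate port and server addresses are
# assumptions; the addresses are constructed from RFC 5737 documentation
# ranges, not real IRC servers.

LAN_IF="eth1"          # assumed internal (LAN-facing) interface
CLIENT_PORT=6668       # assumed port the IRC client is reconfigured to use
IRC_PORT=6667          # the real IRC port the servers listen on

# Constructed list: one entry per IRC server the user actually connects to.
IRC_SERVERS="192.0.2.10 198.51.100.7 203.0.113.42"

# One DNAT rule per server.  --to-destination takes an address, so the
# rule has to name the server twice: as the match (-d) and as the target.
# This is why a single generic "just change the port" rule cannot be written.
dnat_rules() {
  for srv in $IRC_SERVERS; do
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
      "$LAN_IF" "$srv" "$CLIENT_PORT" "$srv" "$IRC_PORT"
  done
}

# DNAT happens in PREROUTING, so by the time a rewritten connection reaches
# FORWARD its destination port is already 6667.  Accept only connections
# that conntrack marks as DNATed, then reject everything else aimed at
# 6667 from the LAN (this is the rule that catches a trojan talking to
# its IRC control channel directly).
filter_rules() {
  printf 'iptables -A FORWARD -i %s -p tcp --dport %s -m conntrack --ctstate DNAT -j ACCEPT\n' \
    "$LAN_IF" "$IRC_PORT"
  printf 'iptables -A FORWARD -i %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
    "$LAN_IF" "$IRC_PORT"
}

# Full rule set in the order it must be loaded: NAT entries first, then
# the ACCEPT for DNATed flows, then the catch-all REJECT.
all_rules() {
  dnat_rules
  filter_rules
}

# Number of rules generated: one DNAT per server plus the two filter rules.
rule_count() {
  all_rules | wc -l | tr -d ' '
}

# Print the rules; review them, then pipe into sh on the firewall to apply.
all_rules
```

Two things to keep in mind when using this. First, the DNAT list has to track every address a server name resolves to, which is the maintenance burden Tom and Rogan are describing; a host behind a round-robin pool needs one entry per address. Second, the only thing separating wanted IRC traffic from unwanted is the alternate port and the server list, so a trojan on the LAN that happens to use the same port towards one of the listed servers is rewritten and allowed just like the real client; the REJECT rule only stops the common case of a direct connection to 6667.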