Hi,

My question is: can I block access from my local network to the ICQ service, but allow some internal hosts (e.g. 172.55.114.45, 172.55.114.97, 172.55.114.217) to access it? How do I do that?

Best regards,
Anderson Oliveira
On Fri, 23 Apr 2004, Anderson do Carmo de Oliveira wrote:

> Can I block internal access from my local network to access icq service,
> but allowing some (ex. 172.55.114.45, 172.55.114.97, 172.55.114.217)
> internal hosts to access it?

Are you using masquerade/SNAT on your local network?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom,

I'm using masquerade at my local network.

Best regards,
Anderson Oliveira

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, April 23, 2004 2:11 PM
Subject: Re: [Shorewall-users] ICQ Service - Block and Allow Use
Anderson do Carmo de Oliveira wrote:

> I'm using masquerade at my local network.

Ok -- turns out that may be irrelevant, since it seems that ICQ is now using the AIM protocol, which uses TCP port 5190. The classic ICQ protocol required inbound UDP port 4000. I don't know what else you might need to do, but this will get you started:

/etc/shorewall/params:

    # comma-separated list of the internal hosts allowed to use ICQ/AIM
    ICQ=172.55.114.45,172.55.114.97,172.55.114.217

/etc/shorewall/rules:

    #ACTION       SOURCE      DEST    PROTO   DEST PORT(S)
    ACCEPT        loc:$ICQ    net     tcp     5190
    REJECT:info   loc         net     tcp     5190

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2004-04-23 at 13:54 -0700, Tom Eastep wrote:

> Ok -- Turns out that may be irrelevant since it seems that ICQ is now
> using the AIM protocol which uses TCP port 5190. The classic ICQ
> protocol required inbound UDP port 4000.
>
> /etc/shorewall/params:
>
> ICQ=172.55.114.45,172.55.114.97,172.55.114.217
>
> /etc/shorewall/rules:
>
> ACCEPT loc:$ICQ net tcp 5190
> REJECT:info loc net tcp 5190
>
> -Tom

One thing to remember is that the AIM protocol uses 5190/tcp by default, but you can actually connect to it on almost any port. For blocking access, you may need to block any access to the OSCAR servers (dig login.oscar.aol.com), or users can just use a different port that is allowed outbound (such as 80 or 22).

--
David T Hollis <dhollis@davehollis.com>
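The following script is an added example, not code from the Shorewall project or from any of the posters. It generates the params and rules entries from Tom's two messages and adds the destination-based rules that David's caveat calls for: because an AIM/ICQ client can log in on almost any port, the rules match the OSCAR server addresses on every port in addition to tcp/5190. It also validates every host entry as an IPv4 address, so a typo like the "172.55.114,217" that appeared in the thread (which a shell-sourced params file would silently accept as two entries, "172.55.114" and "217") is caught before the files are written. The server addresses 203.0.113.10 and 203.0.113.11 are constructed stand-ins for whatever `dig login.oscar.aol.com` returns on your network; the column layout assumes the Shorewall 2.x rules file (ACTION SOURCE DEST PROTO DEST PORT).

```python
"""Generate /etc/shorewall/params and /etc/shorewall/rules entries that
restrict ICQ/AIM (OSCAR) to a short list of internal hosts.

Added example (not Shorewall's own code).  Assumes a Shorewall 2.x-style
rules file with columns ACTION SOURCE DEST PROTO DEST-PORT(S), and that
params is a shell-sourced file of VAR=value lines.
"""
import ipaddress
import socket

DEFAULT_OSCAR_PORT = 5190  # AIM/ICQ default login port (tcp)

# Constructed stand-ins for the addresses `dig login.oscar.aol.com` would
# return; TEST-NET-3 (203.0.113.0/24) is reserved for documentation.
SAMPLE_OSCAR_SERVERS = ["203.0.113.10", "203.0.113.11"]


def parse_hosts(spec):
    """Split a comma-separated host list and validate each entry as an
    IPv4 address.  '172.55.114,217' splits into '172.55.114' and '217',
    neither of which is a dotted quad, so the typo is rejected here
    instead of becoming two meaningless entries in params."""
    hosts = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in host list %r" % spec)
        try:
            hosts.append(str(ipaddress.IPv4Address(item)))
        except ipaddress.AddressValueError:
            raise ValueError("%r is not an IPv4 address (in %r)" % (item, spec))
    return hosts


def resolve_servers(name="login.oscar.aol.com"):
    """Resolve the OSCAR login host to its current A records.  Returns an
    empty list when offline so the caller can fall back to a fixed list."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror:
        return []


def params_lines(allowed, oscar_servers):
    """Shell-style assignments for /etc/shorewall/params.  Values contain
    no whitespace, so they need no quoting when the file is sourced."""
    return [
        "ICQ=" + ",".join(allowed),
        "OSCAR=" + ",".join(oscar_servers),
    ]


def rules_lines(port=DEFAULT_OSCAR_PORT, restrict_servers=True):
    """Rules in evaluation order (first match wins in Shorewall)."""
    rules = [
        # Tom's pair: allow the listed hosts to the default port, then log
        # and reject every other internal host on that port.
        "ACCEPT       loc:$ICQ    net          tcp   %d" % port,
        "REJECT:info  loc         net          tcp   %d" % port,
    ]
    if restrict_servers:
        # David's caveat: the client can use any port, so match the server
        # addresses regardless of port.  'all' is the any-protocol value.
        rules += [
            "ACCEPT       loc:$ICQ    net:$OSCAR   all",
            "REJECT:info  loc         net:$OSCAR   all",
        ]
    return rules


def build_config(allowed_spec, oscar_servers, port=DEFAULT_OSCAR_PORT):
    """Validate both host lists and return the lines for each file."""
    allowed = parse_hosts(allowed_spec)
    servers = parse_hosts(",".join(oscar_servers))
    return {"params": params_lines(allowed, servers),
            "rules": rules_lines(port)}


if __name__ == "__main__":
    servers = resolve_servers() or SAMPLE_OSCAR_SERVERS
    cfg = build_config("172.55.114.45,172.55.114.97,172.55.114.217", servers)
    print("# /etc/shorewall/params")
    print("\n".join(cfg["params"]))
    print("\n# /etc/shorewall/rules")
    print("#ACTION      SOURCE      DEST         PROTO DEST PORT(S)")
    print("\n".join(cfg["rules"]))
```

Two things to keep in mind when using this. The address list for the OSCAR servers goes stale whenever the DNS answer changes, so it has to be regenerated (and `shorewall restart` run) periodically, and a host that resolves the login server through a different name or address will slip past it; and a determined user can still reach the service through any proxy or tunnel that the remaining outbound rules allow, so the port-80 and port-22 escape David mentions is only closed to the extent that general outbound access is.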