On Mon, 12 Aug 1996, Matthew Stier - Imonics Corporation wrote:
> I have a few users that, on their free time, like to chat on the IRC.
>
> Now that our site has replaced its packet filtering, with FireWall-1,
> these users are having trouble with DCC and CTCP protocols from within
> their IRC clients.
>
> I have been looking for the port/protocol specifications for these
> so a solution can be implemented.
DCC (especially) and CTCP work like FTP in that they open a port and do a
bind to a random non-priv port (not root, after all, and multiple users are
allowed on a single machine so they can't use a single port), a getsockname()
to discover what they happened to bind, and then the client sends the port
number and address in a private protocol message to the other party, who then
attempts to connect to the backchannel.
You need either a proxy, a socksified IRC client, or some such. To open this
up on a filtering router requires leaving a *huge* hole. But even a proxy is
not likely to help if your users are using random clients. A socksified
client might work, as you will then report the address of the port on the
socks host, on the outside of the firewall.
FW-1 should provide a proxy, or recognition as they try to do with FTP
that they need to open a path from the contacted host to a backchannel.
But you probably do not want to open up a path from random hosts to large
port ranges on systems inside your firewall. If you do that, you might
as well not bother with a firewall at all.
Eat a package of natto first thing in the morning and nothing worse can happen to you for the rest of the day.
Nick Simicich - njs@scifi.squawk.com
(last choice) - nick_simicich@bocaraton.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
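The DCC handshake described in the reply above, as an added example that is not part of the original thread: the offering side binds an ephemeral port and advertises it in a CTCP DCC message, and the receiving side (or a firewall proxy) parses that message to learn the backchannel it must connect to. It assumes the standard DCC encoding (address as a decimal 32-bit integer) and uses loopback addresses for the local demonstration.

```python
import re
import socket
import struct

# CTCP payloads are delimited by \x01 inside an IRC PRIVMSG. A DCC offer carries the
# offerer's address as a decimal 32-bit integer and the port it happened to bind.
DCC_RE = re.compile(r"\x01DCC (CHAT|SEND) (\S+) (\d+) (\d+)(?: (\d+))?\x01")

def make_dcc_chat_offer(listen_host="127.0.0.1", advertised_ip="127.0.0.1"):
    """Bind an ephemeral port the way an IRC client does, then build the CTCP offer.
    Returns (listening_socket, ctcp_text). Loopback is an assumption for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((listen_host, 0))          # port 0: let the OS pick a non-privileged port
    srv.listen(1)
    port = srv.getsockname()[1]         # discover which port we actually got
    longip = struct.unpack("!I", socket.inet_aton(advertised_ip))[0]
    return srv, f"\x01DCC CHAT chat {longip} {port}\x01"

def parse_dcc_offer(text):
    """Extract the backchannel a DCC CHAT/SEND offer asks the peer to connect to.
    Returns a dict, or None if the text is not a well-formed DCC offer."""
    m = DCC_RE.search(text)
    if m is None:
        return None
    kind, arg, longip, port = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
    if not (0 < port < 65536) or longip > 0xFFFFFFFF:
        return None                     # malformed: refuse rather than guess
    return {
        "type": kind,
        "arg": arg,                     # "chat" for CHAT, filename for SEND (no spaces handled)
        "ip": socket.inet_ntoa(struct.pack("!I", longip)),
        "port": port,
        "size": int(m.group(5)) if m.group(5) else None,
    }

def demo_exchange():
    """Run the handshake end to end on localhost: offer, parse, connect, accept."""
    srv, offer = make_dcc_chat_offer()
    target = parse_dcc_offer(offer)
    peer = socket.create_connection((target["ip"], target["port"]), timeout=2)
    conn, _ = srv.accept()
    peer.sendall(b"hello\n")
    got = conn.recv(16)
    for s in (peer, conn, srv):
        s.close()
    return got == b"hello\n"

if __name__ == "__main__":
    print(demo_exchange())
```

Because the port is chosen at run time and only appears inside the CTCP text, a packet filter that does not parse the IRC stream has no way to open just that one backchannel, which is the point the reply makes.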