ICQ

ICQ is a popular instant messaging service on the Internet. The user's client program connects to an ICQ server, and all communication with other users passes through that server.

From a security point of view, letting ICQ traffic through a firewall is not advisable. ICQ clients and servers are notorious for bugs and security holes. The protocol is insecure: all traffic, including passwords, is sent unencrypted, and the protocol design makes it easy for a third party to intercept a connection without the client noticing. The ICQ clients also disclose a lot of information, such as the real IP address of the client computer, even when NAT is used, and which communication software is installed on the client computer.

The ICQ client establishes a TCP connection from a high port to port 5190 on the server. The server sends data from port 5190 back to the same high port on the client. ICQ might also use other services, e.g., Real Audio/Video (see the separate section on that).

This corresponds to the following service definitions:

Services
Name   Protocol   Firewall type                Client ports   Server ports
icq    TCP        Dynamic session management   1024-65535     5190

Outgoing ICQ configuration

Using rules (NAT/no NAT)

For the client and the server to be able to communicate, only one rule is needed, because the firewall automatically creates shadow rules for the TCP reply traffic of an allowed connection. Allow the icq service from the Inside to the Internet.

Rules
Client   Server     Service   Action
Inside   Internet   icq       Allow

Incoming ICQ configuration

Using rules (no NAT)

For the client and the server to be able to communicate, only one rule is needed, because the firewall automatically creates shadow rules for the TCP reply traffic of an allowed connection. Allow the icq service from the Internet to the ICQ server.

Rules
Client     Server       Service   Action
Internet   ICQ server   icq       Allow

Using relays (NAT/no NAT)

Use a relay to forward incoming ICQ connections to the internal server. Example (assuming the internal ICQ server has the IP address 192.168.1.17):

Relays
Listen to: IP address   Listen to: Port   Relay to: DNS name or IP address   Relay to: Port   Relay type   Allow access from: Networks
Outside (1.2.3.4)       5190              192.168.1.17                       5190             TCP relay    Internet

A TCP relay presents the firewall's own address to the server. If you want the server to see the real IP addresses of the clients, change the relay type from TCP relay to semitransparent TCP port forwarding.

N.B.: External clients must connect to the outside address of the firewall; addresses inside a NATed network are not visible from the outside.
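As an added illustration (not the firewall's own code), the following Python model shows how the definitions above behave together: the icq service definition, a rule table in which an allowed connection opens a session so that the reply packets are accepted by the automatic shadow rule, and the two relay types from the last section. The network prefixes, the firewall's inside address (192.168.1.1) and all sample packets are assumptions made for the example; only 1.2.3.4, 192.168.1.17 and port 5190 come from the page.

```python
"""Added example: a toy model of the rule and relay handling described on this
page. It is not the firewall's own code. The service definition and the
addresses 1.2.3.4 and 192.168.1.17 come from the page; the network prefixes,
the firewall's inside address and all sample packets are constructed here."""
from dataclasses import dataclass
import ipaddress

# Service definition from the page: TCP, client ports 1024-65535, server port 5190.
SERVICES = {"icq": ("tcp", range(1024, 65536), range(5190, 5191))}

# Assumed network definitions; "Internet" is treated as every address not on the inside.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
NETWORKS = {
    "Inside": INSIDE_NET,
    "ICQ server": ipaddress.ip_network("192.168.1.17/32"),
}

FW_OUTSIDE = "1.2.3.4"       # from the page
FW_INSIDE = "192.168.1.1"    # assumed inside address of the firewall
ICQ_SERVER = "192.168.1.17"  # from the page


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    client: str   # network the connection comes from
    server: str   # network the connection goes to
    service: str
    action: str   # "Allow" or "Deny"


def in_network(ip, name):
    addr = ipaddress.ip_address(ip)
    if name == "Internet":
        return addr not in INSIDE_NET
    return addr in NETWORKS[name]


class Firewall:
    """Rules are evaluated top-down; an allowed connection opens a session, and
    reply packets of that session are matched by an automatic shadow rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # (proto, client ip, client port, server ip, server port)

    def _matches(self, rule, pkt):
        proto, client_ports, server_ports = SERVICES[rule.service]
        return (pkt.proto == proto
                and pkt.sport in client_ports and pkt.dport in server_ports
                and in_network(pkt.src, rule.client)
                and in_network(pkt.dst, rule.server))

    def check(self, pkt):
        # Reply direction of a known session: accepted by the shadow rule.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "Allow (shadow rule)"
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.action == "Allow":
                    self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "Deny (no matching rule)"


def relay(pkt, relay_type):
    """Model the relay entry from the page (listen on 1.2.3.4:5190, relay to
    192.168.1.17:5190). A TCP relay terminates the client's connection on the
    firewall and opens a new one from the firewall's inside address, so the
    server only sees the firewall. Semitransparent TCP port forwarding rewrites
    the destination only, so the server sees the client's real address."""
    if pkt.proto != "tcp" or pkt.dst != FW_OUTSIDE or pkt.dport != 5190:
        return None
    if not in_network(pkt.src, "Internet"):   # "Allow access from: Internet"
        return None
    if relay_type == "TCP relay":
        return Packet("tcp", FW_INSIDE, 40001, ICQ_SERVER, 5190)  # 40001: assumed firewall-chosen port
    if relay_type == "semitransparent":
        return Packet("tcp", pkt.src, pkt.sport, ICQ_SERVER, 5190)
    raise ValueError(relay_type)


if __name__ == "__main__":
    fw = Firewall([Rule("Inside", "Internet", "icq", "Allow")])
    print("client -> server:", fw.check(Packet("tcp", "192.168.1.10", 40123, "198.51.100.7", 5190)))
    print("server -> client:", fw.check(Packet("tcp", "198.51.100.7", 5190, "192.168.1.10", 40123)))
    print("unsolicited inbound:", fw.check(Packet("tcp", "203.0.113.5", 51000, "192.168.1.17", 5190)))
    print("via TCP relay:", relay(Packet("tcp", "203.0.113.5", 51000, "1.2.3.4", 5190), "TCP relay"))
```

Running the block shows the outgoing rule allowing the client's connection, the shadow rule accepting the server's reply, an unsolicited inbound connection being denied until the incoming rule or a relay is added, and the difference in source address the server sees between the two relay types.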