FireWall-1 FAQ: Allowing or Blocking ICQ
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Note that the following information was based on information available from http://www.icq.com/icqtour/firewall/netadmin.html on 19 November 2002. You may wish to check this page for the latest instructions.
Client to server Communication is done via port 5190 to login.icq.com. Note that login.icq.com resolves to multiple IP addresses, so you will need to perform an nslookup to determine what IP addresses it resolves to. Windows and some Unix implmentations of nslookup only show one IP address even when multiple IPs are possible.
Client to client communication uses tcp high ports (i.e. all ports above 1024). If you allow clients to initiate "any" service outbound, then client to client communication will work. If you don't feel comfortable with this configuration, you can restrict the client to specific "listening" ports. This will be compatible with static NAT, but not HIDE NAT.
In a HIDE NAT configuration, your users will need to configure their clients to "Use Server Proxy Settings" and it will not be possible to initiate a direct communication to other users in a similar configuration.
You can block ICQ access by simply blocking all services to 18.104.22.168, netmask 255.255.0.0 and 22.214.171.124, netmask 255.255.0.0. You will also need to block access to the IP 126.96.36.199. Also, there's apparently a program out there that tunnels ICQ over HTTP. To block access to this, you must block access to www.icqproxy.com.