Re: [GnomeMeeting-list] Firewall rules with the new H.323 support in netfilter, 2.6.17.x



On Wednesday 28 June 2006 at 05:02 +1000, Nick Urbanik wrote:
> Dear Folks,
> 
> On 27/06/06 13:41 +0200, Damien Sandras wrote:
> >> Dear Folks,
> >>
> >> Thanks for your great work!  It looks like ekiga has come along so far
> >> since my first tentative experiments with the old gnomemeeting many
> >> years ago.
> >>
> >> I was excited about the h323 support in the 2.6.17 kernel, now
> >> available in my shiny new standard FC5 kernel
> >> $ uname -r
> >> 2.6.17-1.2139_FC5smp
> >> with these modules:
> >> $ find /lib/modules/2.6.17-1.2139_FC5smp -name '*h323*'
> >> /lib/modules/2.6.17-1.2139_FC5smp/kernel/net/ipv4/netfilter/ip_conntrack_h323.ko
> >> /lib/modules/2.6.17-1.2139_FC5smp/kernel/net/ipv4/netfilter/ip_nat_h323.ko
> >>
> >> so I fired up ekiga on my machine, and read the documentation on the
> >> website.
> >>
> >> The firewall rules recommended at
> >> http://www.ekiga.org/index.php?rub=3&pos=0&faqpage=x161.html#AEN188
> >> suggest simply opening up all outgoing traffic of every kind to
> >> everywhere, and allowing anything to come back that is related.  All
> >> traffic of every kind is opened up to and from the internal network.
> >>
> >> The mail messages at
> >> http://mail.gnome.org/archives/gnomemeeting-list/2002-March/msg00078.html
> >> and
> >> http://mail.gnome.org/archives/gnomemeeting-list/2002-March/msg00063.html
> >> say that, to communicate with *netmeeting* *clients*, I need to do
> >> something terrible such as allowing, both inbound and outbound, *all*
> >> udp ports 1024:65535.
> >>
> >> That is scary (okay, I'm a wimp :-).  Does anyone have any
> >> recommendations for communicating with netmeeting clients that do not
> >> involve the netfilter equivalent of an open-raincoat full frontal flash?
> >
> >
> >I think that you do not have anything to "open" for Netmeeting, as they
> >are outbound connections to Netmeeting.
> 
> I don't think so.  At this end we are using Ekiga.  We need to be able
> to initiate and receive calls from netmeeting clients (our relatives
> in Hong Kong!).
> 
> >You just need to open ports for Ekiga. However, with the netfilter
> >module, simply opening up 1720 should be enough.
> 
> To accept calls from netmeeting clients, I am sure that I need to open
> some ports.  I don't understand the requirements of H.323 (and
> netmeeting) enough so that I can communicate with them through Ekiga.
> Okay, I'll try simply opening TCP port 1720 in both directions to set
> up the call.  Hopefully, all the rest will be "related".  Maybe I need
> to read the code for the ip_conntrack_h323 module.

I think 1720 should be enough; all the rest is related to the H.323
connection that will be set up and should be handled by the H.323
conntrack module.

However, if it doesn't work, try with and without Fast Start, and also
with and without H.245 Tunneling.
-- 
 _      Damien Sandras
(o-     
//\     Ekiga Softphone: http://www.ekiga.org/
v_/_    FOSDEM 2006    : http://www.fosdem.org/
        SIP Phone      : sip:dsandras ekiga net
                         sip:600000 ekiga net
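
The approach suggested in the reply above, as an added example that is not part of the original thread: a host ruleset that opens only TCP 1720 and leaves the remaining H.323 channels to the conntrack helper through the RELATED state, plus a small check that flags the wide port ranges the older list posts recommended. The function names, the default-drop policies and the 100-port threshold are assumptions; the ruleset covers H.323 only, so other services need their own rules.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Ekiga runs on the firewalled
# host itself (INPUT/OUTPUT chains; no FORWARD or NAT rules are shown).

H323_PORT=1720   # the call setup port named in the thread

# Print the ruleset in iptables-restore format so it can be reviewed
# before loading. Only 1720/tcp is opened for NEW connections; everything
# else must be matched as ESTABLISHED or RELATED by connection tracking.
h323_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${H323_PORT} -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport ${H323_PORT} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Read rules on stdin and print every ACCEPT rule whose --dport range
# spans more than $1 ports (default 100), e.g. "--dport 1024:65535".
wide_open_rules() {
    awk -v max="${1:-100}" '
        /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && split($(i + 1), r, ":") == 2 &&
                    r[2] - r[1] > max)
                    print
        }'
}

# Show the ruleset for review. To load it (as root), first load the helper
# module listed in the thread:
#   modprobe ip_conntrack_h323 && h323_ruleset | iptables-restore
h323_ruleset
```

Piping an existing configuration through `wide_open_rules` (for example the output of `iptables-save`) lists any leftover rules of the "all ports 1024:65535" kind.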



