Re: [GnomeMeeting-list] Firewall rules with the new H.323 support in netfilter, 2.6.17.x



> Dear Folks,
>
> Thanks for your great work!  It looks like ekiga has come along so far
> since my first tentative experiments with the old gnomemeeting many
> years ago.
>
> I was excited about the h323 support in the 2.6.17 kernel, now
> available in my shiny new standard FC5 kernel
> $ uname -r
> 2.6.17-1.2139_FC5smp
> with these modules:
> $ find /lib/modules/2.6.17-1.2139_FC5smp -name '*h323*'
> /lib/modules/2.6.17-1.2139_FC5smp/kernel/net/ipv4/netfilter/ip_conntrack_h323.ko
> /lib/modules/2.6.17-1.2139_FC5smp/kernel/net/ipv4/netfilter/ip_nat_h323.ko
>
> so I fired up ekiga on my machine, and read the documentation on the
> website.
>
> The firewall rules recommended at
> http://www.ekiga.org/index.php?rub=3&pos=0&faqpage=x161.html#AEN188
> suggest simply opening up all outgoing traffic of every kind to
> everywhere, and allowing anything to come back that is related.  All
> traffic of every kind is opened up to and from the internal network.
>
> The mail messages at
> http://mail.gnome.org/archives/gnomemeeting-list/2002-March/msg00078.html
> and
> http://mail.gnome.org/archives/gnomemeeting-list/2002-March/msg00063.html
> say that, to communicate with *netmeeting* *clients*, I need to do
> something terrible such as allowing, both inbound and outbound, *all*
> udp ports 1024:65535.
>
> That is scary (okay, I'm a wimp :-).  Does anyone have any
> recommendations for communicating with netmeeting clients that do not
> involve the netfilter equivalent of an open-raincoat full frontal flash?


I think that you do not have anything to "open" for Netmeeting, as they
are outbound connections to Netmeeting. You just need to open ports for
Ekiga. However, with the netfilter module, simply opening up 1720 should
be enough.
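
The approach in the reply above, written out as an added example that is not part of the original thread or the Ekiga documentation: a host ruleset that accepts new inbound connections only on TCP 1720 and relies on the H.323 conntrack helper to mark the negotiated H.245 and RTP/RTCP flows as RELATED. The interface name, the chain policies and the function names `h323_ruleset` and `wide_udp_rules` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Ekiga runs on this host,
# so the rules go in INPUT, and that eth0 faces the outside network.
WAN_IF="${WAN_IF:-eth0}"

# Emit a filter table in iptables-restore format.
h323_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 1720 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Read rules on stdin and print any that open the whole unprivileged
# UDP range, the workaround the 2002 list messages describe.
wide_udp_rules() {
    grep -E -e '-p udp .*--(dport|sport|dports|sports) 1024:65535' || true
}

case "${1:-}" in
    --apply)
        # Needs root. The helper must be loaded, otherwise the media
        # connections are never classified as RELATED and get dropped.
        modprobe ip_conntrack_h323
        # ip_nat_h323 is only needed when this box also NATs H.323 traffic.
        # iptables-restore replaces the current filter table.
        h323_ruleset | iptables-restore
        ;;
    *)
        # Default: print the ruleset for review, change nothing.
        h323_ruleset
        ;;
esac
```

Piping the output of `iptables-save` into `wide_udp_rules` shows whether an existing ruleset still carries the wide UDP rule.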



