[GnomeMeeting-list] Gnomemeeting behind a BSD-Firewall/Router



Dear Gnomemeeting-Users,

As you probably all know, many routers/firewalls doing NAT/PAT (in Linux
with iptables) for a network have problems with the H.323 protocol. It
might be very difficult to teach your firewall H.323, but on some
platforms there exist several solutions (Linux with newnat, rsip and a
gatekeeper).

In my private LAN I've got a NetBSD router with IP Filter. The
GnomeMeeting FAQ just informs about solutions with Linux, so I had to
search for other ways. First of all I thought I could use a gatekeeper. I
downloaded the source and tried to compile pwlib and the other necessary
packages. But after some time I gave up because the packages had problems
with NetBSD's pthreads (I just tested it on NetBSD; maybe OpenBSD and
FreeBSD have no problem with those packages). I wouldn't suggest you
use a gatekeeper - the following solution is much easier.

After giving up I had to search for other possibilities - and I found
another one. I read about the H.323 proxy of IP Filter. My version of IP
Filter was too old and didn't include the h323 proxy: it was something
like version 3.4.9 (test your version with 'ipf -V'), so I had to
upgrade my IP Filter. I didn't find a changelog, so I can't tell you
since which version H.323 has been supported. If you are not sure, just
test it or search in the kernel's netinet directory. Otherwise you have
to upgrade your IP Filter. I'd suggest you take the latest release
because I read about bugs in older versions. After compiling/installing
the new version of IP Filter and a new kernel I had to reboot (now check
your IPF version to make sure everything worked fine). After the upgrade
I started testing.

The first test was with a person who uses a Linux router with the newnat
patch. I had to allow TCP port 1720 (I suggest you use "keep state")
for incoming traffic. I also allowed TCP ports 30000-30010 and UDP
ports 5000-5003. Remember to allow the packets for incoming and outgoing
traffic. If something doesn't work, use the ipmon utility to see which
packets are still blocked. To be able to receive incoming calls you have
to forward TCP port 1720 to your computer behind the router.

I won't paste any IP Filter rules because I think everybody using BSD
is able to write some short rules. Again, the rules really depend on
your IP Filter configuration. If you need some help I can suggest the
manpages of ipf and ipnat. The examples in /usr/share/examples/ipf
are also interesting - everything should be quite easy (in my opinion it
is easier than the terrible iptables ;). If nothing helps you
can also mail me - but I don't promise to answer very fast.

After having done all the configuration GnomeMeeting worked pretty well.
Audio and video streams worked in both directions - we had a nice
conversation.

I talked to Damien in the IRC channel of GnomeMeeting. After I told him
about my success he asked me to send a short mail to the mailing list -
and here it is ;). I hope I could help some people who have a BSD router
and are searching for a solution. If there are any further questions or I
forgot something (and I possibly did because I wrote very fast) please
ask - I'll try to answer.

In the end, here are a few URLs:
IP Filter Homepage - http://www.ipfilter.org
IP Filter Howto - http://www.obfuscation.org/ipf/ipf-howto.txt
Howto upgrade IPF under NetBSD - http://www.muine.org/~hoang/netnat.html#upgrading

You can find many other things with google.com.

Best regards,
Matthias Redlich

PS: Damien, I have to laud you for GM. I like it very much - you did a
very good job!
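The rules the mail describes, written out as an added example (this is not the author's configuration and was not part of the original post). It assumes the external interface is fxp0, the LAN is 192.168.1.0/24 and the GnomeMeeting host is 192.168.1.10; the `proxy port 1720 h323/tcp` keyword is how IP Filter's own h323 proxy is attached to a NAT rule, and the widened `><` bounds follow ipf(5), where that operator is an exclusive range.

```conf
# /etc/ipnat.conf  (NAT side; first matching rule wins)
# Send the H.323 call-setup channel (tcp/1720) through IP Filter's h323
# proxy so the RTP/RTCP ports negotiated inside the call get NAT entries.
map fxp0 192.168.1.0/24 -> 0/32 proxy port 1720 h323/tcp
# Ordinary masquerading for everything else leaving the LAN.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 192.168.1.0/24 -> 0/32
# Incoming calls: forward the call-setup port to the GnomeMeeting host.
rdr fxp0 0.0.0.0/0 port 1720 -> 192.168.1.10 port 1720 tcp

# /etc/ipf.conf  (filter side; "quick" rules stop processing)
# Default: drop and log everything arriving on the outside interface,
# so ipmon shows exactly which packets still need a rule while testing.
block in log on fxp0 all
# Call setup (tcp/1720), both directions, stateful.
pass in  quick on fxp0 proto tcp from any to any port = 1720 flags S keep state
pass out quick on fxp0 proto tcp from any to any port = 1720 flags S keep state
# H.245 control channels: tcp 30000-30010 (">< " is exclusive, hence 29999/30011).
pass in  quick on fxp0 proto tcp from any to any port 29999 >< 30011 flags S keep state
pass out quick on fxp0 proto tcp from any to any port 29999 >< 30011 flags S keep state
# RTP/RTCP audio and video: udp 5000-5003.
pass in  quick on fxp0 proto udp from any to any port 4999 >< 5004 keep state
pass out quick on fxp0 proto udp from any to any port 4999 >< 5004 keep state
```

Load with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`, then run `ipmon -o I` during a test call to see what the block rule still logs.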




