j4 ([personal profile] j4) wrote 2005-03-07 10:13 pm

... but everywhere he is in ipchains

Right. I'm trying to set up my iSight, and it's not working, and this suggests that our home-brewed firewall is the crux of the problem:
To use iChat AV behind a firewall, make sure your network administrator has opened UDP port 5060.

When video conferencing, iChat AV uses four UDP ports in this range: 16384 to 16403.
So anyway, my network administrator is tired & stressed and says port forwarding is complicated. I have bashed my head against the ipchains man page to no avail. Anybody have any hints (or lines I can cut and paste into our firewall)?

TIA...

[personal profile] sparrowsion 2005-03-08 01:00 am (UTC)
Looking at the firewall logs, I think it should be easily possible to set things up to allow you to establish a connection using the same trick that the internal name and time servers do. Assuming the other end port-forwards sensibly. Ugh, I really should have gone to sleep an hour ago instead of looking into this.

[identity profile] j4.livejournal.com 2005-03-08 01:22 pm (UTC)
Does that mean [livejournal.com profile] martling's solution isn't what we need? It looked like the sort of thing we were groping towards (and failing to find!) last night...

[personal profile] sparrowsion 2005-03-08 01:59 pm (UTC)
Not knowing how the iChat protocol works (in particular, where it gets its ip addresses from), I'm guessing [livejournal.com profile] martling's solution will allow connections to be made to you whereas I'm looking at how a connection could be established from you. So we may need both.

[identity profile] martling.livejournal.com 2005-03-08 03:04 pm (UTC)
I'm not sure you need to do anything for traffic initiated in the other direction, since you're already allowing and masquerading things outbound from badgers.

[personal profile] sparrowsion 2005-03-08 03:31 pm (UTC)
Yes, but it won't in general allow udp packets back onto the internal network (there are specific exceptions for the name and time servers—I'm talking about making iChat a specific exception too).

[identity profile] j4.livejournal.com 2005-03-08 08:02 pm (UTC)
IHNJ, IJLS "outbound from badgers" :-)

[identity profile] aardvark179.livejournal.com 2005-03-09 01:08 am (UTC)
You'd be best off upgrading the kernel to iptables. The important thing to watch for is that the firewall should not change the source port of outgoing UDP packets, and I don't think ipchains guarantees to preserve this, and I think iptables will, but have a check.

Also worth looking at this (http://docs.info.apple.com/article.html?artnum=93208) which lists the main ports to do with the iChat protocols and has a couple of links to the nitty gritty stuff.

[personal profile] sparrowsion 2005-03-09 10:23 am (UTC)
Actually, having (another) look at that, and a bit more digging around, it appears that the summary solution is "What you're trying to do is fundamentally impossible, because Linux firewalls don't know how to handle SIP."

[identity profile] j4.livejournal.com 2005-03-09 11:08 am (UTC)
So I can't actually use my iSight at all? :-(

[personal profile] sparrowsion 2005-03-09 11:42 am (UTC)
The port forwarding stuff might work. I don't know. My brain is full of work stress, and isn't up to trying to second guess undocumented protocols.
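As an added example (not from the thread and not anything the posters wrote), this is what the "lines I can cut and paste" that j4 asked for, and the iptables route aardvark179 suggested, look like for the ports Apple's note quotes (UDP 5060 and UDP 16384 to 16403). The WAN interface eth0, LAN interface eth1 and the Mac's address 192.168.1.10 are assumptions; substitute your own. The script only prints the rules, so it can be reviewed first and piped to sh as root once it looks right.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates iptables rules that
# forward iChat AV's UDP ports to a single LAN host behind a Linux NAT box.
# Assumed (not from the thread): WAN interface eth0, LAN interface eth1, and
# the Mac at 192.168.1.10. The port numbers are the ones Apple's note quotes.

SIP_PORT=5060             # SIP signalling (UDP)
RTP_PORTS=16384:16403     # the RTP/RTCP range iChat AV draws four ports from

# Reject anything that is not a dotted-quad IPv4 address before it is pasted
# into a rule, so a typo cannot turn into a rule with an empty --to-destination.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the rule set for LANHOST behind WANIF/LANIF. Rules are printed, not
# applied; run 'ichat_nat_rules 192.168.1.10 eth0 eth1 | sh' as root to install.
# They assume they are appended before any catch-all DROP in FORWARD.
ichat_nat_rules() {
    lanhost="$1"; wanif="$2"; lanif="$3"
    is_ipv4 "$lanhost" || { echo "bad LAN host: $lanhost" >&2; return 1; }
    cat <<EOF
# Outbound NAT for the LAN. MASQUERADE leaves the UDP source port unchanged
# unless it collides with an existing mapping, which is the property
# aardvark179 asked for (iChat expects its media ports to come back as sent).
iptables -t nat -A POSTROUTING -o $wanif -j MASQUERADE
# Inbound: rewrite the destination of SIP and media packets to the Mac.
iptables -t nat -A PREROUTING -i $wanif -p udp --dport $SIP_PORT -j DNAT --to-destination $lanhost
iptables -t nat -A PREROUTING -i $wanif -p udp --dport $RTP_PORTS -j DNAT --to-destination $lanhost
# FORWARD: admit only UDP, only to that host, only on those ports.
iptables -A FORWARD -i $wanif -o $lanif -p udp -d $lanhost --dport $SIP_PORT -j ACCEPT
iptables -A FORWARD -i $wanif -o $lanif -p udp -d $lanhost --dport $RTP_PORTS -j ACCEPT
# Replies to calls the Mac starts come back via connection tracking, so no
# extra per-port hole is needed for the outbound direction.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of iptables commands the generated script would run (handy for review).
ichat_rule_count() {
    ichat_nat_rules "$@" | grep -c '^iptables'
}
```

This is static port forwarding, which is the workaround for exactly one iChat host on the LAN. It does not address sparrowsion's objection about SIP: SIP and SDP carry the caller's private IP address inside the packet payload, and DNAT rewrites only the headers. Later 2.6 kernels added the SIP connection-tracking and NAT helper modules (ip_conntrack_sip/ip_nat_sip, renamed nf_conntrack_sip/nf_nat_sip) to fix up the payload; ipchains has nothing comparable, which is one more reason to take aardvark179's advice and move to iptables.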