Hi,
I'm using shorewall-perl on Ubuntu 8.10 server. Everything is fine,
except for iChat AV video transfer, which I haven't managed to use yet.
The current configuration of shorewall is at
http://raq550.dyndns.org/~christian/dump.txt.gz, just in case you'd need it.
I've set up a macro for iChatAV, adding all the ports that Apple
mentions in [1]:
christian@cobalt:~/public_html$ cat /etc/shorewall/macro.iChatAV
#
# Shorewall version 4 - iChat AV Macro
#
# /usr/share/shorewall/macro.iChatAV
#
# This macro handles iChat AV over AIM traffic
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST                            SOURCE  RATE    USER/
#                               PORT(S)                         PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     5190,5220,5222,5223,5298
PARAM   -       -       udp     5060,5190,5297,5298,5353,5678
PARAM   -       -       udp     16384:16403
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
In my rules file, this is activated using
christian@cobalt:~/public_html$ sudo cat /etc/shorewall/rules | grep iChat
iChatAV/ACCEPT  loc     net
This works for all ports opened from inside to outside, but the other
way round is still blocked. I can use text messaging. When I try to
initiate or receive a video chat, I see kernel messages like this:
Jan 10 19:01:34 cobalt kernel: [4871566.876742] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=18127 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:34 cobalt kernel: [4871567.167577] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=32202 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:35 cobalt kernel: [4871567.465417] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=56311 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:37 cobalt kernel: [4871569.905100] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=12739 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:38 cobalt kernel: [4871570.200939] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=39809 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:38 cobalt kernel: [4871570.498777] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=25058 PROTO=UDP SPT=51326 DPT=57669 LEN=60
After a while, iChat gives up and claims that the transmission has
been cancelled by the peer. However, the UDP ports seen above are not
mentioned in Apple's list of used iChat ports; apparently they change
between different invocations of iChat. There's a hint on [2] on how
to set up iptables directly, but I must admit that I never got the
hang of fully understanding the Shorewall macro commands to be able to
translate this into a macro. Anybody willing to help? Kind regards,
Christian
[1] http://support.apple.com/kb/HT1507
[2] http://osdir.com/ml/culture.people.kragen.hacks/2004-11/msg00000.html
--
Christian Aust
M +49-151-22328261
christian.aust@software-consultant.net
http://software-consultant.net/
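As an added illustration (not part of the original mail or of Shorewall), the following script reads the macro.iChatAV file quoted above, parses the Shorewall "chain:disposition:" kernel log lines, and reports which DROPped destination ports fall outside every port range the macro opens. It assumes the log entries have been re-joined onto one line each; the sample input is taken from the mail.

```python
import re

# Macro from the mail, kept verbatim so the parser has to skip comment lines.
MACRO_ICHATAV = """\
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
PARAM - - tcp 5190,5220,5222,5223,5298
PARAM - - udp 5060,5190,5297,5298,5353,5678
PARAM - - udp 16384:16403
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed sample: two of the kernel log entries from the mail, one per line.
SAMPLE_LOG = """\
Jan 10 19:01:34 cobalt kernel: [4871566.876742] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=18127 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:34 cobalt kernel: [4871567.167577] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=32202 PROTO=UDP SPT=51326 DPT=57669 LEN=60
"""

def parse_macro_ports(text):
    """Return {PROTO: [(lo, hi), ...]} from the DEST PORT(S) column of a macro file."""
    ports = {}
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0].startswith("#") or len(cols) < 5:
            continue  # comment, blank, or no DEST PORT(S) column
        for item in cols[4].split(","):      # "5297,5298" or "16384:16403"
            lo, _, hi = item.partition(":")
            ports.setdefault(cols[3].upper(), []).append((int(lo), int(hi or lo)))
    return ports

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)")

def parse_log_line(line):
    """Parse one Shorewall kernel log line into a dict; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
    return {"chain": m.group("chain"), "disposition": m.group("disposition"),
            "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO", "").upper(),
            "spt": int(kv["SPT"]) if "SPT" in kv else None,
            "dpt": int(kv["DPT"]) if "DPT" in kv else None}

def port_covered(ports, proto, port):
    return any(lo <= port <= hi for lo, hi in ports.get(proto, []))

def uncovered_drops(log_text, macro_text):
    """Unique (src, proto, dpt) of DROPped packets whose DPT the macro does not open."""
    ports, seen = parse_macro_ports(macro_text), []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["disposition"] == "DROP" and rec["dpt"] is not None \
                and not port_covered(ports, rec["proto"], rec["dpt"]):
            key = (rec["src"], rec["proto"], rec["dpt"])
            if key not in seen:
                seen.append(key)
    return seen

if __name__ == "__main__":
    for src, proto, dpt in uncovered_drops(SAMPLE_LOG, MACRO_ICHATAV):
        print(f"{proto} from {src} to port {dpt}: not opened by macro.iChatAV")
```

Run against the full /var/log/messages, this quickly shows whether the dropped ports are scattered across a range (pointing at dynamically negotiated media ports) or repeat a small fixed set that a macro line could cover.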