On Tue, 2003-09-30 at 22:43, Scott Jibben wrote:
> Hello,
>
> I'm trying to get MSN Messenger to work on my computer.
>
> I have read Tom's section on FAQ #3 and I don't want to resort to installing
> linuxigd module if I can help it.
>
> I have defined my PC in the NAT file:
> 
> 216.17.21.90     eth0      10.10.1.101       no         no
>
> I have also built some rules for incoming traffic to this PC for MSN
> Messenger (per google searches and Microsoft info that I could find
> regarding ports that MSN needed):
> 
> #          MSN Messenger
> ACCEPT    net    loc:10.10.1.101    tcp    1863
> ACCEPT    net    loc:10.10.1.101    udp    1863
> ACCEPT    net    loc:10.10.1.101    udp    5190
> ACCEPT    net    loc:10.10.1.101    tcp    6901
> ACCEPT    net    loc:10.10.1.101    udp    6901
> ACCEPT    net    loc:10.10.1.101    tcp    6891:6900
>
> My firewall also has DHCP installed on it and I pass out
> 10.10.1.51~10.10.1.100 IP addresses with the 10.10.1.1 firewall internal
> interface as the gateway.
>
> The interesting thing is that any PC that gets an address from DHCP will be
> able to connect with MSN/Windows Messenger.
No one said that you couldn't connect to MSN -- you just don't have
access to all of the features.
>
> Tom, I noticed that the link to FAQ #30 (right after link to #1c) at the top
> of the FAQ.htm file is broken.
Thanks -- you are user 1,496 to report that problem.
>
> I have some clients that require me to come into their networks from
> 216.17.21.90.  I also want my PC to be accessed from the Internet for some
> other services so I figured that I needed to define it in the NAT file and
> open the ports using RULES file.  So, why does MSN Messenger work with DHCP
> clients and not my PC?
> 
I haven't a clue based on what you have told us. If there are no
Shorewall messages being generated when you try to connect, you'll have
to resort to tcpdump or ethereal.
>
> I suppose that I could use the MASQ file to make all internal sources look
> like 216.17.21.90 or I could change the external interface on my firewall to
> default to 216.17.21.90 and then use DNAT rules to bring the packets into my
> PC.  The 2nd option sounds the easiest.  Any other suggestions?
Determine why your current setup doesn't work and fix it.
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net