Hi all,

I have set up shorewall for a client with some twenty users, and everything is working great. Now the client just asked me about MSN messenger. He wants to be able to use the voice features of messenger, but complains that it doesn't work.

Now, as far as I know, MSN messenger's chat functions work no problem with NAT, but voice doesn't - and won't - right? Is it possible to forward specific ports to one designated 'phone-client' on the local net, or is it totally impossible to get voice to work through shorewall/NAT?

The client's setup is as follows:

* ADSL-modem, gets public ip dynamically from isp. We have to call the isp with any port forwarding requests, we can't get to this modem. Internal IP is 192.168.2.254
* Red Hat 7.2 running shorewall. eth0 has ip 192.168.2.1 connected to the modem. eth1 has ip 192.168.1.254 and is the local net's gateway.

I don't have a lot of experience when it comes to MSN messenger, so any hints/pointers/URLs etc on the subject would be great, I'm guessing I'm not the first one to run across this problem - right?

TIA,
Örjan

> MSN messenger's chat functions work no problem with NAT, but voice doesn't -
> and won't - right?

Correct. According to

http://support.microsoft.com/default.aspx?scid=http://messenger.microsoft.com/support/knownissues.asp

and MS knowledgebase article Q316660, Messenger's voice feature is apparently NAT incompatible...

"Currently, certain extended features of MSN Messenger, such as voice conversations and file transfer, might not work behind Internet Connection Sharing applications and hardware (often called NATs). Basic functionality such as signing in, instant messaging, and checking e-mail should not be affected at all."

Note, I don't use Messenger myself, I just did a quick search at support.microsoft.com

dvt

MSN file-send and voice (and most other IMs too) have server based chat but direct connect for voice/filesend as they don't want all those bytes going through their server since that would multiply the bandwidth requirements several orders of magnitude. The way they do that is one side sends its IP address to the other side as part of a message. If it is behind a fw, it is sending its local rfc1918 address which does the other side no good at all -- hence no connection.

I *think* icq can be used to specify a fw that you can bleed your file transfers through but I don't think it does voice.

An option that I used to solve that and a host of other problems is to build a WAN with your contacts using freeswan so you are all effectively on the same network at which time these things start working again because the local address that is sent back and forth now makes sense and are directly addressable.

Steve

----- Original Message -----
From: "David Tilley" <david@t2bsolutions.com>
To: "shorewall" <shorewall@bolibompa.com>; <shorewall-users@shorewall.net>
Sent: Sunday, September 22, 2002 7:20 PM
Subject: Re: [Shorewall-users] MSN messenger

> > MSN messenger's chat functions work no problem with NAT, but voice doesn't -
> > and won't - right?
>
> Correct. According to
>
> http://support.microsoft.com/default.aspx?scid=http://messenger.microsoft.com/support/knownissues.asp
>
> and MS knowledgebase article Q316660, Messenger's voice feature is
> apparently NAT incompatible...
>
> "Currently, certain extended features of MSN Messenger, such as voice
> conversations and file transfer, might not work behind Internet Connection
> Sharing applications and hardware (often called NATs). Basic functionality
> such as signing in, instant messaging, and checking e-mail should not be
> affected at all."
>
> Note, I don't use Messenger myself, I just did a quick search at
> support.microsoft.com
>
> dvt
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

Another option is to write a conntrack module for the various messengers ;-) Considering how irc/dcc works... MSN, YIM, and AIM all should have a similar direct connection architecture. The question is what their respective protocols look like...

I've pondered writing one for AIM (the IM I use), but have been too lazy to look at the AIM protocol (I assume gaim has some specs somewhere).

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Steve Estes
> Sent: Sunday, September 22, 2002 4:38 PM
> To: David Tilley; shorewall; shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] MSN messenger
>
> MSN file-send and voice (and most other IMs too) have server
> based chat but direct connect for voice/filesend as they
> don't want all those bytes going through their server since
> that would multiply the bandwidth requirements several orders
> of magnitude. The way they do that is one side sends its IP
> address to the other side as part of a message. If it is
> behind a fw, it is sending its local rfc1918 address which
> does the other side no good at all -- hence no connection.
>
> I *think* icq can be used to specify a fw that you can bleed
> your file transfers through but I don't think it does voice.
>
> An option that I used to solve that and a host of other
> problems is to build a WAN with your contacts using freeswan
> so you are all effectively on the same network at which time
> these things start working again because the local address
> that is sent back and forth now makes sense and are directly
> addressable.
>
> Steve
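
What a conntrack/NAT helper of the kind suggested above has to do, shown for the IRC DCC case the message refers to. This is an added example, not code from the thread or from netfilter; the addresses, the sample line and the function name are constructed. It rewrites the RFC 1918 address embedded in the payload to the gateway's public address and records the port to forward, and it only acts when the embedded address equals the packet's own source, so a client cannot ask the gateway to open a path to some other internal host.

```python
import ipaddress
import re

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# CTCP DCC offer: \x01DCC SEND <file> <IPv4 as decimal uint32> <port> [<size>]\x01
DCC_RE = re.compile(rb"\x01DCC (SEND|CHAT) (\S+) (\d{1,10}) (\d{1,5})((?: \d+)?)\x01")


def rewrite_dcc(payload, pkt_src, public_ip):
    """Return (new_payload, expectations) for one outbound IRC line.

    payload   -- bytes sent by the LAN client
    pkt_src   -- source address from the IP header, before NAT
    public_ip -- the gateway's external address
    Each expectation is (internal_ip, port): an inbound connection the
    gateway should forward back to the client that made the offer.
    """
    src = ipaddress.IPv4Address(pkt_src)
    pub = ipaddress.IPv4Address(public_ip)
    expectations = []

    def fix(m):
        value, port = int(m.group(3)), int(m.group(4))
        if value > 0xFFFFFFFF or not 0 < port < 65536:
            return m.group(0)          # malformed offer: leave untouched
        embedded = ipaddress.IPv4Address(value)
        # Act only on an offer that names the sender itself and that
        # really is a private address the far side could not reach.
        if embedded != src or not any(embedded in n for n in RFC1918):
            return m.group(0)
        expectations.append((str(embedded), port))
        return b"\x01DCC %s %s %d %d%s\x01" % (
            m.group(1), m.group(2), int(pub), port, m.group(5))

    return DCC_RE.sub(fix, payload), expectations


# Constructed sample: LAN host 192.168.1.10 (3232235786) offers a file on port 5000.
SAMPLE = b"PRIVMSG bob :\x01DCC SEND notes.txt 3232235786 5000 1024\x01\r\n"
```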

Perry F Nguyen wrote:

> Another option is to write a conntrack module for the various messengers
> ;-) Considering how irc/dcc works... MSN, YIM, and AIM all should have
> a similar direct connection architecture. The question is what their
> respective protocols look like...
>
> I've pondered writing one for AIM (the IM I use), but have been too lazy
> to look at the AIM protocol (I assume gaim has some specs somewhere).

MSN Messenger uses H.323 which is the same underlying technology employed by netmeeting. There are conntrack/nat modules for H.323 but they don't do a good job on MSN Messenger either :-(

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net