Does anyone know of a way to setup Shorewall to nat or not nat based on username (preferably based on windows 2000 account/group membership)?

Blake Parker, Network Administrator
Alacare Home Health & Hospice
4752 Hwy 280 East
Birmingham, AL 35242
(205) 981-8648, Beeper: (205) 501-0408
bparker@alacare.com <mailto:bparker@alacare.com>

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

You should not post to this list if you do not want it to be archived and / or read by everyone in the world!!!!!!! THE DATA MAY be used in anyway that anyone wishes! If in your opinion the data you provide is misused then $EVERYONE$ should SUE YOU, and your employer should fire YOU! You should use an email account of your own, if you do not wish emails like this to be sent!

Please HAVE a GOOD DAY, if you wish!

Larry Platzek larryp@inow.com

On Fri, 15 Feb 2002, Parker Blake MIS wrote:

> Date: Fri, 15 Feb 2002 11:13:35 -0600
> From: Parker Blake MIS <bparker@alacare.com>
> To: "Shorewall Users List (shorewall-users@shorewall.net)"
>     <shorewall-users@shorewall.net>
> Subject: [Shorewall-users] Question
>
> Does anyone know of a way to setup Shorewall to nat or not nat based on
> username (preferably based on windows 2000 account/group membership)?
>
> Blake Parker, Network Administrator
> Alacare Home Health & Hospice
> 4752 Hwy 280 East
> Birmingham, AL 35242
> (205) 981-8648, Beeper: (205) 501-0408
> bparker@alacare.com <mailto:bparker@alacare.com>
>
> Confidentiality Notice: This e-mail message, including any attachments, is
> for the sole use of the intended recipient(s) and may contain confidential
> and privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message.

> -----Original Message-----
> From: Larry Platzek [mailto:larryp@inow.com]
> Sent: Friday, February 15, 2002 10:51 AM
> To: Parker Blake MIS
> Cc: Shorewall Users List (shorewall-users@shorewall.net)
> Subject: Re: [Shorewall-users] Question
>
> You should not post to this list if you do not want it to be archived
> and / or read by everyone in the world!!!!!!! THE DATA MAY be used in
> anyway that anyone wishes!

<- SNIP ->

I assume you're referring to the confidentiality notice at the bottom of Blake's message. I suspect that notice is simply appended to all email leaving their office, so I doubt they really intended it to apply in this case.

As far as an answer to Blake's question, see below:

> > Date: Fri, 15 Feb 2002 11:13:35 -0600
> > From: Parker Blake MIS <bparker@alacare.com>
> > To: "Shorewall Users List (shorewall-users@shorewall.net)"
> >     <shorewall-users@shorewall.net>
> > Subject: [Shorewall-users] Question
> >
> > Does anyone know of a way to setup Shorewall to nat or not nat based on
> > username (preferably based on windows 2000 account/group membership)?

I'm afraid Shorewall has no way of knowing who a user is logged in as. It doesn't operate on that high of a level. It thinks in terms of IP addresses. But you could have a group of machines which are NAT-ed and another group which are not, based on their IP.

--Josh

Josh: You are right about what I was referring to.
I consider such posting SPAMMING when sent to a public list.

Larry Platzek larryp@inow.com

On Fri, 15 Feb 2002, Joshua Penix wrote:

> Date: Fri, 15 Feb 2002 11:33:43 -0800
> From: Joshua Penix <jpenix@projectdesign.com>
> To: "'shorewall-users@shorewall.net'" <shorewall-users@shorewall.net>
> Subject: RE: [Shorewall-users] Question
>
> > -----Original Message-----
> > From: Larry Platzek [mailto:larryp@inow.com]
> > Sent: Friday, February 15, 2002 10:51 AM
> > To: Parker Blake MIS
> > Cc: Shorewall Users List (shorewall-users@shorewall.net)
> > Subject: Re: [Shorewall-users] Question
> >
> > You should not post to this list if you do not want it to be archived
> > and / or read by everyone in the world!!!!!!! THE DATA MAY be used in
> > anyway that anyone wishes!
>
> <- SNIP ->
>
> I assume you're referring to the confidentiality notice at the bottom of
> Blake's message. I suspect that notice is simply appended to all email
> leaving their office, so I doubt they really intended it to apply in this
> case.

<- SNIP ->

> Josh: You are right about what I was referring to.
> I consider such posting SPAMMING when sent to a public list.

Spam is _unsolicited commercial email_. The email in question was neither unsolicited, nor commercial in nature. For an entertaining review on some of the interpretations of spam, please read:

http://petemoss.com/spamflames/ShifmanIsAMoronSpammer.html

If you object to Blake's post being on the list, why drag all of us into the affair? Why not respond politely - and discreetly - just to Blake offlist? I, for one, found your tone hostile, and not at all an appropriate response.

I'm not a lawyer, but I think the fact that he disclaims the message _does_ mean that people are prohibited from using that material against his employer in any way specifically because they are not the originally intended recipients.

It's not always practicable to create extra email addresses just to subscribe to mailing lists. Perhaps Blake's company does not allow him to access free webmail services like Hotmail or Yahoo. Perhaps Blake wants to maintain an offline archive of list traffic (that's what I'm doing, and specifically the reason I subscribed from this email account). Perhaps Blake is required by his employer to append the disclaimer. Who cares! He asked a legitimate question of the shorewall-users list. That's no cause to shout him down.

I'll share with the list what I sent to Blake privately:

I don't think this is possible, given that the NAT works at the network level, and the user authentication will be happening at the application level. I think what you need is a proxy application, not NAT. Depending on what sort of traffic you're trying to proxy, there are a number of available packages. I've successfully installed and used Squid for HTTP and HTTPS (and FTP) proxying. I configured Squid to query my Samba PDC for authentication, and only users in the "internet" group were granted outbound access. I tried to get the Dante SOCKS package to work, but never had any success.

Good luck,
Scott

Enclosed is my params file. I'm using Shorewall 1.2.6 and the templates for "three-interfaces". The net is on eth0, my local users on eth1, and two machines are on the DMZ on eth2, one for web services, one for ftp services.

Basically, what I want to do is:

net2fw  -> none              fw2net  -> none
net2loc -> none              fw2dmz  -> none
net2dmz -> ftp and http/s    fw2loc  -> none

dmz2net -> ftp,ssh,dns       loc2net -> everything
dmz2fw  -> none              loc2fw  -> ssh
dmz2loc -> none              loc2dmz -> ssh

I don't have the machine set up to test out the web function, but the machine that is doing ftp and ssh seems to be working. From the local network I can ssh into the firewall machine and the dmz ftp server. What I can't seem to do is browse the web from a local machine.

Any idea what I'm missing? The "params" file is the only one I've changed from the "three-interfaces" templates.

Thanks for any points in the right direction.

Gar

# etc/shorewall/params
# modified 2/15/2002
# cleaned up by g.nelson et-ggw

NET_IF=eth0
NET_BCAST=204.228.188.255
NET_OPTIONS=noping,norfc1918

LOCAL_IF=eth1
LOCAL_BCAST=192.168.100.255
LOCAL_OPTIONS=routestopped
LOCAL_NET=192.168.100.0/24

DMZ_IF=eth2
DMZ_BCAST=192.168.200.255
DMZ_OPTIONS=routestopped
DMZ_NET=192.168.200.0/24

FW_NET_TCP_PORTS=none
FW_NET_UDP_PORTS=none

NET_LOC_TCP_PORTS1=none
NET_LOC_UDP_PORTS1=none
LOC_SERVER1=none

NET_LOC_TCP_PORTS2=none
NET_LOC_UDP_PORTS2=none
LOC_SERVER2=none

NET_DMZ_TCP_PORTS1=80,443
NET_DMZ_UDP_PORTS1=none
LOC_DMZ_TCP_PORTS1=22,80,443
LOC_DMZ_UDP_PORTS1=none
FW_DMZ_TCP_PORTS1=none
FW_DMZ_UDP_PORTS1=none
DMZ_SERVER1=192.168.200.10

NET_DMZ_TCP_PORTS2=21
NET_DMZ_UDP_PORTS2=none
LOC_DMZ_TCP_PORTS2=21,22
LOC_DMZ_UDP_PORTS2=none
FW_DMZ_TCP_PORTS2=none
FW_DMZ_UDP_PORTS2=none
DMZ_SERVER2=192.168.200.20

DMZ_NET_TCP_PORTS=21,22,53
DMZ_NET_UDP_PORTS=53

NET_FW_TCP_PORTS=none
NET_FW_UDP_PORTS=none

LOC_FW_TCP_PORTS=22
LOC_FW_UDP_PORTS=none

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

--
Gar Nelson                  I fix the computers,
National Weather Service    I don't write the forecast.
101 Airport Rd.             v (406)228-2850
Glasgow, Mt. 59230          f (406)228-9627

Can't be done.

-Tom
--
Tom Eastep       \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924   \ teastep@shorewall.net

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Parker Blake MIS
Sent: Friday, February 15, 2002 9:14 AM
To: Shorewall Users List (shorewall-users@shorewall.net)
Subject: [Shorewall-users] Question

Does anyone know of a way to setup Shorewall to nat or not nat based on username (preferably based on windows 2000 account/group membership)?

Blake Parker, Network Administrator
Alacare Home Health & Hospice
4752 Hwy 280 East
Birmingham, AL 35242
(205) 981-8648, Beeper: (205) 501-0408
bparker@alacare.com

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Gar Nelson
> Sent: Friday, February 15, 2002 3:12 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] missing something on loc2net
>
> Enclosed is my params file. I'm using Shorewall 1.2.6 and the templates for
> "three-interfaces". The net is on eth0, my local users on eth1, and two
> machines are on the DMZ on eth2, one for web services, one for ftp services..
>
> Basically, what I want to do is;
>
> net2fw  -> none              fw2net  -> none
> net2loc -> none              fw2dmz  -> none
> net2dmz -> ftp and http/s    fw2loc  -> none
>
> dmz2net -> ftp,ssh,dns       loc2net -> everything
> dmz2fw  -> none              loc2fw  -> ssh
> dmz2loc -> none              loc2dmz -> ssh

So your firewall doesn't need DNS?

> I don't have the machine set up to test out the web function, but the machine
> that is doing ftp and ssh seems to be working. From the local network I can ssh
> into the firewall machine and the dmz ftp server. What I can't seem to do is
> browse the web from a local machine.
>
> Any idea what I'm missing? The "params" file is the only one I've changed from
> the "three-interfaces" templates.

Are your local systems configured with the firewall's internal interface as their default gateway?

-Tom
--
Tom Eastep       \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924   \ teastep@shorewall.net

Tom Eastep wrote:

> > net2fw  -> none              fw2net  -> none
> > net2loc -> none              fw2dmz  -> none
> > net2dmz -> ftp and http/s    fw2loc  -> none
> >
> > dmz2net -> ftp,ssh,dns       loc2net -> everything
> > dmz2fw  -> none              loc2fw  -> ssh
> > dmz2loc -> none              loc2dmz -> ssh
>
> So your firewall doesn't need DNS?

No, my thinking behind that is that if I need to go out and get something for the firewall box, I'll do it from one of the local machines and sftp it to the firewall box. I'm assuming the only real reason I'd need DNS on the firewall machine is to get updates from you, and from RedHat. If that's the only reason, I'm comfortable with the extra step, and further isolating my firewall box.

> > What I can't seem to do is browse the web from a local machine.
>
> Are your local systems configured with the firewall's internal interface
> as their default gateway?

Yes, my local machine has 192.168.100.1 as its default gateway, and I can ssh to 192.168.100.1 and get a connection. The earlier suggestion of "shorewall show loc2net" returns:

pkt bytes target prot opt in out source     destination
  0     0 ACCEPT all  --  *  *   0.0.0.0/0  0.0.0.0/0    state RELATED, ESTABLISHED
 80  5660 ACCEPT all  --  *  *   0.0.0.0/0  0.0.0.0/0

Shouldn't the source addresses show 192.168.100.0/24 so only stuff from my internal local address goes out?

And shouldn't there be a "state NEW" up there somewhere?

Thanks,
Gar

--
Gar Nelson                  I fix the computers,
National Weather Service    I don't write the forecast.
101 Airport Rd.             v (406)228-2850
Glasgow, Mt. 59230          f (406)228-9627

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Gar Nelson
> Sent: Tuesday, February 19, 2002 8:32 AM
> To: Tom Eastep
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] missing something on loc2net
>
> > Are your local systems configured with the firewall's internal interface
> > as their default gateway?
>
> Yes, my local machine has 192.168.100.1 as its default gateway, and I can
> ssh to 192.168.100.1 and get a connection. The earlier suggestion of
> "shorewall show loc2net" returns:
>
> pkt bytes target prot opt in out source     destination
>   0     0 ACCEPT all  --  *  *   0.0.0.0/0  0.0.0.0/0    state RELATED, ESTABLISHED
>  80  5660 ACCEPT all  --  *  *   0.0.0.0/0  0.0.0.0/0
>
> Shouldn't the source addresses show 192.168.100.0/24 so only stuff from my
> internal local address goes out?

Only traffic entering the firewall from your local interface is routed through the loc2net chain.

> And shouldn't there be a "state NEW" up there somewhere?

With a policy of ACCEPT, I've chosen to simply break the accounting into RELATED, ESTABLISHED and "other". It is, after all, just an accounting since ACCEPT means that you are allowing all traffic.

Since your report doesn't say much except "It doesn't work", I'm sort of grasping at straws. Can you access the internet from your Firewall (I realize testing that will be tough since you have no DNS on the Firewall but you should be able to ping by IP address hosts outside of the subnetwork defined by your ISP).

-Tom
--
Tom Eastep       \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924   \ teastep@shorewall.net

Hello.

I just received the task to enable video-conferencing. Now it seems that this won't be able with H323-compliant software, as far as I read. If I'm wrong in this point I'd be glad if you corrected me.

Now I'd like to know whether anyone of you could recommend me a software that is available for Windows and that allows video-conferencing (both video- and audio-streams) over a firewall (shorewall in this case) by requiring only specific (definable, if possible) ports, so I can allow it from inside my lan. It does not require to support more than 2 members.

Thanks.
Markus

Markus,

There is an H323 connection-tracking/NAT module in the current iptables "Patch-o-matic".

-Tom

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Markus Bossert
> Sent: Tuesday, February 19, 2002 9:56 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Video-Conferencing with Shorewall
>
> Hello.
>
> I just received the task to enable video-conferencing. Now it seems that
> this won't be able with H323-compliant software, as far as I read.
> If I'm wrong in this point I'd be glad if you corrected me.
>
> Now I'd like to know whether anyone of you could recommend me a software
> that is available for Windows and that allows video-conferencing (both
> video- and audio-streams) over a firewall (shorewall in this case) by
> requiring only specific (definable, if possible) ports, so I can allow it
> from inside my lan.
> It does not require to support more than 2 members.
>
> Thanks.
> Markus

The other thing that you can do is video-conferencing over VPN -- that's what I do here. I connect to my Corporate intranet using PPTP then use Netmeeting through the VPN tunnel.

-Tom

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Markus Bossert
> Sent: Tuesday, February 19, 2002 9:56 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Video-Conferencing with Shorewall
>
> Hello.
>
> I just received the task to enable video-conferencing. Now it seems that
> this won't be able with H323-compliant software, as far as I read.
> If I'm wrong in this point I'd be glad if you corrected me.
>
> Now I'd like to know whether anyone of you could recommend me a software
> that is available for Windows and that allows video-conferencing (both
> video- and audio-streams) over a firewall (shorewall in this case) by
> requiring only specific (definable, if possible) ports, so I can allow it
> from inside my lan.
> It does not require to support more than 2 members.
>
> Thanks.
> Markus

Markus-

I might be mistaken, but I think that there is an iptables patch/module available for H323 connections. Perhaps it is in their "patch-o-matic" collection?

Z

On Tue, 2002-02-19 at 12:55, Markus Bossert wrote:

> Hello.
>
> I just received the task to enable video-conferencing. Now it seems that
> this won't be able with H323-compliant software, as far as I read.
> If I'm wrong in this point I'd be glad if you corrected me.
>
> Now I'd like to know whether anyone of you could recommend me a software
> that is available for Windows and that allows video-conferencing (both
> video- and audio-streams) over a firewall (shorewall in this case) by
> requiring only specific (definable, if possible) ports, so I can allow it
> from inside my lan.
> It does not require to support more than 2 members.
>
> Thanks.
> Markus

Tom Eastep wrote:

> With a policy of ACCEPT, I've chosen to simply break the accounting into
> RELATED, ESTABLISHED and "other". It is, after all, just an accounting
> since ACCEPT means that you are allowing all traffic.
>
> Since your report doesn't say much except "It doesn't work", I'm sort of
> grasping at straws. Can you access the internet from your Firewall (I
> realize testing that will be tough since you have no DNS on the Firewall
> but you should be able to ping by IP address hosts outside of the
> subnetwork defined by your ISP).

Sorry about that, I am trying to be as specific as I can, and make as many intelligent pre-tests as I can think up.

The Shorewall firewall box is off in a corner, with all but two of the office machines NOT running through it. The system I ping tested to is our regional DNS server in Salt Lake City. It's at 198.177.182.9

From our regular 204.228.188.xxx addresses, I can ping to it without error.

From 'loc', 192.168.100.27 (my loc test box) when I ping, nothing is reported until I ctrl-c, and then ping displays 'x' packets with 100% data loss.

From the firewall, when I ping Salt Lake, I also get nothing until I ctrl-c, and then ping reports 'x' packets transmitted, 0 received, 100% loss (same as from local)

From the dmz system at 192.168.200.20, when I ping Salt Lake I do get an error report for each individual transmission. Ping reports "Destination Port Unreachable".

As I noted earlier, I'm using your stock three interfaces templates, with only the 'params' file modified locally, and version 1.2.6 of Shorewall.

If there are any tests you can suggest, or files to copy and send you, I'd be more than happy to. Every little bit adds to my understanding how Shorewall works, and knowing how your network functions is always a good thing. <s>

Gar

--
Gar Nelson                  I fix the computers,
National Weather Service    I don't write the forecast.
101 Airport Rd.             v (406)228-2850
Glasgow, Mt. 59230          f (406)228-9627

Tom Eastep wrote:

> > > Are your local systems configured with the firewall's
> > > internal interface as their default gateway?

Well, color my face red. The local machines, and the dmz machine had proper gateways in /etc/sysconfig/network. Unfortunately, the firewall machine did not. Now that that's fixed, everything seems to be working peachy.

Gar

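The fault that closed this thread, a firewall host with no default gateway of its own, can be checked on the firewall before looking at any Shorewall chain. The script below is an added example, not code from the thread or from Shorewall: it assumes the output format of iproute2's `ip -4 route show`, uses constructed routing tables (203.0.113.0/24 stands in for the external subnet, and the firewall's DMZ address is made up), and goes beyond the thread by also checking the kernel's ip_forward setting.

```shell
#!/bin/sh
# Added example: host-level routing preconditions on a three-interface
# firewall. No Shorewall policy or rule can make up for these being wrong.

# Read `ip -4 route show` output on stdin and print "GATEWAY DEV" for the
# first default route ("-" for a field that is absent).
# Exit status is 1 when the table has no default route.
default_gateway() {
    awk '
        $1 == "default" {
            gw = "-"; dev = "-"
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            print gw, dev
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# check_firewall_routing ROUTES IP_FORWARD NET_IF
# Returns 0 = ok, 1 = no default route, 2 = default route not on NET_IF,
#         3 = IP forwarding disabled.
check_firewall_routing() {
    routes=$1 forward=$2 net_if=$3
    if ! gw=$(printf '%s\n' "$routes" | default_gateway); then
        echo "FAIL: no default route; nothing off-subnet can leave this host"
        return 1
    fi
    gw_addr=${gw% *}
    gw_dev=${gw#* }
    if [ "$gw_dev" != "$net_if" ]; then
        echo "FAIL: default route uses $gw_dev, expected $net_if"
        return 2
    fi
    if [ "$forward" != "1" ]; then
        echo "FAIL: ip_forward=$forward; the host will not route between interfaces"
        return 3
    fi
    echo "OK: default via $gw_addr dev $gw_dev, forwarding enabled"
}

# Constructed sample tables: the firewall as first reported (connected
# routes only) and after the gateway was added.
BROKEN_ROUTES='203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
192.168.200.0/24 dev eth2 proto kernel scope link src 192.168.200.1'
FIXED_ROUTES="default via 203.0.113.1 dev eth0
$BROKEN_ROUTES"

check_firewall_routing "$BROKEN_ROUTES" 1 eth0 || true
check_firewall_routing "$FIXED_ROUTES" 1 eth0 || true

# On a live firewall, feed it the real values instead:
#   check_firewall_routing "$(ip -4 route show)" \
#       "$(cat /proc/sys/net/ipv4/ip_forward)" eth0
```
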
Hmm. I noticed this about a month before yet, but didn't dare to mess around with iptables, since I was glad shorewall was running smoothly ^_^ and have never messed around with cvs before.

Finally I got the sources, applied the necessary patches and tried to recompile the kernel with the new h323-options, but about half the way it stopped with this error-message:

ip_nat_h323.c:394: `IP_NAT_ALWAYS' undeclared here (not in a function)
ip_nat_h323.c:394: initializer element is not constant
ip_nat_h323.c:394: (near initialization for `h225.flags')
make[3]: *** [ip_nat_h323.o] Error 1
make[3]: Leaving directory `/usr/src/linux-2.4.17/net/ipv4/netfilter'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.17/net/ipv4/netfilter'
make[1]: *** [_subdir_ipv4/netfilter] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.17/net'
make: *** [_dir_net] Error 2

I posted this problem to the netfilter-ml, too, but if someone in here knows something to solve this error - just let me hear a yell ;)

Regards,
Markus

At 09:57 19.02.2002 -0800, Tom Eastep wrote:

>Markus,
>
>There is an H323 connection-tracking/NAT module in the current iptables
>"Patch-o-matic".
>
>-Tom
>
> > -----Original Message-----
> > From: shorewall-users-admin@shorewall.net
> > [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Markus Bossert
> > Sent: Tuesday, February 19, 2002 9:56 AM
> > To: shorewall-users@shorewall.net
> > Subject: [Shorewall-users] Video-Conferencing with Shorewall
> >
> > Hello.
> >
> > I just received the task to enable video-conferencing. Now it seems that
> > this won't be able with H323-compliant software, as far as I read.
> > If I'm wrong in this point I'd be glad if you corrected me.
> >
> > Now I'd like to know whether anyone of you could recommend me a software
> > that is available for Windows and that allows video-conferencing (both
> > video- and audio-streams) over a firewall (shorewall in this case) by
> > requiring only specific (definable, if possible) ports, so I can allow it
> > from inside my lan.
> > It does not require to support more than 2 members.
> >
> > Thanks.
> > Markus