I am running Mandrake Linux 9.2 with Shorewall 1.4, and GAIM direct connect does not work, and it did before on my hardware router. Upon connection attempts, the program reports that the connection was attempted at 0.0.0.0:5190 for any user, and then promptly fails. The syslog does report that the packets were blocked.

These are my stanzas in the rules file for shorewall configuration:

DNAT    net    loc:192.168.2.2    tcp    5190    -
DNAT    net    loc:192.168.2.2    udp    5190    -
ACCEPT  net    fw                 udp    5190    -
ACCEPT  net    fw                 tcp    5190    -
# DROP  net    fw                 tcp    0       -
On Sun, 22 Aug 2004 arasoi@charter.net wrote:

> I am running Mandrake Linux 9.2 with Shorewall 1.4, and GAIM direct
> connect does not work, and it did before on my hardware router. Upon
> connection attempts, the program reports that the connection was
> attempted at 0.0.0.0:5190 for any user, and then promptly fails. The
> syslog does report that the packets were blocked.

And what did your analysis of these messages reveal? Did you try to use FAQ 17?

> These are my stanzas in the rules file for shorewall configuration:
>
> DNAT    net    loc:192.168.2.2    tcp    5190    -
> DNAT    net    loc:192.168.2.2    udp    5190    -
> ACCEPT  net    fw                 udp    5190    -
> ACCEPT  net    fw                 tcp    5190    -
> # DROP  net    fw                 tcp    0       -

FWIW, I run Gaim on several systems behind Shorewall with accounts on ICQ, AIM and MSN and I have *no rules* whatsoever to support Gaim other than the default loc->net ACCEPT policy.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:

> FWIW, I run Gaim on several systems behind Shorewall with accounts on ICQ,
> AIM and MSN and I have *no rules* whatsoever to support Gaim other than
> the default loc->net ACCEPT policy.

I stand corrected -- I have the equivalent of this rule for ICQ:

DNAT    net    loc:<local ip>    tcp    4000:4100    -

-Tom
Tom Eastep wrote:

> Tom Eastep wrote:
>
>> FWIW, I run Gaim on several systems behind Shorewall with accounts on
>> ICQ, AIM and MSN and I have *no rules* whatsoever to support Gaim other
>> than the default loc->net ACCEPT policy.
>
> I stand corrected -- I have the equivalent of this rule for ICQ:
>
> DNAT    net    loc:<local ip>    tcp    4000:4100

That rule was to support file transfers under LICQ however -- normal IMs work fine with no rules.

-Tom
Tom, thank you for your prompt response. I will answer your questions.

> And what did your analysis of these messages reveal? Did you try to use
> FAQ 17?

The analysis revealed that the firewall was dropping the GAIM packets, as identified by the IP addresses of my associates on AIM. Using the method of FAQ 17, the chain of net2all is the chain being used to drop the packets on eth0 with a destination port of 5190.

> FWIW, I run Gaim on several systems behind Shorewall with accounts on ICQ,
> AIM and MSN and I have *no rules* whatsoever to support Gaim other than
> the default loc->net ACCEPT policy.

The access of the AIM service is functioning properly, but the direct connect portion of the service does not function correctly; the file transfer feature does not function correctly either. I have not tried MSN or ICQ, so I am unsure of their compatibility with my configuration.
On Mon, 23 Aug 2004 arasoi@charter.net wrote:

> Tom, thank you for your prompt response. I will answer your questions.
>
>> And what did your analysis of these messages reveal? Did you try to use
>> FAQ 17?
>
> The analysis revealed that the firewall was dropping the GAIM packets,
> as identified by the IP addresses of my associates on AIM. Using the
> method of FAQ 17, the chain of net2all is the chain being used to drop
> the packets on eth0 with a destination port of 5190.
>
>> FWIW, I run Gaim on several systems behind Shorewall with accounts on ICQ,
>> AIM and MSN and I have *no rules* whatsoever to support Gaim other than
>> the default loc->net ACCEPT policy.
>
> The access of the AIM service is functioning properly, but the direct
> connect portion of the service does not function correctly, the file
> transfer feature does not function correctly either. I have not tried
> MSN or ICQ, so I am unsure of their compatibility with my configuration.

A Google search returned a lot of information on the Internet about AIM direct connections and NATing firewalls. Here's an example: http://reaim.sourceforge.net/dcc.html

-Tom
Tom Eastep wrote:

> On Mon, 23 Aug 2004 arasoi@charter.net wrote:
>
>> Tom, thank you for your prompt response. I will answer your questions.
>>
>>> And what did your analysis of these messages reveal? Did you try to use
>>> FAQ 17?
>>
>> The analysis revealed that the firewall was dropping the GAIM packets,
>> as identified by the IP addresses of my associates on AIM. Using the
>> method of FAQ 17, the chain of net2all is the chain being used to drop
>> the packets on eth0 with a destination port of 5190.

So presumably, a rule such as follows corrects that:

DNAT    net    loc:<local ip>    tcp    5190

You posted such a rule in your original message (you also posted additional rules which didn't appear to be helpful).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
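The FAQ 17 style analysis the thread walks through (find which chain logged the drop, on which interface, to which port, then compare that with the rules file) can be scripted. The following is an added example, not code from the thread or from the Shorewall project: it parses Shorewall's kernel log lines (the `Shorewall:<chain>:<disposition>:` prefix followed by the iptables LOG fields), counts dropped flows, and matches them against the rules stanzas quoted in the original post. The sample log lines are constructed to resemble the situation described (drops in net2all on eth0 to port 5190) and use documentation and private address ranges; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample syslog lines in Shorewall's log format (not real captures; addresses are
# from documentation/private ranges). The first flows mirror the thread: net2all drops on eth0
# to TCP and UDP 5190. A port-135 probe and a loc2fw drop are added as noise to filter.
SAMPLE_LOG = """\
Aug 23 10:01:12 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=1234 DF PROTO=TCP SPT=3344 DPT=5190 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 23 10:01:15 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=1235 DF PROTO=TCP SPT=3344 DPT=5190 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 23 10:02:40 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.55 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=54321 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 23 10:03:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=114 ID=9 PROTO=UDP SPT=5190 DPT=5190 LEN=40
Aug 23 10:03:05 gw kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The rules stanzas from the original post (Shorewall 1.4 columns: ACTION SOURCE DEST PROTO DEST_PORT ...).
RULES = """\
DNAT    net    loc:192.168.2.2    tcp    5190    -
DNAT    net    loc:192.168.2.2    udp    5190    -
ACCEPT  net    fw                 udp    5190    -
ACCEPT  net    fw                 tcp    5190    -
# DROP  net    fw                 tcp    0       -
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")


def parse_log_line(line):
    """Return a dict for one Shorewall log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # The remainder is iptables LOG output: KEY=VALUE tokens plus bare flags such as DF and SYN.
    kv = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    dpt = kv.get("DPT")
    return {"chain": m.group("chain"), "disposition": m.group("disp"),
            "iface_in": kv.get("IN", ""), "proto": kv.get("PROTO", "").upper(),
            "src": kv.get("SRC"), "dst": kv.get("DST"),
            "dport": int(dpt) if dpt and dpt.isdigit() else None}


def summarize_drops(log_text):
    """Count DROP/REJECT entries by (chain, inbound interface, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["disposition"] in ("DROP", "REJECT"):
            counts[(rec["chain"], rec["iface_in"], rec["proto"], rec["dport"])] += 1
    return counts


def parse_rules(text):
    """Parse the first five columns of rules-file lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 5:
            continue
        action, source, dest, proto, dport = parts[:5]
        rules.append({"action": action.upper(), "source": source, "dest": dest,
                      "proto": proto.lower(), "dport": dport})
    return rules


def port_matches(spec, port):
    """True if a DEST_PORT value ("-", "5190", "4000:4100" or a comma list) covers port."""
    if spec == "-":
        return True
    if port is None:
        return False
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if (hi and int(lo) <= port <= int(hi)) or (not hi and int(lo) == port):
            return True
    return False


def covering_rules(rules, source_zone, proto, port):
    """Rules whose SOURCE zone, PROTO and DEST_PORT match the dropped flow."""
    return [r for r in rules
            if r["source"].split(":", 1)[0] == source_zone
            and r["proto"] in ("-", "all", proto.lower())
            and port_matches(r["dport"], port)]


def fmt_rule(r):
    return " ".join([r["action"], r["source"], r["dest"], r["proto"], r["dport"]])


def triage(log_text, rules_text):
    """For each dropped flow (most frequent first) list the rules that claim to handle it.
    Shorewall names zone-pair chains <source>2<dest> (net2all, loc2fw), so the source zone is
    taken from the chain name; this assumes zone names themselves contain no '2'."""
    rules = parse_rules(rules_text)
    report = []
    for (chain, iface, proto, dport), n in sorted(summarize_drops(log_text).items(),
                                                  key=lambda kv: (-kv[1], str(kv[0]))):
        hits = covering_rules(rules, chain.split("2", 1)[0], proto, dport)
        report.append({"chain": chain, "iface": iface, "proto": proto, "dport": dport,
                       "drops": n, "covered_by": [fmt_rule(r) for r in hits],
                       # ACCEPT net->fw opens the port on the firewall host itself only; it never
                       # reaches a loc host, which is why such rules were unhelpful here.
                       "fw_only": [fmt_rule(r) for r in hits if r["dest"] == "fw"]})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, RULES):
        print(f"{row['chain']:8} in={row['iface']:5} {row['proto']:4} dport={row['dport']}: "
              f"{row['drops']} drops; covered by {row['covered_by'] or 'no rule'}")
```

Run against a real `/var/log/messages` the summary shows at a glance which chain and port the drops land in, and the per-flow `covered_by` list makes it obvious when a port is only opened towards the firewall itself (`fw`) rather than forwarded with DNAT to the host in `loc` that actually runs the client.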