Shorewall users - Nov 2005 - shorewall and Apple iChat?

Hi,

I have a network with three zones (loc, net, dmz) and some Macs in the
loc-zone that like to use iChat video conferencing via a free aim
account. They are connected to the internet via masquerading.

This works good if the other side is not behind a masquerading gateway.
If both sides are, then in the logs I can see shorewall dropping the
other sides packages. "Normal" chats without video conferencing work
also. (I believe AOL routes that over their server, while for video
conferencing a direct connection is neccessary.)

I have successfully initiated a video chat by redirecting every port
used by iChat on the firewall to ONE internal machine. However, I have
some more users that want to use iChat.

Is this possible at all? If yes - how could that be done?

Thanks in advance,
Ratti

P.S.: dmz is not involved at all.




-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache''s Geronimo App Server.
Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php

On Tuesday 01 November 2005 12:24, Jörg Roßdeutscher
wrote:
> Hi,
>
> I have a network with three zones (loc, net, dmz) and some Macs in the
> loc-zone that like to use iChat video conferencing via a free aim
> account. They are connected to the internet via masquerading.
>
> This works good if the other side is not behind a masquerading gateway.
> If both sides are, then in the logs I can see shorewall dropping the
> other sides packages. "Normal" chats without video conferencing
work
> also. (I believe AOL routes that over their server, while for video
> conferencing a direct connection is neccessary.)
>
> I have successfully initiated a video chat by redirecting every port
> used by iChat on the firewall to ONE internal machine. However, I have
> some more users that want to use iChat.
>
> Is this possible at all?
I doubt it -- these chat applications require conntrack/nat helpers to work 
with Netfilter and I''m not aware of one for iChat.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key