Hi, I'm using shorewall-perl on an Ubuntu 8.10 server. Everything is fine, except for iChat AV video transfer, which I haven't managed to use yet. The current configuration of Shorewall is at http://raq550.dyndns.org/~christian/dump.txt.gz , just in case you'd need it.
I've set up a macro for iChatAV, adding all the ports that Apple mentioned in [1]:

christ...@cobalt:~/public_html\ cat /etc/shorewall/macro.iChatAV
#
# Shorewall version 4 - iChat AV Macro
#
# /usr/share/shorewall/macro.iChatAV
#
# This macro handles iChat AV over AIM traffic
#
###############################################################################
#ACTION SOURCE DEST    PROTO DEST                          SOURCE   RATE   USER/
#                            PORT(S)                       PORT(S)  LIMIT  GROUP
PARAM   -      -       tcp   5190,5220,5222,5223,5298
PARAM   -      -       udp   5060,5190,5297,5298,5353,5678
PARAM   -      -       udp   16384:16403
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

In my rules file, this is activated using

christ...@cobalt:~/public_html\ sudo cat /etc/shorewall/rules | grep iChat
iChatAV/ACCEPT  loc  net

This works for all ports opened from inside to outside, but the other way round is still blocked. I can use text messaging. When I try to initiate or receive a video chat, I see kernel messages like this:

Jan 10 19:01:34 cobalt kernel: [4871566.876742] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=18127 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:34 cobalt kernel: [4871567.167577] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=32202 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:35 cobalt kernel: [4871567.465417] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=56311 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:37 cobalt kernel: [4871569.905100] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=12739 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:38 cobalt kernel: [4871570.200939] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=39809 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:01:38 cobalt kernel: [4871570.498777] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=25058 PROTO=UDP SPT=51326 DPT=57669 LEN=60

After a while, iChat gives up and claims that the transmission has been cancelled by the peer. However, the UDP ports seen above are not mentioned in Apple's list of used iChat ports; apparently they change between different invocations of iChat. There's a hint in [2] on how to set up iptables directly, but I must admit that I never got the hang of fully understanding the Shorewall macro commands well enough to translate this into a macro.

Anybody willing to help?

Kind regards,
Christian

[1] http://support.apple.com/kb/HT1507
[2] http://osdir.com/ml/culture.people.kragen.hacks/2004-11/msg00000.html

--
Christian Aust
M +49-151-22328261
[email protected]
http://software-consultant.net/
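A quick way to confirm what the post describes (inbound UDP landing on a destination port outside the macro's port set) is to parse the Shorewall DROP lines and check each dropped destination port against the ports the macro admits. The script below is an added example and is not part of the original post or of Shorewall; the log lines are copied from the post and the port sets are taken from the macro.iChatAV shown above. Field names, the `net2srv` chain and the assumption that the macro's list is the complete set of admitted ports are taken from the post, nothing else is assumed.

```python
"""Parse Shorewall (netfilter LOG) DROP lines and compare each dropped
destination port with the port set of the iChatAV macro from the post.

Added example, not code from the original post or from Shorewall.
"""
import re
from collections import Counter

# Port set copied from the macro.iChatAV shown in the post.
# Assumption: this list is the complete set of ports the macro admits.
ICHAT_PORTS = {
    "tcp": {5190, 5220, 5222, 5223, 5298},
    "udp": {5060, 5190, 5297, 5298, 5353, 5678} | set(range(16384, 16404)),
}

# Shorewall logs with an iptables LOG prefix "Shorewall:<chain>:<disposition>:"
# followed by KEY=VALUE pairs produced by the kernel.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Log lines copied from the post (the MAC field was re-joined where the
# mail archive had wrapped it).
SAMPLE_LOG = [
    "Jan 10 19:01:34 cobalt kernel: [4871566.876742] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=18127 PROTO=UDP SPT=51326 DPT=57669 LEN=60",
    "Jan 10 19:01:34 cobalt kernel: [4871567.167577] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=32202 PROTO=UDP SPT=51326 DPT=57669 LEN=60",
    "Jan 10 19:01:35 cobalt kernel: [4871567.465417] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=56311 PROTO=UDP SPT=51326 DPT=57669 LEN=60",
    "Jan 10 19:01:37 cobalt kernel: [4871569.905100] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=12739 PROTO=UDP SPT=51326 DPT=57669 LEN=60",
    "Jan 10 19:01:38 cobalt kernel: [4871570.200939] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=39809 PROTO=UDP SPT=51326 DPT=57669 LEN=60",
    "Jan 10 19:01:38 cobalt kernel: [4871570.498777] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=25058 PROTO=UDP SPT=51326 DPT=57669 LEN=60",
]


def parse_line(line):
    """Return a dict with chain, disposition, addresses, proto and ports,
    or None if the line is not a Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # The IP header LEN and the UDP LEN both appear as LEN=; the dict keeps
    # the last one, which is irrelevant for the port check done here.
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def allowed_by_macro(proto, dpt):
    """True if the macro.iChatAV port list covers this proto/port."""
    return dpt in ICHAT_PORTS.get(proto, set())


def summarize(lines):
    """Group DROP lines by (chain, proto, src, dst, dpt) and flag whether the
    destination port is one the macro would have accepted."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        counts[(rec["chain"], rec["proto"], rec["src"], rec["dst"], rec["dpt"])] += 1
    return [
        {"chain": c, "proto": p, "src": s, "dst": d, "dpt": dp,
         "count": n, "in_macro": allowed_by_macro(p, dp)}
        for (c, p, s, d, dp), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("{chain} {proto} {src} -> {dst}:{dpt}  x{count}  "
              "covered by macro: {in_macro}".format(**row))
```

Run against the six lines from the post it reports a single flow, UDP 90.44.112.48 -> 62.143.92.172:57669, dropped six times and not covered by the macro, which is the observation the post makes: the peer's media port is outside every range in macro.iChatAV, so a static port list cannot describe it. The same script can be pointed at /var/log/kern.log (read lines from the file instead of SAMPLE_LOG) to see which other ports a failed call uses.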
