Christian Aust wrote:

> christ...@cobalt:~/public_html$ cat /etc/shorewall/macro.iChatAV
> #
> # Shorewall version 4 - iChat AV Macro
> #
> # /usr/share/shorewall/macro.iChatAV
> #
> # This macro handles iChat AV over AIM traffic
> #
> ###############################################################################
> #ACTION  SOURCE  DEST    PROTO   DEST                        SOURCE   RATE    USER/
> #                                PORT(S)                     PORT(S)  LIMIT   GROUP
> PARAM    -       -       tcp     5190,5220,5222,5223,5298
> PARAM    -       -       udp     5060,5190,5297,5298,5353,5678
> PARAM    -       -       udp     16384:16403
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> In my rules file, this is activated using
>
> christ...@cobalt:~/public_html$ sudo cat /etc/shorewall/rules | grep iChat
> iChatAV/ACCEPT  loc  net

Given that your loc->net policy is probably ACCEPT, I suspect that your macro does absolutely nothing. When the loc->net policy is ACCEPT, adding yet more loc->net ACCEPT rules is redundant.

> This works for all ports opened from inside to outside, but the other
> way round is still blocked. I can use text messaging. When I try to
> initiate or receive a video chat, I see kernel messages like this:
>
> Jan 10 19:01:34 cobalt kernel: [4871566.876742] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=18127 PROTO=UDP SPT=51326 DPT=57669 LEN=60
>
> There's a hint on [2] on how to set up iptables directly, but I must
> admit that I never got the hang of fully understanding the Shorewall
> macro commands to be able to translate this into a macro. Anybody
> willing to help? Kind regards,
>
> [1] http://support.apple.com/kb/HT1507
> [2] http://osdir.com/ml/culture.people.kragen.hacks/2004-11/msg00000.html

The two references seem to provide conflicting information. [1] says that iChat works transparently through NAT firewalls while [2] provides instructions for making it work through a particular NAT firewall.

Translating the rules in [2] to Shorewall:

DNAT    net    loc:<MAC IP addr>    udp    5060
DNAT    net    loc:<MAC IP addr>    udp    16384:16403

Note that neither of the rules is likely to affect the traffic in the log messages that you posted.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
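The reply's closing remark (that the two DNAT rules would not cover the logged drop, whose destination port 57669 lies outside both 5060 and 16384:16403) is the kind of check worth automating when reading Shorewall logs. The following script is an added example written for this page; it is not code from the thread or from the Shorewall project. It parses the "Shorewall:<src>2<dst>:<disposition>:" prefix and the netfilter KEY=VALUE fields of a kernel log line, then reports which rules in a small table (written in the rules-file column order ACTION SOURCE DEST PROTO DEST PORT(S)) cover each logged packet by source zone, protocol and destination port. The rule table, the 192.0.2.10 LAN address standing in for "<MAC IP addr>", and the second log line (a UDP packet to port 16390) are constructed for the example; the first log line is the one quoted in the thread, joined back onto a single line.

```python
"""Report which Shorewall rules would cover packets seen in Shorewall log lines.

Added example for this thread, not code from the mailing list or from Shorewall.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str   # ACCEPT, DNAT, ...
    source: str   # source zone, e.g. "net"
    dest: str     # destination zone with optional address, e.g. "loc:192.0.2.10"
    proto: str    # "tcp" or "udp"
    dports: str   # Shorewall DEST PORT(S) column, e.g. "5060" or "16384:16403"


# Constructed rule table: the two DNAT lines from the reply with a placeholder
# LAN address (192.0.2.10 is a documentation address, not a real host), plus one
# of the loc->net lines the iChatAV macro expands to.
SAMPLE_RULES: List[Rule] = [
    Rule("DNAT", "net", "loc:192.0.2.10", "udp", "5060"),
    Rule("DNAT", "net", "loc:192.0.2.10", "udp", "16384:16403"),
    Rule("ACCEPT", "loc", "net", "tcp", "5190,5220,5222,5223,5298"),
]

# Constructed log sample: line 1 is the drop quoted in the thread (rejoined onto
# one line); line 2 is an invented packet to a port inside 16384:16403.
SAMPLE_LOG = """\
Jan 10 19:01:34 cobalt kernel: [4871566.876742] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x08 PREC=0x20 TTL=46 ID=18127 PROTO=UDP SPT=51326 DPT=57669 LEN=60
Jan 10 19:02:01 cobalt kernel: [4871593.000000] Shorewall:net2srv:DROP:IN=eth1 OUT= MAC=00:30:48:90:67:83:00:30:b8:cd:4e:00:08:00 SRC=90.44.112.48 DST=62.143.92.172 LEN=80 TOS=0x00 PREC=0x00 TTL=46 ID=18128 PROTO=UDP SPT=51326 DPT=16390 LEN=60
"""

# Shorewall log prefix: "<srczone>2<dstzone>:<disposition>:" followed by the
# netfilter fields. Assumes zone names do not themselves contain the digit 2.
LOG_RE = re.compile(r"Shorewall:(?P<src>\w+?)2(?P<dst>\w+):(?P<disp>\w+):(?P<fields>.*)$")


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn a DEST PORT(S) column ("80", "5060,5190", "16384:16403") into
    inclusive (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def parse_log_line(line: str) -> Optional[Dict[str, Any]]:
    """Extract zones, disposition, addresses, protocol and destination port
    from one kernel log line; return None for lines that are not Shorewall's."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # KEY=VALUE pairs; OUT= has an empty value, LEN appears twice (last wins).
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return {
        "src_zone": m.group("src"),
        "dst_zone": m.group("dst"),
        "disposition": m.group("disp"),
        "proto": fields.get("PROTO", "").lower(),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def matching_rules(packet: Dict[str, Any], rules: List[Rule]) -> List[Rule]:
    """Rules whose source zone, protocol and destination port cover the packet.
    A DNAT rule acts before the zone-to-zone chain that logged the drop, so
    the logged destination zone is deliberately not compared."""
    hits = []
    for r in rules:
        if r.source != packet["src_zone"] or r.proto != packet["proto"]:
            continue
        if packet["dport"] is None:
            continue
        if any(lo <= packet["dport"] <= hi for lo, hi in parse_ports(r.dports)):
            hits.append(r)
    return hits


def audit(log_text: str, rules: List[Rule]) -> List[Tuple[str, List[str]]]:
    """For each parsable log line, pair a short packet label with the
    rules-file lines that would have covered it (empty list = none)."""
    report = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        label = (f"{pkt['src_zone']}2{pkt['dst_zone']} {pkt['disposition']} "
                 f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}/{pkt['proto']}")
        hits = [f"{r.action} {r.source} {r.dest} {r.proto} {r.dports}"
                for r in matching_rules(pkt, rules)]
        report.append((label, hits))
    return report


if __name__ == "__main__":
    for label, hits in audit(SAMPLE_LOG, SAMPLE_RULES):
        print(label, "->", hits if hits else "no rule covers this packet")
```

Run against the sample, the quoted drop (DPT=57669) reports no covering rule, while the constructed packet to port 16390 is covered by the 16384:16403 DNAT line. Feeding real kernel log output to audit() with a rule table transcribed from /etc/shorewall/rules gives the same answer the reply reached by hand.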
