From owner-freebsd-questions Thu May 16 10:29:21 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108])
	by hub.freebsd.org (Postfix) with ESMTP id C978237B407
	for ; Thu, 16 May 2002 10:29:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by cactus.fi.uba.ar (8.11.6/8.11.6) with ESMTP id g4GHQ2c77827;
	Thu, 16 May 2002 14:26:03 -0300 (ART)
	(envelope-from fgleiser@cactus.fi.uba.ar)
Date: Thu, 16 May 2002 14:26:02 -0300 (ART)
From: Fernando Gleiser
X-X-Sender:
To: Oli
Cc: FreeBSD Questions
Subject: Re: ipf/ipnat question
In-Reply-To: <20020516092825.69DF537B400@hub.freebsd.org>
Message-ID: <20020516141759.K77474-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, 16 May 2002, Oli wrote:

>
> Hello,
>
> I have ipf active as firewall on my internet gateway, with ipnat for the
> address translation. The gateway has basically 2 NICs, one to the cable-modem
> (dc0) and the other to my home LAN (dc1 -> 192.168.2.0/24), providing internet
> access to comps on the LAN.
>
> I can't figure how to get MSN special features like VoiceChat, WhiteBoard and
> such to work. I know the different ports MSN uses but is there a way to make
> it work through the gateway? My ipfilter rules are basically the default,
> blocking unused ports below 1024 and invalid stuff and allowing anything dc0
> proto tcp/udp with port > 1023.

IIRC, those features use H.323 which uses embedded IPs in the payload of the
packet. I don't know why some people still design protocols assuming everyone
has a valid, public IP. FTP was made when that (maybe) was true, but h323 came
when private nets behind NAT boxes were the rule. Some people never learn.
There is an experimental builtin h323 proxy in ipnat, but I haven't tested it
myself. Search the ipf mailing list at http://false.net/ipfilter for h323, you
may get some useful info there.

Hope this helps

		Fer

> Then I tried all kinds of forwarding rules with ipnat such as:
>
> rdr dc0 0/32 port 6891 -> 192.168.2.21 port 6891 tcp/udp
> rdr dc0 0/32 port 3389 -> 192.168.2.21 port 3389 tcp/udp
> rdr dc0 0/32 port 1503 -> 192.168.2.21 port 1503 tcp/udp
>
> to no avail...
>
> Of course the default NAT rules are active too:
>
> map dc0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp
> map dc0 192.168.2.0/24 -> 0/32 portmap tcp/udp 10000:60000
> map dc0 192.168.2.0/24 -> 0/32
>
> I only want this to work with one computer on the LAN (2.21) but it doesn't work.
> Is it possible at all with ipfilter/ipnat? How? Or do I need some sort of proxy
> to translate the addresses inside the messages MSN sends? If that is the case
> what would do the job?
>
> Any help would be greatly appreciated, I've been looking for an answer for too
> long ;-) I wouldn't care about MSN at all, but you know the kind of things
> a girlfriend can make you do... *chuckle*
>
> If there is anything else you need to know about my config, I'll be glad to
> provide my config files etc..
>
> Thanks a lot for any help!
>
> --
> Oli
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
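The point Fer makes above, that a port redirect cannot help a protocol which carries IP addresses inside its payload and that only a payload-aware proxy (like the `proxy port ftp` rule in Oli's map lines) can, is easy to see in a small model. The following is an added example written for this archive page; it is not code from the thread and not IPFilter's implementation. It models an outbound `map ... portmap` translation and an FTP-style application-level gateway that rewrites the embedded address in a `PORT` command. FTP is used because its encoding is plain text; H.323 embeds addresses in the same way but in binary ASN.1, which is why it needs a dedicated proxy rather than an `rdr` rule. The public address 203.0.113.5, the server 198.51.100.7 and every packet are constructed sample values.

```python
"""Why a plain NAT 'map'/'rdr' breaks protocols that embed IPs in the payload,
and what an application-level gateway (ALG) does about it.

Added example, not code from the thread or from IPFilter. All addresses and
packets are constructed sample data."""
from dataclasses import dataclass, field
import re
from typing import Dict, Optional, Tuple

LAN_NET = "192.168.2."          # dc1 side, 192.168.2.0/24 as in the thread
PUBLIC_IP = "203.0.113.5"       # constructed: the dc0 (cable modem) address
PORTMAP_RANGE = (10000, 60000)  # the 'portmap tcp/udp 10000:60000' rule

# FTP active-mode command: "PORT h1,h2,h3,h4,p1,p2" with port = p1*256 + p2
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Gateway:
    """Outbound portmap NAT, optionally with an FTP-style payload proxy."""
    ftp_proxy: bool = False
    next_port: int = PORTMAP_RANGE[0]
    # public port -> (private ip, private port), used for inbound translation
    table: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def _alloc(self, priv_ip: str, priv_port: int) -> int:
        if self.next_port > PORTMAP_RANGE[1]:
            raise RuntimeError("portmap range exhausted")
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (priv_ip, priv_port)
        return pub_port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN->Internet packet: only the IP/TCP header changes."""
        if not pkt.src_ip.startswith(LAN_NET):
            return pkt                        # not a LAN source, leave it alone
        pub_port = self._alloc(pkt.src_ip, pkt.src_port)
        payload = pkt.payload
        if self.ftp_proxy and pkt.dst_port == 21:
            payload = self._rewrite_port_cmd(pkt.src_ip, payload)
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate Internet->LAN; None means no NAT state exists,
        so the packet never reaches the private host (ipf would drop it)."""
        entry = self.table.get(pkt.dst_port) if pkt.dst_ip == PUBLIC_IP else None
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)

    def _rewrite_port_cmd(self, priv_ip: str, payload: bytes) -> bytes:
        """The ALG step: parse the address embedded in the payload, replace it
        with the public address plus a freshly mapped port, and install the
        reverse mapping so the server's connect-back can be translated."""
        m = PORT_RE.search(payload)
        if not m:
            return payload
        h = m.groups()
        embedded_ip = ".".join(x.decode() for x in h[:4])
        embedded_port = int(h[4]) * 256 + int(h[5])
        if embedded_ip != priv_ip:
            return payload                    # not the host being translated
        pub_port = self._alloc(priv_ip, embedded_port)
        new_cmd = "PORT %s,%d,%d\r\n" % (
            PUBLIC_IP.replace(".", ","), pub_port // 256, pub_port % 256)
        return payload[:m.start()] + new_cmd.encode() + payload[m.end():]


def data_connection_reaches_lan(use_proxy: bool) -> Tuple[str, bool]:
    """192.168.2.21 tells an FTP server where to connect back. Returns the
    address the server was told and whether its connect-back reached the LAN."""
    gw = Gateway(ftp_proxy=use_proxy)
    client = Packet("192.168.2.21", 3456, "198.51.100.7", 21,
                    b"PORT 192,168,2,21,13,136\r\n")   # 13*256+136 = port 3464
    on_wire = gw.outbound(client)
    m = PORT_RE.search(on_wire.payload)
    seen_ip = ".".join(x.decode() for x in m.groups()[:4])
    seen_port = int(m.group(5)) * 256 + int(m.group(6))
    # The server opens its data connection to whatever address it was told.
    back = gw.inbound(Packet("198.51.100.7", 20, seen_ip, seen_port))
    return seen_ip, back is not None and back.dst_ip == "192.168.2.21"


if __name__ == "__main__":
    print("portmap only:  ", data_connection_reaches_lan(False))
    print("with ftp proxy:", data_connection_reaches_lan(True))
```

Without the proxy the server is told to connect to 192.168.2.21, an address that is not routable from its side, so the connection never arrives and no `rdr` rule could have known which port to redirect in advance. With the proxy the payload is rewritten to the public address and a port from the portmap range, and the matching table entry is created at the same time, which is exactly the job Oli's `proxy port ftp` line delegates to ipnat for FTP and that the experimental h323 proxy would have to do for MSN's H.323 traffic.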