[Shorewall-newbies] H323 and videoconferencing

Tom Eastep teastep at shorewall.net
Tue Dec 9 15:08:44 PST 2003


Gregory,

On Tuesday 09 December 2003 01:35 pm, gregory wrote:
> 
>
> Ok, suppose I somehow do it and manage to install the h323 patch :)
> What does it give me? I mean does it mean I have automatically h323
> support and have to do nothing to be able to enjoy videoconferencing? No
> rules to set up in my firewall etc?

Once you get the module installed, you must still port forward the following 
TCP ports to the computer that is running your H323 client (NetMeeting or 
whatever):

389, 522, 1503, 1720, 1731, 8080 and 1469

WARNING: I got that information from the netfilter list and have not verified 
it myself. Remember that there is no Shorewall support for Netfilter 
Patch-O-Matic features.

> Forgive my questions .. after all this is the newbie mailing list :)
>
> Also on a side note, can you tell me what rules I have to add to allow
> h323 connection in Shorewall? I know it's a security risk, but I would
> like to try it. The firewall isn't running on a mission critical system.
> I know the ports h323 uses, 1720 1731 and dynamic 1024 to 65535. But I
> can't figure out the exact rules to apply in Shorewall.
> ACCEPT  net     loc     tcp     1720
> ACCEPT  loc     net     tcp     1731
> ACCEPT  loc     net     tcp     1024:65535
> ACCEPT  loc     net      udp     1024:65535
>
> Doesn't work. Anyone?
>

If a simple set of rules would work, why in %$#@ would someone go to all of 
the work to build connection-tracking/NAT modules for the kernel?

If you want H323 then:

a) Don't run a packet filtering firewall; or
b) Run one that supports H323.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
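
The port forward described in the reply above, written as a Shorewall rules-file entry (an added example, not part of the original message). The address 192.168.1.5 is a placeholder for the LAN host running the H.323 client, and the entry assumes the H.323 connection-tracking/NAT module is already installed and loaded.

```conf
# /etc/shorewall/rules
# ACTION  SOURCE  DEST             PROTO  DEST PORT(S)
#
# Forward the fixed TCP ports listed in the message above to the one
# internal host running the H.323 client.
# 192.168.1.5 is a placeholder address; the port list is the one quoted
# above, which its author states he has not verified.
DNAT      net     loc:192.168.1.5  tcp    389,522,1503,1720,1731,8080,1469
```

This exposes only the listed ports on a single host and does not open the 1024:65535 range; the dynamically negotiated channels are left to the connection-tracking module.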



