msn behind NAT?

msn behind NAT?

Post by Lijun Zho » Sat, 01 Feb 2003 19:31:18



hi there,

I am an ADSL user and use OBSD + pf as my home network firewall. It works
fine so far. Now my gf wants to use MSN with voice and video conversation on
her w2k box. It is said that the NAT setting made it impossible. I searched
Google; there is an article that says all the ports between 5004 and 65535
must be open, sux!  More than 90% of ports should be open only for the stupid
msn.

is that true? or are there alternative solutions?

thanks in advance.

Lijun

 
 
 

msn behind NAT?

Post by Lijun Zho » Sat, 01 Feb 2003 19:35:30


LZ> i am a ADSL user and use OBSD + pf as my home network firewall. it works
LZ> fine so far. now my gf want to use MSN with voice and video conversation on

I forgot to mention, it's an OBSD 3.1 box.

 
 
 

msn behind NAT?

Post by Keith Matthew » Sat, 01 Feb 2003 21:25:08



> hi there,

> I am an ADSL user and use OBSD + pf as my home network firewall. It works
> fine so far. Now my gf wants to use MSN with voice and video conversation
> on her w2k box. It is said that the NAT setting made it impossible. I searched
> Google; there is an article that says all the ports between 5004 and
> 65535
> must be open, sux!  More than 90% of ports should be open only for the stupid
> msn.

MSN uses the H.323 protocol which was designed by a bunch of ITU engineers
that thought security didn't matter. Netmeeting and Gnomemeeting are in the
same boat.

The protocol requires establishment of udp streams on dynamically assigned
ports between each host involved in the conversation (it also requires the
'real' host address to be coded into the packets at application level).

This makes use of any firewall a problem and NAT a further problem. Some
firewalls have got around the problems by including special modules to
handle H.323 traffic. I know such has been attempted for ipfilter, but am
not aware of it being completed. Pf is in the same boat AFAIK. I believe
iptables has a suitable module but that requires a change that I would not
make myself.

You are probably better off trying to get your gf to change away from
Windoze (but not much I would say).

Why the industry insists on developing and adopting these stupidly insecure
protocols is a matter I cannot understand - SOAP is almost as bad.

 
 
 

msn behind NAT?

Post by John Sloa » Sat, 01 Feb 2003 22:10:15



> hi there,

> I am an ADSL user and use OBSD + pf as my home network firewall. It works
> fine so far. Now my gf wants to use MSN with voice and video conversation on
> her w2k box. It is said that the NAT setting made it impossible. I searched
> Google; there is an article that says all the ports between 5004 and 65535
> must be open, sux!  More than 90% of ports should be open only for the stupid
> msn.

> is that true? or are there alternative solutions?

> thanks in advance.

> Lijun

MSN Messenger 4.x and 5.0 support SOCKS, and there is a SOCKS server
in the ports tree called "Dante". I installed this on OpenBSD 3.1 for
a client and it worked OK with MSN Messenger.

JS
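
A constructed pf ruleset, added here and not from any post in this thread, that contrasts the "open 5004-65535" advice the original poster found with the SOCKS route John describes. It uses current pf syntax rather than the OpenBSD 3.1 syntax of 2003; the interface names, addresses, the choice of port 1080 for Dante's sockd, and the sign-in ports 80/443 are assumptions.

```pf
# Constructed /etc/pf.conf excerpt (current pf syntax, not the 3.1-era "nat on" form)
ext_if = "pppoe0"          # ADSL side; interface name assumed
int_if = "em0"             # LAN side; interface name assumed
lan    = "192.168.1.0/24"  # constructed private range
w2k    = "192.168.1.10"    # the Windows 2000 box running MSN Messenger

set skip on lo
block log all              # default deny, both directions

# Source NAT for everything that leaves the LAN.
match out on $ext_if from $lan nat-to ($ext_if)

# --- Weak option, as in the article the original poster found: forward the
# --- whole "dynamic" UDP range straight to the Windows box. Nearly every UDP
# --- port on that host becomes reachable from the Internet. Kept commented
# --- out purely for contrast.
# pass in on $ext_if proto udp from any to ($ext_if) port 5004:65535 rdr-to $w2k

# --- Narrow option: run Dante's sockd on the firewall. The LAN may reach only
# --- DNS and the SOCKS port on the inside interface; the firewall itself is
# --- the only thing allowed out to the messaging port (TCP 1863, the port
# --- cited in the related post at the bottom of this page). Nothing is
# --- opened inbound on $ext_if.
pass in  on $int_if proto { tcp udp } from $lan to any port 53     # LAN DNS
pass in  on $int_if proto tcp from $lan to ($int_if) port 1080     # LAN -> sockd
pass out on $ext_if proto { tcp udp } to any port 53               # DNS out
pass out on $ext_if proto tcp to any port { 80 443 }               # sign-in (assumed)
pass out on $ext_if proto tcp to any port 1863                     # messaging

# Voice/video still needs the dynamic UDP ports and real public addresses, so
# this ruleset deliberately does not try to carry them; the thread confirms
# the SOCKS route gets messaging working but not the voice phone.
```

Dante's own sockd.conf can restrict the destination ports the proxy will connect to, which keeps the proxy from becoming a general-purpose hole even if the pass-out rules on $ext_if are later widened.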

 
 
 

msn behind NAT?

Post by Lijun Zho » Sun, 02 Feb 2003 01:37:48


KM> MSN uses the H.323 protocol which was designed by a bunch of ITU engineers
KM> that thought security didn't matter. Netmeeting and Gnomemeeting are in the
KM> same boat.
[...snip...]

thanks Keith! I do learn lots of technical detail from you...

KM> You are probably better off trying to get your gf to change away from
KM> Windoze (but not much I would say).

maybe. but it's as difficult as separating IE from windoze... ;)  ... (she
is even a windoze noob, I'd say)

regards

Lijun

 
 
 

msn behind NAT?

Post by Lijun Zho » Sun, 02 Feb 2003 01:43:55


JS>
JS> MSN Messenger 4.x and 5.0 support SOCKS, and there is a SOCKS server
JS> in the ports tree called "Dante". I installed this on OpenBSD 3.1 for
JS> a client and it worked OK with MSN Messenger.

Oh man, it's a great tool! I just installed it and it works! except that the
stupid .NET voice phone still requires valid public IPs.

thanx John!

Lijun

 
 
 

msn behind NAT?

Post by Keith Matthew » Sun, 02 Feb 2003 05:09:47



> maybe. but it's as difficult as separating IE from windoze... ;)  ...
> (she is even a windoze noob, I'd say)

They are often the easiest to convert - few preconceived notions. Try
getting a dual-boot situation.

There is a much better (from the security angle at least) Voice over IP
setup called asterisk. It uses just one standard port (5000 if I recall
correctly) so is easy to firewall. Unfortunately it is only available for
Linux AFAIK.

 
 
 

msn behind NAT?

Post by Lijun Zho » Sun, 02 Feb 2003 17:49:20



>> maybe. but it's as difficult as separating IE from windoze... ;)  ...
>> (she is even a windoze noob, I'd say)

KM>
KM> They are often the easiest to convert - few preconceived notions. Try
KM> getting a dual-boot situation.
KM>
KM> There is a much better (from the security angle at least) Voice over IP
KM> setup called asterisk. It uses just one standard port (5000 if I recall
KM> correctly) so is easy to firewall. Unfortunately it is only available for
KM> Linux AFAIK.

thanks Keith, you are so kind. have a nice day!

Lijun

 
 
 

msn behind NAT?

Post by Jose Nazari » Mon, 03 Feb 2003 00:39:46


you can also start looking at adding upnp support to your firewall:

        http://linux-igd.sourceforge.net/
        http://upnp.sourceforge.net/

both of these can be modified to support openbsd. I'm slowly working on
them, but haven't worked too much on them lately. upnp needs to be
modified to deal without wchar support, and linux-igd needs to add pfctl
support (I have patches I need to coordinate with the author).

both of these are supported in freebsd ports, if you're up for switching.
I don't know if they are in netbsd packages.

in the meantime a socks proxy can work for you, as others have noted.


 
 
 

msn behind NAT?

Post by Lijun Zho » Mon, 03 Feb 2003 03:02:45


JN> you can also start looking at adding upnp support to your firewall:
JN>
JN>  http://linux-igd.sourceforge.net/
JN>  http://upnp.sourceforge.net/
JN>
JN> both of these can be modified to support openbsd. i'm slowly working on
JN> them, but haven't worked too much on them lately. upnp needs to be
[snip]

thank you too, Jose. looking forward to positive news from your project...

regards

Lijun

 
 
 

1. MSN messenger behind Firewall+NAT

I have a Linux box with a firewall and, behind it, Windows clients aiming to use
MSN Messenger. I am using NAT so the LAN has private IPs. I just want to
allow the instant messaging services; I don't care for now about the file and
video/voice transfers.

Which rules should I configure in the firewall?
I checked a Windows XP SP2 firewall configured to let MSN Messenger go
through and it was allowing the following ports:

TCP->8653 and UDP->8661

I tried with these ports and it didn't work. I checked on the Internet and I
found out that instant messaging uses 1863 and TCP; I tried with this but it
didn't work either. So does anybody know which ports to configure and how
(which direction)?

Thanks a lot !
