> hi there,
> I am an ADSL user and use OBSD + pf as my home network firewall. It works
> fine so far. Now my gf wants to use MSN with voice and video conversation
> on her w2k box. It is said that NAT setting made it impossible. I searched
> in Google, there is an article says that all the ports between 5004 and
> must be open, sux! more than 90% ports should be open only for the stupid
MSN uses the H.323 protocol which was designed by a bunch of ITU engineers
that thought security didn't matter. Netmeeting and Gnomemeeting are in the
The protocol requires establishment of udp streams on dynamically assigned
ports between each host involved in the conversation (it also requires the
'real' host address to be coded into the packets at application level).
This makes use of any firewall a problem and NAT a further problem. Some
firewalls have got around the problems by including special modules to
handle H.323 traffic. I know such has been attempted for ipfilter, but am
not aware of it being completed. Pf is in the same boat AFAIK. I believe
iptables has a suitable module but that requires a change that I would not
You are probably better off trying to get your gf to change away from
Windoze (but not much I would say).
Why the industry insists on developing and adopting these stupidly insecure
protocols is a matter I cannot understand - SOAP is almost as bad.
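Added example, not from the thread above: a toy model of the problem the reply describes (the callee's "real" address and a dynamically chosen UDP port carried inside the signalling payload) and of what an H.323 helper module on the firewall has to do about it. The "media=<ip>:<port>" line is a constructed, simplified stand-in for the real H.225/H.245 ASN.1 encodings, and the addresses and port range are constructed too.

```python
"""Why NAT breaks H.323, and what a firewall helper (ALG) must do about it.

Constructed example. The payload format below is a simplified stand-in for
the real H.225/H.245 encodings: a line "media=<ip>:<udp_port>" inside the
TCP signalling stream tells the far end where to send the media UDP stream.
"""
from dataclasses import dataclass, field
import re

_MEDIA_RE = re.compile(rb"media=(\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass
class Nat:
    inside_net: str            # constructed private prefix, e.g. "192.168.1."
    outside_ip: str            # public address of the firewall (constructed)
    next_port: int = 40000     # constructed: first outside port to hand out
    mappings: dict = field(default_factory=dict)  # (inside_ip, port) -> outside port

    def allocate(self, inside_ip: str, inside_port: int) -> int:
        """Create (or reuse) a NAT mapping for a dynamically assigned UDP port."""
        key = (inside_ip, inside_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return self.mappings[key]


def find_embedded_address(payload: bytes):
    """Return (ip, port) advertised inside the signalling payload, or None."""
    m = _MEDIA_RE.search(payload)
    if not m:
        return None
    return m.group(1).decode(), int(m.group(2))


def leaks_private_address(nat: Nat, payload: bytes) -> bool:
    """True when the payload tells the far end to send UDP to an inside host.

    Plain NAT rewrites only the IP header, so this address reaches the far
    end unchanged and the return media stream never arrives."""
    emb = find_embedded_address(payload)
    return emb is not None and emb[0].startswith(nat.inside_net)


def alg_rewrite(nat: Nat, payload: bytes) -> bytes:
    """What an H.323 helper module would do: rewrite the embedded address to
    the firewall's public address and pre-open a mapping for the UDP port."""
    emb = find_embedded_address(payload)
    if emb is None or not emb[0].startswith(nat.inside_net):
        return payload
    inside_ip, inside_port = emb
    outside_port = nat.allocate(inside_ip, inside_port)
    new_addr = f"media={nat.outside_ip}:{outside_port}".encode()
    return _MEDIA_RE.sub(new_addr, payload, count=1)
```

Without the rewrite step the far end is told to send media to 192.168.1.x, which is why opening a large port range on the firewall by itself does not make the call work.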