On Mon, 11 Feb 2002, Brad Hards wrote:

> I remain unconvinced. That site is "last updated 2000", and also contains
> this:
> "It is worth noting that 2.4.x kernels might just WORK where as 2.0.x and
> 2.2.x kernels required special modules. Please report back to us of your
> findings on 2.4.x kernel. Please see the Description/Notes section for
> availability of 2.4.x modules."

I remain unconvinced. :-) I don't see how any of the protocols which have
multiple associated protocols or connections can "just work". Yes,
netfilter does have support for "related connections", but there is still
the need for per protocol "protocol helpers" which understand the protocol
to determine which connections are related.

> A bit of google showed some other sites (nothing very authoritative, so you
> get to do this yourself) that reported variable successes. So this is going
> to need some serious application support testing.

Indeed.

> Also (to badly quote Rusty from a talk he gave last Wednesday), "don't do it
> in the kernel if you don't have to". Netmeeting looks like one of the key
> applications that might or might not need extra NAT support. Even if it
> doesn't work in a vanilla 2.4 kernel, kernel modules might not be the right
> idea (since IIRC, you wouldn't be able to netmeeting direct from one client
> behind a SME G+S to a client behind another G+S). Maybe part of the upgrade
> to 2.4 should include "is there another way to do it" - in this particular
> case a H.323 gatekeeper (eg. http://openh323proxy.sourceforge.net/) might
> make a more productive system, without concern for kernel version.

Note first that a H323 gatekeeper is different from a proxy. Then note
that the H323 proxy is not a transparent proxy, as the 2.2.x masquerade
module is. It can do the same job, with some applications, but requires
specific application support. OTOH, it may be possible to build a
transparent proxy in user space, using the QUEUE target and libipq.

--
Charlie Brady                         [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
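To make the point about "protocol helpers" concrete, here is an added example (editor-supplied, not code from this thread, from e-smith, or from netfilter) of the per-protocol logic that a connection tracker needs before it can call an FTP data connection RELATED to its control connection, and of the payload rewrite a NAT box must do on top of that. The same parsing would be required whether it lives in a kernel module or in a user-space transparent proxy fed by the QUEUE target. The class and function names (FtpHelper, Expectation, rewrite_port_command) and all addresses are invented for the illustration.

```python
"""Toy FTP 'protocol helper' for a connection tracker (constructed example)."""
import re
from dataclasses import dataclass, field

# Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server
# connects to h1.h2.h3.h4:(p1*256+p2).  Passive mode: the server replies
# "227 ... (h1,h2,h3,h4,p1,p2)" and the client connects there instead.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$")
PASV_RE = re.compile(r"^227 .*?\(" + _SIX + r"\)")


def _decode(groups):
    """Turn the six decimal byte fields into (dotted address, port)."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("FTP address field out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Expectation:
    """A data connection the helper expects: source addr, dest addr, dest port."""
    saddr: str
    daddr: str
    dport: int


@dataclass
class FtpHelper:
    """State attached to one FTP control connection (client -> server:21)."""
    client: str
    server: str
    expectations: set = field(default_factory=set)

    def on_control_line(self, direction, line):
        """Inspect one control-channel line; direction is 'c2s' or 's2c'.

        Returns the Expectation registered, or None for any other line.
        """
        text = line.rstrip("\r\n")
        if direction == "c2s":
            m = PORT_RE.match(text)
            if m:  # server will connect to the address the client announced
                addr, port = _decode(m.groups())
                exp = Expectation(saddr=self.server, daddr=addr, dport=port)
                self.expectations.add(exp)
                return exp
        elif direction == "s2c":
            m = PASV_RE.match(text)
            if m:  # client will connect to the address the server announced
                addr, port = _decode(m.groups())
                exp = Expectation(saddr=self.client, daddr=addr, dport=port)
                self.expectations.add(exp)
                return exp
        return None

    def classify(self, saddr, daddr, dport):
        """Classify the first packet of a new TCP connection.

        Without a helper every data connection is simply NEW, so a
        'RELATED,ESTABLISHED' accept rule never matches it.  A matching
        expectation is consumed once, since one transfer uses it.
        """
        exp = Expectation(saddr=saddr, daddr=daddr, dport=dport)
        if exp in self.expectations:
            self.expectations.discard(exp)
            return "RELATED"
        return "NEW"


def rewrite_port_command(line, public_addr, public_port):
    """The payload rewrite a NAT helper needs on top of tracking.

    A masqueraded client announces its *private* address inside the PORT
    command, so translating only the IP header leaves the server trying to
    reach an unroutable address.  A real helper must also compensate for
    any payload-length change in the TCP sequence numbers; omitted here.
    """
    if not PORT_RE.match(line.rstrip("\r\n")):
        raise ValueError("not a PORT command")
    fields = public_addr.split(".") + [str(public_port // 256), str(public_port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"


if __name__ == "__main__":
    # Constructed addresses: private client behind NAT, public FTP server.
    h = FtpHelper(client="10.0.0.5", server="198.51.100.7")
    print(h.on_control_line("c2s", "PORT 10,0,0,5,4,1\r\n"))
    print(h.classify("198.51.100.7", "10.0.0.5", 1025))  # RELATED
    print(h.classify("198.51.100.7", "10.0.0.5", 1025))  # NEW (expectation consumed)
    print(rewrite_port_command("PORT 10,0,0,5,4,1\r\n", "203.0.113.9", 40000))
```

The helper only ever learns anything from the control channel, which is why a generic "related connections" facility cannot work without one: nothing in the TCP/IP headers of the data connection ties it to the control connection, the tie is in the application payload.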



--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org