David:

Heya. What Todd said is pretty much my understanding as well; NetMeeting is a disaster of a protocol in so far as how it interacts with NAT'ing firewalls. In addition to all of the problems Todd mentioned, I believe that the source-IP of a NetMeeting client is embedded within the datagram of the IP packet, requiring the use of the ip_masq_h232 module to "NAT" these embedded addresses appropriately. Tricky.

I was hoping, though, that you could run an experiment. The echoWall package (you can find it on leaf.sf.net, or even on freshmeat.net) allows you to set "all" as the destination of a port-forwarded connection. In this mode, it forwards the packets to the *broadcast* address of your LAN. I use this setting to allow multiple VPN clients behind my LEAF box to connect to different external VPN servers. Evidently, the higher-level software in the VPN client can handle the confusion.

So, I was hoping you might be able to try the echoWall package, which has a section for NetMeeting, to see what the "all" piece does for you, to see if it allows more than one of your LAN's PCs to make NetMeeting connections. I'd be very interested in hearing if it helped things out at all.

cheers,
Scott

> It's not do-able in a masquerade environment. Say you have 5 Netmeeting
> users behind the firewall and a connection request comes in to the firewall
> with your external IP address on it. The firewall has no way to know which
> of the 5 users it is supposed to go to. With the ip_masq_h232 module you
> can initiate connections because then the firewall can keep track of who you
> are talking to and route incoming packets properly.
>
> A variation that should work is if you only have one Netmeeting client.
> Then you can tell the firewall to pass any h323 traffic to a specific user
> IP address and are actually port-forwarding instead of masquerading. The
> only problem if I recall correctly is that the h323 protocol or Netmeeting
> (not sure which) requires a ton of ports to be open because it selects
> ports dynamically. This means you've left a lot of opportunities to go
> through your firewall and attack your PC directly.
>
> If you have only specific users you need to have Netmeetings with then
> setting up VPN connections solves this problem since you no longer
> masquerade the traffic and Netmeeting works fine. But VPNs are a discussion
> for a different thread :)
>
> - Todd
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of David Fallin
> > Sent: Friday, November 02, 2001 10:07 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Leaf-user] h323
> >
> >
> > Anyone had any luck getting this to work on incoming connections
> > (primarily with NetMeeting)?
> >
> > dwf

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user