From: Thomas Heinz <creatix@hipac.org>
To: vincent blondel <vincent.blondel@chello.be>
Cc: netfilter@lists.netfilter.org
Subject: Re: h.323 firewall
Date: Fri, 15 Nov 2002 11:57:25 +0100
Message-ID: <3DD4D315.9040100@hipac.org>
In-Reply-To: 000d01c28c0a$473ff290$057ba8c0@wxcsmtp450
Hi Vincent
You wrote:
> The current situation incorporates :
>
> 10.66.0.xxx
> +---------------+
> | SMC7008BR |
> +---------------+
> 10.66.1.xxx
> DEV2
> | |
> +---------+-+ +--+--------+
> | slack 8.0 | | Slack 8.0 |
> +-----------+ +-----------+
> 192.168.0.xxx +-----+ 10.66.0.xxx
> | pp0 | +---------------+
> +--+--+ | switch |
> | +---------------+
> | DMZ
> +-------+ +-------------+
> | NS2 | | NS1
> |
> 10.66.0.xxx | HTTP2| | HTT1 |
> +---------------+ +-------+ | FTP +--ISP
> | SMC7008BR| | SMTP |
> +---------------+ +-------------+
> 192.168.0.xxx 192.168.0.xxx
> DEV1
> | |
> +-----------+-+ +-+---------+
> | linux | .... | w2k |
> +-------------+ +-----------+
> GnomeMeeting NetMeeting
The formatting is somewhat broken ;-)
> - I read yesterday that it is possible to concentrate h.323 connections on a
> gatekeeper as OpenH323 Gatekeeper
> ... do you think I have to use a gatekeeper with iptables ???
Yes, I'd recommend it. You might want to take a look at
http://www.gnugk.org. I'm using it in my private lan and it works just
fine although my lan's topology is a little simpler than yours ;-)
> So maybe you can find my questions stupid or without any sense but I repeat
> it I got no experience with this.
Your questions are definitely not stupid.
> So, with information I received I imagine to implement my h.323
> infrastructure as mentioned below.
>
> - configuring iptables on NS1 (10.66.0.1) with the script mentioned above
> and replacing PCA_HOST with ip address of NS2 (10.66.0.2)
> - installing OpenH323 gatekeeper on NS2 (10.66.0.2)
> - configuring all clients with gatekeeper NS2 (10.66.0.2).
What about using gatekeepers only? You can use gk's on NS1 and NS2 which
define each other as neighbours. Although I haven't tested this, it
should work.
With gnugk you can restrict the dynamic udp and tcp ports to stay
within a certain range whereby the range also restricts the number
of parallel connections. Anyway this solution implies that you have
to open all ports within the given ranges on NS1 in order to allow
incoming calls. This is not necessary for external calls.
Using netfilter's h323 module on NS1 would be a better solution
if you don't want to open the dynamic ports but I'm not sure whether
it works in your case. Just try it.
Please post your results as I believe that there are a lot of users
out there with similar problems.
Thomas
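The trade-off Thomas describes (gatekeeper on NS2 with its dynamic ports pinned to a fixed range, NS1 opening that whole range for incoming calls only, nothing extra needed for outgoing calls) can be written down as an NS1 ruleset. The script below is an added example, not something from this thread or from gnugk; the interface name and the two port ranges are assumptions and must match whatever range is configured in the gatekeeper. It prints the rules by default and only applies them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): print or apply the iptables rules NS1
# needs when the gatekeeper runs on NS2 and the gatekeeper has been told to
# keep its dynamic H.245 (TCP) and RTP (UDP) ports inside a fixed range.
# Assumptions: the ISP-facing interface name and both port ranges.

GK_IP=${GK_IP:-10.66.0.2}                      # gatekeeper on NS2 (from the thread)
EXT_IF=${EXT_IF:-eth0}                         # assumed ISP-facing interface on NS1
H245_TCP_RANGE=${H245_TCP_RANGE:-30000:30009}  # assumed; must equal the gatekeeper's range
RTP_UDP_RANGE=${RTP_UDP_RANGE:-50000:50019}    # assumed; must equal the gatekeeper's range

# Print the rule by default; only touch the live ruleset when APPLY=1.
run_rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Size of an iptables-style port range "low:high". The gatekeeper hands out
# several ports per call from this range, so its size also bounds the number
# of calls that can run in parallel, as the mail points out.
range_size() {
    low=${1%%:*}
    high=${1##*:}
    echo $((high - low + 1))
}

gen_h323_rules() {
    # Default deny across the firewall, but keep replies to anything allowed.
    run_rule -P FORWARD DROP
    run_rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outgoing (external) calls: the gatekeeper proxies them, so it only has
    # to be allowed out. No dynamic port is opened for this direction.
    run_rule -A FORWARD -s "$GK_IP" -o "$EXT_IF" -j ACCEPT

    # Incoming calls, fixed ports: RAS (UDP 1719) and H.225 call signalling
    # (TCP 1720) are redirected to the gatekeeper and allowed through.
    for spec in "udp 1719" "tcp 1720"; do
        set -- $spec
        run_rule -t nat -A PREROUTING -i "$EXT_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$GK_IP"
        run_rule -A FORWARD -i "$EXT_IF" -d "$GK_IP" -p "$1" --dport "$2" -j ACCEPT
    done

    # Incoming calls, dynamic ports: the whole range has to be open, which is
    # the cost of the gatekeeper-only approach. A conntrack H.323 helper on
    # NS1 would instead open only the ports negotiated for each call.
    run_rule -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$H245_TCP_RANGE" -j DNAT --to-destination "$GK_IP"
    run_rule -A FORWARD -i "$EXT_IF" -d "$GK_IP" -p tcp --dport "$H245_TCP_RANGE" -j ACCEPT
    run_rule -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport "$RTP_UDP_RANGE" -j DNAT --to-destination "$GK_IP"
    run_rule -A FORWARD -i "$EXT_IF" -d "$GK_IP" -p udp --dport "$RTP_UDP_RANGE" -j ACCEPT
}

gen_h323_rules
echo "# RTP range exposes $(range_size "$RTP_UDP_RANGE") UDP ports on NS1"
```

Run it once without APPLY to review the eleven generated rules, then with APPLY=1 on NS1. The two DNAT rules for the ranges are what the text means by "open all ports within the given ranges"; shrinking the ranges in the gatekeeper and here reduces the exposed surface at the price of fewer simultaneous calls.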