msn voice chat

msn voice chat

[Guanglei Cui]

Dear all, 
    I've set up IP NAT in my redhat 8.0 (kernel-2.4.18.19.8.0, 
iptables-1.2.6a-a). The following modules are loaded, 
ip_nat_irc
ip_nat_ftp
iptable_nat
ip_conntrack_irc
ip_conntrack_ftp
ip_conntrack
ip_tables

It seems almost everything works just fine in my local network, except MSN 
voice chat (instant message works fine). Do I need other modules to make it 
work, something like ip_nat_h323? Thanks in advance. 

cuigl

RE: msn voice chat

[Glover George]

No you need this, 

http://linux-igd.sourceforge.net.  Be aware however that if you're
intention is completely security, then you should be warned by the
SECURITY documentation.  

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Guanglei Cui
Sent: Thursday, December 26, 2002 11:48 AM
To: netfilter@lists.netfilter.org
Subject: msn voice chat

Dear all, 
    I've set up IP NAT in my redhat 8.0 (kernel-2.4.18.19.8.0, 
iptables-1.2.6a-a). The following modules are loaded, 
ip_nat_irc
ip_nat_ftp
iptable_nat
ip_conntrack_irc
ip_conntrack_ftp
ip_conntrack
ip_tables

It seems almost everything works just fine in my local network, except
MSN 
voice chat (instant message works fine). Do I need other modules to make
it 
work, something like ip_nat_h323? Thanks in advance. 

cuigl

Re: msn voice chat

[Roy Sigurd Karlsbakk]

As far as I'm concerned, MSN telephony, and voice chat, uses SIP, not 
h.323, and SIP also needs a helper module the same way as pptp, ftp, 
irc etc

roy

On Tuesday, December 31, 2002, at 07:34 PM, Glover George wrote:

> No you need this,
>
> http://linux-igd.sourceforge.net.  Be aware however that if you're
> intention is completely security, then you should be warned by the
> SECURITY documentation.
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Guanglei Cui
> Sent: Thursday, December 26, 2002 11:48 AM
> To: netfilter@lists.netfilter.org
> Subject: msn voice chat
>
> Dear all,
>     I've set up IP NAT in my redhat 8.0 (kernel-2.4.18.19.8.0,
> iptables-1.2.6a-a). The following modules are loaded,
> ip_nat_irc
> ip_nat_ftp
> iptable_nat
> ip_conntrack_irc
> ip_conntrack_ftp
> ip_conntrack
> ip_tables
>
> It seems almost everything works just fine in my local network, except
> MSN
> voice chat (instant message works fine). Do I need other modules to 
> make
> it
> work, something like ip_nat_h323? Thanks in advance.
>
> cuigl
>
>
>

Re: msn voice chat

[CUI, Guanglei]

Thanks for the response. I'm only a home user and don't care much about
security. My network knowledge is rather limited too. So what's the
different between SIP and UPnP? Which one should I use and where can I
get SIP modules? 

cuigl

On Tue, 31 Dec 2002, Roy Sigurd Karlsbakk wrote:

> As far as I'm concerned, MSN telephony, and voice chat, uses SIP, not 
> h.323, and SIP also needs a helper module the same way as pptp, ftp, 
> irc etc
> 
> roy
> 
> On Tuesday, December 31, 2002, at 07:34 PM, Glover George wrote:
> 
> > No you need this,
> >
> > http://linux-igd.sourceforge.net.  Be aware however that if you're
> > intention is completely security, then you should be warned by the
> > SECURITY documentation.
> >
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Guanglei Cui
> > Sent: Thursday, December 26, 2002 11:48 AM
> > To: netfilter@lists.netfilter.org
> > Subject: msn voice chat
> >
> > Dear all,
> >     I've set up IP NAT in my redhat 8.0 (kernel-2.4.18.19.8.0,
> > iptables-1.2.6a-a). The following modules are loaded,
> > ip_nat_irc
> > ip_nat_ftp
> > iptable_nat
> > ip_conntrack_irc
> > ip_conntrack_ftp
> > ip_conntrack
> > ip_tables
> >
> > It seems almost everything works just fine in my local network, except
> > MSN
> > voice chat (instant message works fine). Do I need other modules to 
> > make
> > it
> > work, something like ip_nat_h323? Thanks in advance.
> >
> > cuigl
> >
> >
> >
> 
> 

-- 
Guanglei Cui
Dept. of Chemistry
SUNY at Stony Brook
Stony Brook, NY 11790

RE: msn voice chat

[Glover George]

I'm not aware that there actually are any SIP helper modules. Universal
Plug N Play (UPnP) is not actually used for the transmission, it has
nothing to do with the actual communication.  What it does, using an
IGD, is allows MSN messenger to ask the firewall what it's external ip
address is, and encapsulate that ip into the SIP packets.  As the SIP is
too unpredictable really to translate it, not to mention that it's high
text processing overhead for iptables to do this for EVERY SINGLE packet
on a video or voice transmission, this solves the problem.

I described this a while back, and there's more information on
Micro$ofts site and www.upnp.org, but here we go.  When MSN gets this ip
address from the UPnP IGD, whenever it asks the receiver for a
connection, it puts this packet in the payload, and asks the firewall to
open up some PortMappings to itself for the receiver to get back into
the local user.  In this way the packets are never modified by the
firewall.  

Herein lies the security problem, UPnP in it's current spec (soon to be
surpassed by version 2.0), doesn't specify authentication, so any
program can ask the firewall for any port to be portmapped to any
internal client.  No one can talk to the IGD from the outside, so if you
can trust every machine and every user inside (usually the case at home)
you can be relatively ok.  But just know this about using it in small
business, or large ones.  IT's NOT secure from the inside.  From the
outside, you simply block port 1900 and the port the igd runs on and
you'll be ok. Since all the daemon does is talk UpnP with the clients
inside, and places DNAT rules in the iptables, all you need is to worry
about the FORWARD chain being open for those ports.

Any rate, that was a really quick and dirty way of explaining it.  But
to make this all work on a linux firewall, you need a UPnP Compliant IGD
on the linux machine.  This is the only one.  And I'm currently one of
the more active projects on sourceforge, so you can expect lots of
little things to be tweaked.

MSN is also not the only thing that uses it.  Any DirectPlay games that
you use in windows will also work from behind a linux firewall using
this, without a need for a specific helper module (they must be
directplay games however). 

Supposedly XP will even set up the internet connection automatically
using this, but I have yet to verify that.  Take a look if anyone's
interested.  Just be aware I ONLY advise this in a trusted network.

Cheers. 

Glover George


-----Original Message-----
From: CUI, Guanglei [mailto:cuigl@morita.chem.sunysb.edu] 
Sent: Tuesday, December 31, 2002 1:16 PM
To: Roy Sigurd Karlsbakk
Cc: Glover George; cuigl@ilion.bio.sunysb.edu;
netfilter@lists.netfilter.org
Subject: Re: msn voice chat

Thanks for the response. I'm only a home user and don't care much about
security. My network knowledge is rather limited too. So what's the
different between SIP and UPnP? Which one should I use and where can I
get SIP modules? 

cuigl

On Tue, 31 Dec 2002, Roy Sigurd Karlsbakk wrote:

> As far as I'm concerned, MSN telephony, and voice chat, uses SIP, not 
> h.323, and SIP also needs a helper module the same way as pptp, ftp, 
> irc etc
> 
> roy
> 
> On Tuesday, December 31, 2002, at 07:34 PM, Glover George wrote:
> 
> > No you need this,
> >
> > http://linux-igd.sourceforge.net.  Be aware however that if you're
> > intention is completely security, then you should be warned by the
> > SECURITY documentation.
> >
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Guanglei
Cui
> > Sent: Thursday, December 26, 2002 11:48 AM
> > To: netfilter@lists.netfilter.org
> > Subject: msn voice chat
> >
> > Dear all,
> >     I've set up IP NAT in my redhat 8.0 (kernel-2.4.18.19.8.0,
> > iptables-1.2.6a-a). The following modules are loaded,
> > ip_nat_irc
> > ip_nat_ftp
> > iptable_nat
> > ip_conntrack_irc
> > ip_conntrack_ftp
> > ip_conntrack
> > ip_tables
> >
> > It seems almost everything works just fine in my local network,
except
> > MSN
> > voice chat (instant message works fine). Do I need other modules to 
> > make
> > it
> > work, something like ip_nat_h323? Thanks in advance.
> >
> > cuigl
> >
> >
> >
> 
> 

-- 
Guanglei Cui
Dept. of Chemistry
SUNY at Stony Brook
Stony Brook, NY 11790

RE: msn voice chat

[Glover George]

Yes and no.  Yes it does use that and a helper module might work, but
it's entirely too much (it uses a lot of things, not just SIP).  What it
does use however, is Universal Plug N Play.  And EVERY single feature of
Windows and MSN Messenger uses UPnP, except the phone call thing.
Voice/Video, Remote Assistance, File Transfer (MSN 5.0 and up) and
whiteboard, all the others work with a UPnP IGD.  I'm actually the
author, and started this trying to make a helper module, but this was
actually the more correct way to deal with it. 


-----Original Message-----
From: Roy Sigurd Karlsbakk [mailto:roy@karlsbakk.net] 
Sent: Tuesday, December 31, 2002 12:57 PM
To: Glover George
Cc: cuigl@ilion.bio.sunysb.edu; netfilter@lists.netfilter.org
Subject: Re: msn voice chat

As far as I'm concerned, MSN telephony, and voice chat, uses SIP, not 
h.323, and SIP also needs a helper module the same way as pptp, ftp, 
irc etc

roy

On Tuesday, December 31, 2002, at 07:34 PM, Glover George wrote:

> No you need this,
>
> http://linux-igd.sourceforge.net.  Be aware however that if you're
> intention is completely security, then you should be warned by the
> SECURITY documentation.
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Guanglei Cui
> Sent: Thursday, December 26, 2002 11:48 AM
> To: netfilter@lists.netfilter.org
> Subject: msn voice chat
>
> Dear all,
>     I've set up IP NAT in my redhat 8.0 (kernel-2.4.18.19.8.0,
> iptables-1.2.6a-a). The following modules are loaded,
> ip_nat_irc
> ip_nat_ftp
> iptable_nat
> ip_conntrack_irc
> ip_conntrack_ftp
> ip_conntrack
> ip_tables
>
> It seems almost everything works just fine in my local network, except
> MSN
> voice chat (instant message works fine). Do I need other modules to 
> make
> it
> work, something like ip_nat_h323? Thanks in advance.
>
> cuigl
>
>
>

Re: msn voice chat

[Kevin McConnell]

--- Roy Sigurd Karlsbakk <roy@karlsbakk.net> wrote:
> As far as I'm concerned, MSN telephony, and voice
> chat, uses SIP, not 
> h.323, and SIP also needs a helper module the same
> way as pptp, ftp, 
> irc etc

I am fairly sure that cronos has written a helper
module that can be downloaded and tested if one was
curious. Check out the listman's history for a link to
the patch he designed.


=====
Kevin C. McConnell --RHCE-- <Red Hat Certified Engineer>

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

RE: msn voice chat

[Glover George]

Forgot to post this.  I point you to what Harold recommended back when I
first started.

http://lists.netfilter.org/pipermail/netfilter-devel/2002-April/007420.h
tml 

And other than google, it's been a while.  How would I search for this?
I tried google and came up with nothing.  I'd like to look at this
patch, although this would only solve the SIP problem right?  Is RTP in
there as well?  Even if this did fix the problem it only fixes it for
SIP programs, which may be all you care about.  But like I said, the
overhead of this on something like a 386 to do all that translation,
especially when the ip address is never in the same place, that's a lot
of text matching to do for something like a high speed video and voice
conversation while running a remote assistance, or something of the
like.  

UPnP is just another solution to the problem, that happens to solve a
lot of other problems with clients that are UPnP aware at the same time.
(And being a sysadmin myself, I must say a lot easier to set up than
recompiling your kernel with these experimental helpers).  But then I'm
thinking of the users and myself on that one ;-)

Cheers.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Kevin
McConnell
Sent: Tuesday, December 31, 2002 2:51 PM
To: Roy Sigurd Karlsbakk; Glover George
Cc: cuigl@ilion.bio.sunysb.edu; netfilter@lists.netfilter.org
Subject: Re: msn voice chat


--- Roy Sigurd Karlsbakk <roy@karlsbakk.net> wrote:
> As far as I'm concerned, MSN telephony, and voice
> chat, uses SIP, not 
> h.323, and SIP also needs a helper module the same
> way as pptp, ftp, 
> irc etc

I am fairly sure that cronos has written a helper
module that can be downloaded and tested if one was
curious. Check out the listman's history for a link to
the patch he designed.


=====
Kevin C. McConnell --RHCE-- <Red Hat Certified Engineer>

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

RE: msn voice chat

[Kevin McConnell]

--- Glover George <dime@gulfsales.com> wrote:
> I'd like
> to look at this
> patch, although this would only solve the SIP
> problem right?  Is RTP in
> there as well?  

You would have to take a look at the patch. I'm not
really a developer. More like just a plain old
sysadmin. I think that you should bring this
discussion onto the netfilter-devel list, as I am not
sure if cronos (Filip Sneppe is his real name I
believe) reads this list.
 
> UPnP is just another solution to the problem, that
> happens to solve a
> lot of other problems with clients that are UPnP
> aware at the same time.
> (And being a sysadmin myself, I must say a lot
> easier to set up than
> recompiling your kernel with these experimental
> helpers).  But then I'm
> thinking of the users and myself on that one ;-)

I didn't really run into too much trouble when
applying patch-o-matic to my kernel for some reason. I
read all these people having problems, yet all I did
was to get the vanilla source from kernel.org (like
the docs said) and then I applied the pom to it and
enabled all kinds of extra functionality to test a few
things out. Then I recompiled iptables and voila... it
just worked.


=====
Kevin C. McConnell --RHCE-- <Red Hat Certified Engineer>

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

Re: msn voice chat

[Rasmus Reinholdt Nielsen]

Hi

I have the linux-igd installed and it works very well, all my users can 
voice and video chat. The MSN Telephony is not Upnp capable so it doesn't 
work, anybody knows how to make this work (or what protokol it uses - 
RTP?), it works with my cisco router, but not with my linux/netfilter one.

Thanks

/Rasmus

At 14:15 31-12-2002 -0500, CUI, Guanglei wrote:
>Thanks for the response. I'm only a home user and don't care much about
>security. My network knowledge is rather limited too. So what's the
>different between SIP and UPnP? Which one should I use and where can I
>get SIP modules?
>
>cuigl
>
>On Tue, 31 Dec 2002, Roy Sigurd Karlsbakk wrote:
>
> > As far as I'm concerned, MSN telephony, and voice chat, uses SIP, not
> > h.323, and SIP also needs a helper module the same way as pptp, ftp,
> > irc etc
> >
> > roy
> >
> > On Tuesday, December 31, 2002, at 07:34 PM, Glover George wrote:
> >
> > > No you need this,
> > >
> > > http://linux-igd.sourceforge.net.  Be aware however that if you're
> > > intention is completely security, then you should be warned by the
> > > SECURITY documentation.
> > >
> > > -----Original Message-----
> > > From: netfilter-admin@lists.netfilter.org
> > > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Guanglei Cui
> > > Sent: Thursday, December 26, 2002 11:48 AM
> > > To: netfilter@lists.netfilter.org
> > > Subject: msn voice chat
> > >
> > > Dear all,
> > >     I've set up IP NAT in my redhat 8.0 (kernel-2.4.18.19.8.0,
> > > iptables-1.2.6a-a). The following modules are loaded,
> > > ip_nat_irc
> > > ip_nat_ftp
> > > iptable_nat
> > > ip_conntrack_irc
> > > ip_conntrack_ftp
> > > ip_conntrack
> > > ip_tables
> > >
> > > It seems almost everything works just fine in my local network, except
> > > MSN
> > > voice chat (instant message works fine). Do I need other modules to
> > > make
> > > it
> > > work, something like ip_nat_h323? Thanks in advance.
> > >
> > > cuigl
> > >
> > >
> > >
> >
> >
>
>--
>Guanglei Cui
>Dept. of Chemistry
>SUNY at Stony Brook
>Stony Brook, NY 11790