[Firehol-support] Re: iChat AV with firehol
John Palkovic
scientist at palkovic.org
Wed Dec 28 23:28:23 GMT 2005
Apologies for replying to my own post. After a few iterations with a patient
remote tester, I have iChat AV working to a NAT'ed Mac client sitting
behind my Debian Linux gateway, which is running firehol. Here is my
firehol.conf. I hope someone finds this useful. Happy New Year!
-John
#--8<---------------------
#!/bin/bash
version 5
FIREHOL_LOG_MODE="ULOG"

# LAN host running iChat AV; it receives the UDP ports forwarded by the dnat rule below
AL_CLIENT="192.168.0.7"
HOME_LAN="192.168.0.0/24"
HOME_IFACE="eth0"
PUB_IFACE="eth1"

# Services the gateway itself offers on the public interface
PUB_SERVERS="dns http https smtp ssh"
# UDP ports forwarded from the public interface to AL_CLIENT
ICHAT_PORTS="5060 5190 5297 5298 16384:16403"

# Service definitions: a custom "ichatav" service used by the server/route rules below
server_ichatav_ports="udp/5060 udp/5190 tcp/5190 udp/5297 tcp/5298 udp/5353 udp/5678 udp/16384:16403"
client_ichatav_ports="default"

# the relative paths below (./blacklist, ./ssh.rules, ./reaim.rules) live here
cd /etc/firehol

# forward inbound iChat AV UDP traffic arriving on the public interface to the Mac
dnat to "${AL_CLIENT}" \
    inface "${PUB_IFACE}" \
    proto udp dport "${ICHAT_PORTS}"

# blacklist: addresses listed in ./blacklist
blacklist this "`cat ./blacklist`"

# rate-limit ssh
. ./ssh.rules

# rules for AIM direct connect
. ./reaim.rules

interface eth0 home
    policy accept

interface eth1 internet
    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy reject
    protection strong
    server "${PUB_SERVERS}" accept
    # ichatav ports not redirected by the dnat rule above (its TCP entries)
    # are accepted on the gateway itself
    server ichatav accept
    client all accept

router i2h inface "${PUB_IFACE}" outface "${HOME_IFACE}"
    masquerade reverse
    # LAN-initiated connections to the internet, and their replies
    client all accept
    # the DNAT'ed iChat AV traffic, now addressed to AL_CLIENT, logged with a rate limit
    route ichatav accept dst "${AL_CLIENT}" loglimit "forward iChatAV"
#--8<---------------------
--
"The whole problem with the world is that fools and fanatics are always so
certain of themselves, but wiser people so full of doubts."
-- Bertrand Russell
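A check worth running on a config like this: every UDP port the dnat line forwards should also appear as a udp/ entry in server_ichatav_ports, otherwise the route rule in the router cannot match those forwarded packets. This is an added example, not part of John's post; the two port lists are copied from his config and the function names are my own.

```shell
#!/bin/sh
# Constructed copies of the two port lists from the firehol.conf above; the script
# does not read /etc/firehol/firehol.conf itself.
ICHAT_PORTS="5060 5190 5297 5298 16384:16403"
server_ichatav_ports="udp/5060 udp/5190 tcp/5190 udp/5297 tcp/5298 udp/5353 udp/5678 udp/16384:16403"

# port_in_ranges PORT "ENTRY..." : succeeds when the single port number PORT lies in
# one of the space-separated entries, each written as N or LOW:HIGH (FireHOL style).
port_in_ranges() {
    pir_p=$1
    for pir_r in $2; do
        case $pir_r in
            *:*) pir_lo=${pir_r%%:*}; pir_hi=${pir_r##*:} ;;
            *)   pir_lo=$pir_r;       pir_hi=$pir_r ;;
        esac
        [ "$pir_p" -ge "$pir_lo" ] && [ "$pir_p" -le "$pir_hi" ] && return 0
    done
    return 1
}

# udp_ports_of "proto/port ..." : prints only the port part of the udp/ entries.
udp_ports_of() {
    for upo_e in $1; do
        case $upo_e in
            udp/*) printf '%s\n' "${upo_e#udp/}" ;;
        esac
    done
}

# uncovered_dnat_ports "DNAT list" "service list" : prints every UDP port the dnat
# line forwards (LOW:HIGH ranges expanded) that no udp/ entry of the service covers.
uncovered_dnat_ports() {
    udp_list=$(udp_ports_of "$2" | tr '\n' ' ')
    for udp_r in $1; do
        case $udp_r in
            *:*) udp_lo=${udp_r%%:*}; udp_hi=${udp_r##*:} ;;
            *)   udp_lo=$udp_r;       udp_hi=$udp_r ;;
        esac
        udp_p=$udp_lo
        while [ "$udp_p" -le "$udp_hi" ]; do
            port_in_ranges "$udp_p" "$udp_list" || printf '%s\n' "$udp_p"
            udp_p=$((udp_p + 1))
        done
    done
}

uncovered_dnat_ports "$ICHAT_PORTS" "$server_ichatav_ports"
```

On the lists above it reports 5298, which the dnat line forwards as UDP while the service only defines tcp/5298.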