[Firehol-support] Re: iChat AV with firehol

John Palkovic scientist at palkovic.org
Wed Dec 28 23:28:23 GMT 2005


Apologies for replying to my own post. After a few iterations with a patient
remote tester, I have iChat AV working to a NAT'ed Mac client sitting
behind my Debian Linux gateway, which is running firehol. Here is my
firehol.conf. I hope someone finds this useful. Happy New Year!

-John

#--8<---------------------
#!/bin/bash
version 5
FIREHOL_LOG_MODE="ULOG"
AL_CLIENT="192.168.0.7"
HOME_LAN="192.168.0.0/24"
HOME_IFACE="eth0"
PUB_IFACE="eth1"
PUB_SERVERS="dns http https smtp ssh"
# Inbound UDP ports that are DNAT'ed to the iChat AV client
ICHAT_PORTS="5060 5190 5297 5298 16384:16403"

# Service definitions

server_ichatav_ports="udp/5060 udp/5190 tcp/5190 udp/5297 tcp/5298 udp/5353 udp/5678 udp/16384:16403"
client_ichatav_ports="default"

cd /etc/firehol
# Forward inbound iChat AV UDP traffic arriving on the public interface
# to the NAT'ed client; the router below must still accept it.
dnat to "${AL_CLIENT}" \
 inface "${PUB_IFACE}" \
 proto udp dport "${ICHAT_PORTS}"

# blacklist ...
blacklist this "`cat ./blacklist`"

# rate-limit ssh
. ./ssh.rules
# rules for AIM direct connect
. ./reaim.rules

interface eth0 home
	policy accept

interface eth1 internet
	# The default policy is DROP. You can be more polite with REJECT.
	# Prefer to be polite on your own clients to prevent timeouts.
	policy reject
	protection strong
	server "${PUB_SERVERS}" accept
	server ichatav accept
	client all accept

router i2h inface "${PUB_IFACE}" outface "${HOME_IFACE}"
	masquerade reverse
	client all accept
	route ichatav accept dst "${AL_CLIENT}" loglimit "forward iChatAV"

#--8<---------------------

--
"The whole problem with the world is that fools and fanatics are always so
certain of themselves, but wiser people so full of doubts."
-- Bertrand Russell
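An added check, not part of the original post: it parses the two port strings from the firehol.conf above (ICHAT_PORTS, which the dnat helper forwards as UDP, and server_ichatav_ports, which the route ichatav rule accepts) and reports any DNAT'ed port that the service definition does not also accept, so the forward to the client stays as narrow as the accept rule.

```python
# Added example (not from the original post): cross-check the UDP ports this
# firehol.conf DNATs to the client against the ports the ichatav service
# definition accepts. Values below are copied from the config above.
ICHAT_PORTS = "5060 5190 5297 5298 16384:16403"
SERVER_ICHATAV_PORTS = ("udp/5060 udp/5190 tcp/5190 udp/5297 tcp/5298 "
                        "udp/5353 udp/5678 udp/16384:16403")


def expand_ports(spec):
    """Expand a FireHOL port spec ('5060' or '16384:16403') into a set of ints."""
    lo, _, hi = spec.partition(":")
    hi = hi or lo
    return set(range(int(lo), int(hi) + 1))


def parse_service_ports(ports):
    """Parse a 'proto/port[:range] ...' service string into {(proto, port), ...}."""
    result = set()
    for item in ports.split():
        proto, _, spec = item.partition("/")
        result |= {(proto, p) for p in expand_ports(spec)}
    return result


def parse_dnat_ports(proto, dports):
    """Ports the dnat helper forwards for one protocol, as {(proto, port), ...}."""
    result = set()
    for spec in dports.split():
        result |= {(proto, p) for p in expand_ports(spec)}
    return result


def unaccepted_forwards(dnat_ports, service_ports):
    """DNAT'ed (proto, port) pairs that have no matching accept in the service."""
    return sorted(dnat_ports - service_ports)


def summarize(pairs):
    """Render (proto, port) pairs as compact 'proto/port' strings."""
    return ["%s/%d" % pair for pair in pairs]


if __name__ == "__main__":
    dnat = parse_dnat_ports("udp", ICHAT_PORTS)
    svc = parse_service_ports(SERVER_ICHATAV_PORTS)
    gaps = unaccepted_forwards(dnat, svc)
    if gaps:
        print("DNAT'ed but not accepted by 'route ichatav':", summarize(gaps))
    else:
        print("every DNAT'ed port is covered by the ichatav service")
```

Run against the values above it reports udp/5298, which is in ICHAT_PORTS but appears only as tcp/5298 in server_ichatav_ports.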
