Re: Firewalls

Bill Woodland (wcw@bga.com)
Mon, 02 Dec 1996 15:23:53 -0600


At 09:43 AM 12/2/96 -0500, you wrote:
>On Tue, 26 Nov 1996, Todd Kent wrote:
>
>> I'm a graduate student at the University of Virginia and we are piloting
>> a project that is using the Internet to link teachers from various
>> school sites around the state. We are trying to use CU-SeeMe but have
>> run into problems with one school system being behind a firewall. I
>> know very little about firewalls and would greatly appreciate any
>> information you can provide on how to work through a firewall with
>> CU-SeeMe, assuming it can be done. At this point, I don't know enough
>> to even ask a good question. The school's administrators are open to
>> suggestions, but say it can't be done without disabling the firewall.
>> However, some of the postings I see on the CU-SeeMe archives lead me to
>> believe you can direct the CU-SeeMe packets through a port in the
>> firewall. Again, I know nothing about the technical side of firewalls,
>> but any information/suggestions you could give me to take to the
>> administrators would help tremendously.
>
>I have the same problem here at my company, and what I've found out
>after an examination of the issue is that there's no real way for internal
>systems to do CU-SeeMe with external reflectors. The issue lies in the
>use of the UDP protocol, from what I understand. This protocol is
>datagram-oriented, not connection-oriented, and thus is a problem for the
>security model of a firewall.
>
>One possibility would be setting up a reflector on the firewall itself, so
>that both internal and external users could connect directly to it, but
>then the bandwidth would be limited by the internet link you have, both on
>the incoming and outgoing side. Not sure that'd make the firewall admins
>terribly happy, though.
>
> -Mike Pelletier.

Your admin should know how to do this...if he doesn't, send him to school.
Some firewalls might use a slightly different syntax, but the gist of it is
to allow UDP ports 7640-7652 to be passed thru the firewall:

permit udp 0.0.0.0 255.255.255.255 xxx.xxx.xxx.xxx 0.0.0.0 eq 7640
permit udp 0.0.0.0 255.255.255.255 xxx.xxx.xxx.xxx 0.0.0.0 eq 7641
.
.
.
permit udp 0.0.0.0 255.255.255.255 xxx.xxx.xxx.xxx 0.0.0.0 eq 7651
permit udp 0.0.0.0 255.255.255.255 xxx.xxx.xxx.xxx 0.0.0.0 eq 7652

where xxx.xxx.xxx.xxx would be the broadcast address of your LAN.

Bill Woodland (Squeek)
Email: wcw@bga.com
PowWow:wcw@bga.com
URL:http://cu-seeme.cornell.edu/~WCW
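
Added example, not part of the original message: a small Python model of the rule set above, showing which constructed sample packets it would let through. The address 192.0.2.255 stands in for xxx.xxx.xxx.xxx, and the wildcard-mask reading (a 1 bit means "ignore this bit"), first-match evaluation and the implicit deny at the end are assumptions about the firewall.

```python
import ipaddress

# Constructed placeholder for the post's xxx.xxx.xxx.xxx (documentation range).
LAN_BROADCAST = "192.0.2.255"
CUSEEME_PORTS = range(7640, 7653)  # UDP 7640-7652, as given in the post


def build_rules(dst=LAN_BROADCAST, ports=CUSEEME_PORTS):
    """One rule line per port, in the same layout the post uses."""
    return [f"permit udp 0.0.0.0 255.255.255.255 {dst} 0.0.0.0 eq {p}" for p in ports]


def parse_rule(line):
    """Split 'permit udp SRC SRCMASK DST DSTMASK eq PORT' into typed fields."""
    action, proto, src, smask, dst, dmask, op, port = line.split()
    if op != "eq":
        raise ValueError(f"unsupported operator: {op}")
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    return action, proto, to_int(src), to_int(smask), to_int(dst), to_int(dmask), int(port)


def wildcard_match(addr, base, mask):
    """Assumed semantics: a 1 bit in the mask means 'ignore this bit'."""
    care = ~mask & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; no match falls through to an assumed implicit deny."""
    for line in rules:
        action, rproto, s, sm, d, dm, port = parse_rule(line)
        if (proto == rproto and dport == port
                and wildcard_match(src, s, sm) and wildcard_match(dst, d, dm)):
            return action
    return "deny"


if __name__ == "__main__":
    rules = build_rules()
    # Constructed sample packets: (protocol, source, destination, destination port)
    samples = [
        ("udp", "198.51.100.7", LAN_BROADCAST, 7648),  # reflector traffic
        ("udp", "203.0.113.9", LAN_BROADCAST, 7652),   # any other outside host
        ("udp", "198.51.100.7", LAN_BROADCAST, 7653),  # just past the range
        ("udp", "198.51.100.7", "192.0.2.10", 7648),   # single inside host
        ("tcp", "198.51.100.7", LAN_BROADCAST, 7648),  # wrong protocol
    ]
    for pkt in samples:
        print(f"{evaluate(rules, *pkt):6} {pkt}")
```

Under these assumptions the rules accept UDP from any source address to the one destination address on the 13 listed ports and nothing else, which is the exposure an admin would weigh before adding them.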