From: Chris Shenton <cshenton@uucom.com>
Date: 21 Oct 1999 10:20:34 -0400
To: freebsd-questions@freebsd.org
Subject: Re: Freebsd + Netmeeting = Possible ?
In-Reply-To: "Darryl Hoar"'s message of "Wed, 20 Oct 1999 11:48:23 -0500"

On Wed, 20 Oct 1999 11:48:23 -0500, "Darryl Hoar" said:

Darryl> Greetings, I am running FreeBSD 3.2 on a gateway machine (ppp
Darryl> -auto -alias isp). I have a couple of Win9x boxes on my LAN
Darryl> that use the FreeBSD box for internet access. The Win9x box
Darryl> needs to use Microsoft NetMeeting for some collaborative work.
Darryl> Unfortunately, I can't choose a different application, as that
Darryl> is out of my control. Anybody do this already?
Darryl> I'm stuck. How do I get this to work?

NetMeeting implements the H.323 protocols, which bury client and server
information in the payload rather than just leaving it in the header.
This -- like any other application which does this -- makes NAT or
proxying very hard.

H.323 also has a very complex negotiation phase: the client and server
rendezvous on one well-known port, then agree to meet on another random
port, then do this once more -- for no sane reason I can understand. It
was designed by committee, a committee that never had to actually
implement it or make it work on modern networks that have any security
concerns.

I wrote a paper on its security implications a while back; you might
find it helpful in understanding how it works, and it might point you to
other resources:

    http://www.shenton.org/~chris/nasa-hq/netmeeting/

But sorry, I don't have a solution for you unless someone's written a
proxy which tracks the complex port negotiation. I understand Raptor and
Checkpoint now do this in their firewalls, but it still presents an
astounding security risk to the end-user workstations: giving remote
users with no decent authentication keyboard/mouse access to your
machine and anything it has access to.

Good luck.
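The following is an added illustration, not part of Chris Shenton's message and not real H.323 code, of the two points his reply makes: why a NAT that rewrites only IP/port headers breaks a protocol that advertises endpoints inside its payload, and what a payload-tracking proxy (an ALG) has to do across the staged port negotiation. The signalling text ("MEDIA ip:port"), the addresses 192.168.1.10 / 198.51.100.1 / 203.0.113.5 and the port numbers are constructed for the example; real H.323 carries this information in ASN.1-encoded messages, not plain text.

```python
"""Toy model: header-only NAT versus a payload-aware NAT (ALG) for an
H.323-style protocol that advertises addresses inside the payload.
The wire format ("MEDIA ip:port") is a made-up stand-in, not real H.323."""
import re
from dataclasses import dataclass, field

PRIVATE_NET = "192.168.1."     # assumed RFC 1918 LAN behind the gateway
PUBLIC_IP = "198.51.100.1"     # assumed public address of the gateway
REMOTE_PEER = "203.0.113.5"    # assumed far-end NetMeeting host
ENDPOINT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str   # e.g. "MEDIA 192.168.1.10:49152" (constructed format)


@dataclass
class Nat:
    rewrite_payload: bool = False          # False: plain NAT, True: ALG
    next_port: int = 50000
    table: dict = field(default_factory=dict)    # (inner_ip, port) -> public port
    pinholes: list = field(default_factory=list)  # inbound mappings the ALG opened

    def _map(self, ip: str, port: int) -> int:
        """Allocate (or reuse) a public port for an inner endpoint."""
        key = (ip, port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.table[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an outbound packet; the ALG also rewrites the payload."""
        pub_port = self._map(pkt.src_ip, pkt.src_port)
        payload = pkt.payload
        if self.rewrite_payload:
            def fix(m: re.Match) -> str:
                ip, port = m.group(1), int(m.group(2))
                if not ip.startswith(PRIVATE_NET):
                    return m.group(0)
                # The ALG must trust the payload enough to open an inbound
                # hole for whatever port the client advertised.
                p = self._map(ip, port)
                self.pinholes.append((PUBLIC_IP, p, ip, port))
                return f"{PUBLIC_IP}:{p}"
            payload = ENDPOINT_RE.sub(fix, payload)
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound_allowed(self, dst_ip: str, dst_port: int) -> bool:
        return dst_ip == PUBLIC_IP and dst_port in self.table.values()


def advertised_endpoint(payload: str):
    m = re.search(r"MEDIA " + ENDPOINT_RE.pattern, payload)
    return m.group(1), int(m.group(2))


def remote_peer_can_connect(nat: Nat, pkt_seen_by_peer: Packet) -> bool:
    """Can the far end reach the endpoint the payload told it to use?"""
    ip, port = advertised_endpoint(pkt_seen_by_peer.payload)
    if ip.startswith(PRIVATE_NET):
        return False   # a LAN address is not routable from the Internet
    return nat.inbound_allowed(ip, port)


def run_call(nat: Nat, inner_ip: str = "192.168.1.10") -> list:
    """Model the staged negotiation: rendezvous on the well-known port,
    advertise a random port, then advertise another one from that port.
    Returns whether the far end could follow each hop."""
    stages = [(1720, 49152), (49152, 49153)]   # (send from, advertise)
    results = []
    for src_port, advertised in stages:
        pkt = Packet(inner_ip, src_port, REMOTE_PEER, 1720,
                     f"MEDIA {inner_ip}:{advertised}")
        results.append(remote_peer_can_connect(nat, nat.outbound(pkt)))
    return results


if __name__ == "__main__":
    print("plain NAT:", run_call(Nat()))                   # [False, False]
    alg = Nat(rewrite_payload=True)
    print("ALG NAT:  ", run_call(alg))                     # [True, True]
    print("pinholes opened on client's say-so:", alg.pinholes)
```

The `pinholes` list is the security point of the reply in miniature: to make the call work, the gateway has to open inbound mappings to dynamically chosen ports purely because the client's payload asked for them, which is exactly the exposure Chris describes for the Raptor and Checkpoint proxies.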