
Re: [FW1] NetMeeting 3.x



Aloha Tom and Dan.

Dan is correct: those are the service definitions for H.323 and LDAP. You will
also need T.120, and you also need to add some code to the base.def file
located in the $FWDIR/lib directory. Try this at your own risk.

T.120 is defined as TCP service Port:1503

I can't guarantee this will work on the NT platform since I have never tried
it. Please be intelligent and back up your files before you try anything like
editing the base.def.

Ryan Joffs
CCSA/CCSE
Field Network Engineer
Fujitsu Systems Business of America, Inc.
560 N. Nimitz Hwy #214
Honolulu Hi, 96817

Here is the section of code from the base.def file.

***********************begin copy after this line**********************
#ifndef NO_H323
/***************************************************************************
 *                                                                         *
 *       H.323 - General Protocol Support                                  *
 *                                                                         *
 ***************************************************************************/

/* Protocol Name: H.323
 * Protocol Description:
 * client starts H.225 TCP connection on port 1720 to server.
 * server sends "port" command to client, for the H.245 TCP connection.
 * On the H.245 connection, each side sends the other its port numbers, and
 * the other side acknowledges with its port numbers for the RTP connections.
 * The macros below open the H.245 and RTP/RTCP pinholes only for ports that
 * were read out of the inspected H.225/H.245 payload and placed in the
 * pending table; the ACCEPT_* macros then look them up there.
 */

/* Added to allow the Bay/Nortel platforms to function - they only filter
 * in the inbound direction.
 * On FWEMBEDED both values are 0, so every "direction = H323DIRECTION_*"
 * test below matches the same (inbound) direction value.
 */
#ifdef FWEMBEDED
#define H323DIRECTION_IN  0
#define H323DIRECTION_OUT 0
#else
#define H323DIRECTION_IN  0
#define H323DIRECTION_OUT 1
#endif

/* Table keys and limits used by the macros below. The magic values are the
 * ASCII strings "H245" / "HRTP"; they tag pending-table entries so that the
 * H.245 and RTP lookups cannot match each other's entries. Timeouts are in
 * seconds.
 */
#define H245_MAGIC 0x48323435  /* "H245" */
#define HRTP_MAGIC 0x48525450  /* "HRTP" */
#define H225_PORT 1720     /* static port of H225 */
#define H245_TIMEOUT 600      /* 10 minutes */
#define RTP_TIMEOUT 600      /* 10 minutes */

/*
 * Possible return values after h.245 tracing.
 * All values except H_BAD_PACKET are distinct single bits, so one result
 * can carry several of them at once (GET_H245_PORT tests them with "&").
 * H_BAD_PACKET is 0 so that "!= H_BAD_PACKET" is the reject test.
 */
#define H_NOTHING_FOUND               0x01
#define H_EST_LOG_CHAN_ACK            0x02
#define H_EST_LOG_CHAN                0x04
#define H_EST_LOG_CHAN_ACK_2          0x08
#define H_EST_LOG_CHAN_2              0x10
#define H_BAD_PACKET                  0x00

/*
 * kernel function parameter value, indicating
 * what port the inspect wants to retrieve
 * (the argument GET_H245_PORT passes to KFUNC_GET_RTP).
 */
#define H_REQ_RTCP           0
#define H_ACK_RTCP           1
#define H_ACK_RTP            2
#define H_ACK_RTCP_2         3
#define H_ACK_RTP_2          4
#define H_REQ_RTCP_2         5

/* GET_H245_PORT: succeeds only if the H.245 trace result in sr14 (set by
 * FOLLOW_H245) has the WhatDetected bit(s) set. It then asks KFUNC_GET_RTP
 * for the WhatPort offset into sr13 and builds a 16-bit value in sr1 from
 * sr13.[0:1] and sr13.[1:1] (high byte first, if .[off:len] is a byte
 * extract - confirm against the INSPECT reference). The value is accepted
 * only if NOTSERVER_UDP_PORT (defined elsewhere) passes; otherwise the
 * packet is rejected, presumably so the signalling cannot be used to open
 * a well-known server port - confirm. sr13 keeps the offset, which the
 * TRANSLATE_* macros use afterwards.
 */
deffunc GET_H245_PORT(WhatDetected, WhatPort) {
(sr14 & WhatDetected) = WhatDetected,
set sr13 (call KFUNC_GET_RTP<WhatPort>),
set sr1 ((sr13.[0:1]) << 8) + sr13.[1:1],
NOTSERVER_UDP_PORT(sr1) or reject
};

/* SAVE_H245_PORT: records the announced UDP port as a pending entry whose
 * key shape depends on which side announced it: with dir = H323DIRECTION_OUT
 * the key is <src,port,dst,HRTP_MAGIC,PROTO_udp>, otherwise
 * <dst,HRTP_MAGIC,src,port,PROTO_udp>. These appear to be the two shapes
 * ACCEPT_RTP1 / ACCEPT_RTP2 look up from the opposite side of the flow.
 * A matching tracked entry is written only when ENTRY_TRACKED(flags) holds
 * (the "or 1" makes that part optional); it copies sr3..sr7, which the
 * caller (RECORD_RTP2) fills from "get <0,conn> from tracked to sr3" -
 * confirm that this get populates sr3..sr7.
 * Note: dir is compared with H323DIRECTION_OUT (0 or 1), while the callers
 * pass sr8, which is 1 or 2; sr8 = 2 therefore always takes the second
 * branch.
 */
deffunc SAVE_H245_PORT(port,dir,key,type,flags) {
(
(dir = H323DIRECTION_OUT,
record <src,port,dst,HRTP_MAGIC,PROTO_udp;key,type,flags
@RTP_TIMEOUT> in pending,
(ENTRY_TRACKED(flags),
record <0,src,port,dst,HRTP_MAGIC,PROTO_udp;sr3,sr4,sr5,sr6,sr7
@RTP_TIMEOUT> in tracked)
or 1
)
or
(
record <dst,HRTP_MAGIC,src,port,PROTO_udp;key,type,flags
@RTP_TIMEOUT> in pending,
(ENTRY_TRACKED(flags),
record <0,dst,HRTP_MAGIC,src,port,PROTO_udp;sr3,sr4,sr5,sr6,sr7
@RTP_TIMEOUT> in tracked)
or 1
)
)
};


/* KFUNC_FOLLOW_H225 returns a number which can either consist of the two
 * desired ports of the setup message - sport in the upper 16 bits, dport
 * in the lower 16 bits.
 * If the packet is a Connect message, we only have lower 16 bits.
 * SPLIT_PORT leaves the upper half in sr4 and the lower half in sr3;
 * RECORD_H245_2 then tests "sr4=0" to tell a Connect (one value) from a
 * Setup (two values). Per the note above RECORD_H245, these halves are
 * offsets of the port fields in the packet rather than the ports themselves.
 */
#define SPLIT_PORT(offset) \
(set sr4 (offset >> 16), \
set sr3 (offset & 0x0000ffff))


#ifndef NO_XLATION

/* NAT hooks: each one registers an anticipated translation through
 * KFUNC_XLATE_ANTICIPATE for the port field found in the packet. */

/* This is for the Connect message - the port command.
 * Uses sr3 (set by SPLIT_PORT) as the offset of the port field. */
#define TRANSLATE_H225(port) \
(call KFUNC_XLATE_ANTICIPATE <dst,0,0,port,PROTO_tcp, \
BUILD_CONT_REV(0,1), RTP_TIMEOUT,0,sr3,sr3 - 4>)

/* This is for the Setup message - we need to change the identifiers
 * of the connection inside the data of the packet.
 * Uses both halves from SPLIT_PORT (sr3 and sr4).
 */
#define CHANGE_SETUP \
(call KFUNC_XLATE_ANTICIPATE <conn, \
BUILD_CONT_REV(1,0), RTP_TIMEOUT,0,sr3,sr3 - 4>, \
call KFUNC_XLATE_ANTICIPATE <conn, \
BUILD_CONT_REV(2,0), RTP_TIMEOUT,0,sr4,sr4 - 4>)

/* First (RTP) port of a logical channel. Relies on sr13 holding the offset
 * returned by KFUNC_GET_RTP in GET_H245_PORT; the r_cdir=2 alternative is
 * tried first and the src-keyed form is the fallback. */
#define TRANSLATE_FIRST(port) \
(set sr3 sr13 - 4, \
((r_cdir=2,call KFUNC_XLATE_ANTICIPATE <dst,0,0,port,PROTO_udp,\
BUILD_CONT_REV(0,1), RTP_TIMEOUT,0,sr13,sr13 - 4>) or \
(call KFUNC_XLATE_ANTICIPATE <src,port,dst,0,PROTO_udp, \
BUILD_CONT_REV(0,0), RTP_TIMEOUT,0,sr13,sr13 - 4>)))

/* Second (RTCP, port+1) port of the same channel; callers pass sr1+1.
 * The sr13 + 3 / sr13 + 7 offsets presumably locate the second port field
 * relative to the first - confirm against the message layout. */
#define TRANSLATE_SECOND(port) \
(set sr3 sr13 + 3, \
set sr4 sr3 + 4, \
    ((r_cdir=2,call KFUNC_XLATE_ANTICIPATE <dst,0,0,port,PROTO_udp, \
BUILD_CONT_REV(0,1), RTP_TIMEOUT,0,sr13 + 7,sr13 + 3>) or \
(call KFUNC_XLATE_ANTICIPATE <src,port,dst,0,PROTO_udp, \
BUILD_CONT_REV(0,0), RTP_TIMEOUT,0,sr13 + 7,sr13 + 3>)))
#else
/* Without NAT support the hooks expand to the constant 1 so the enclosing
 * comma / "or" expressions keep succeeding; the recording logic is unchanged. */
#define TRANSLATE_H225(port) 1
#define CHANGE_SETUP 1
#define TRANSLATE_FIRST(port) 1
#define TRANSLATE_SECOND(port) 1
#endif



/*
 * intercept H.225 CONNECT/SETUP message, and record the
 * H.245 dynamic connection that we should accept.
 * If the H.225 connection started from A to B, We are only
 * interested in tracking packets going from B to A, since the
 * CONNECT/SETUP message is in that direction.
 * For first packet of H.225 (B->A) we init the align machine.
 * For every packet of H.225 (B->A) we call the align machine.
 * KFUNC_FOLLOW_H225 return values:
 * 0 = Bad Packet
 * 1 = H.225 connect not found in packet
 * not 0, not 1 - the offset of the port in CONNECT/SETUP message
 *
 * RECORD_H245 (bottom of this section) is assembled from FIND_SETUP,
 * RECORD_H245_1 and RECORD_H245_2; the latter two are halves of a single
 * expression, so RECORD_H245_1 intentionally ends on a trailing comma.
 */


/* First packet of the H.225 call (client -> H225_PORT): start the align
 * machine for the outbound direction. */
#define FIND_SETUP \
( \
tcp, first, dport = H225_PORT, direction = H323DIRECTION_OUT, \
call KFUNC_INIT_H225<direction> \
)

/* Every H.225 packet: run the align machine, reject on a bad packet, and if
 * a port offset was found split it (sr3/sr4) and read the H.245 port into
 * sr2. Continues in RECORD_H245_2. */
#define RECORD_H245_1         \
( \
(r_cdir = 2, sport = H225_PORT) or (r_cdir =1,dport = H225_PORT), \
tcp, ((syn, ack, direction = H323DIRECTION_IN, \
call KFUNC_INIT_H225<direction> ) or 1), \
set sr1 call KFUNC_FOLLOW_H225<direction>, \
(sr1 != H_BAD_PACKET) or reject,         \
( \
sr1 != H_NOTHING_FOUND,         \
SPLIT_PORT(sr1),                                    \
set sr2 (((sr3.[0:1]) << 8) + sr3.[1:1]),
/* Deliberate split: the line above has no "\" and ends on a comma; the
 * expression resumes in RECORD_H245_2 and RECORD_H245 pastes them together.
 * The H.245 port read from the packet is rejected unless NOTSERVER_TCP_PORT
 * (defined elsewhere) accepts it before anything is recorded. A Connect
 * (sr4=0) records the H.245 pending entry; a Setup goes to CHANGE_SETUP. */
#define RECORD_H245_2         \
NOTSERVER_TCP_PORT(sr2) or reject, \
((sr4=0, record <dst,H245_MAGIC,src,sr2,ip_p;DUP_KEY(r_ckey), \
r_ctype, r_cflags@H245_TIMEOUT> in pending, \
TRANSLATE_H225(sr2)) or CHANGE_SETUP), \
(ENTRY_TRACKED(r_cflags), \
record <0,dst,H245_MAGIC,src,sr2,ip_p;rconn@H245_TIMEOUT> \
in tracked) \
or 1 \
) or 1, \
accept_fwz_as_clear(r_ctype) \
)

#define RECORD_H245 FIND_SETUP; RECORD_H245_1 RECORD_H245_2


/*
 * on first H.245 packet move the connection to connections table
 * with key and type of H.225 (they are in the same direction).
 * Keep the H.245 connection in pending table - to intercept the
 * ESTABLISH_LOGICAL_CHANNEL_ACK commands.
 * Initialize the align machine that will look for ESTABLISH_LOGICAL_CHANNEL
 * req/ack
 * This packet is accepted by  IS_ACCEPTED_A  if clear, or connection table
 *  if encrypted
 *
 * The packet is only considered when a pending entry recorded by
 * RECORD_H245_2 matches <src,H245_MAGIC,dst,dport>, i.e. the H.245 port
 * was announced on the inspected H.225 channel. The "get ... to sr10"
 * appears to fill sr10/sr11/sr12 with the stored key, type and flags
 * (DUP_KEY(r_ckey), r_ctype, r_cflags) - confirm.
 */

#define ACCEPT_H245_FWD1 \
tcp, first, \
TABLE_NOT_EMPTY(pending), \
get <src,H245_MAGIC,dst,dport,ip_p> from pending to sr10, \
NOT_TCP_FASTMODE_PORT(sport,0) or reject, \
record <conn;DUP_KEY(sr10),ENTRY_TYPE(sr11),SPOOF_CACHE_EMPTY | \
  IS_ACCEPTED_A|TRACKED_TRANS(sr12)|MORE_INSPECTION|RECORD_SRC(0x88)\
@TCP_TIMEOUT> in connections, \
(ENTRY_TRACKED(sr12),
/* Deliberate split (no "\" above, expression continues here);
 * ACCEPT_H245_FWD pastes the two halves together. */
#define ACCEPT_H245_FWD2 \
ACCOUNT_MATCH(H245_MAGIC,0,TCP_TIMEOUT)) or 1, \
(direction=H323DIRECTION_OUT,call KFUNC_INIT_H245<direction>) or 1, \
       update_tcp_flags(sr11,1)

#define ACCEPT_H245_FWD ACCEPT_H245_FWD1 ACCEPT_H245_FWD2

/* SYN/ACK of the H.245 connection seen in the reverse direction: only
 * initialise the inbound align machine (the connection entry was already
 * recorded by ACCEPT_H245_FWD). */
#define ACCEPT_H245_BAK \
tcp, syn, ack, \
TABLE_NOT_EMPTY(pending), \
get <dst,H245_MAGIC,src,sport,ip_p> from pending to sr10,           \
(direction=H323DIRECTION_IN,call KFUNC_INIT_H245<direction>) or 1


#define ACCEPT_H245 ACCEPT_H245_FWD; ACCEPT_H245_BAK

/* RECORD_RTP macro broken to a few macros
 * intercept the ESTABLISH_LOGICAL_CHANNEL_ACK command (on the H.245
 * connection).
 * Record both the RTP (audio/video) and RTCP (control) (+1) connections.
 * The align machine looks for ESTABLISH_LOGICAL_CHANNEL_ACK in both
 * directions.
 * KFUNC_FOLLOW_H245 return codes:
 * 0 Bad packet
 * 1 Nothing found in packet
 * EST_LOG_CHAN_ACK (2)- Establish logical channel ack found in packet
 * EST_LOG_CHAN (4) - Establish logical channel found in packet
 * the last 2 may arrive together!
 * KFUNC_GET_RTP first argument:
 * 0 - get offset of RTCP port in open logical channel msg
 * 1 - get offset of RTCP port in open logical chan ack msg
 * 2 - get offset of RTP port in open logical chan ack msg
 */

/* FOLLOW_H245: run the H.245 align machine and keep its result in sr14
 * (GET_H245_PORT tests the bits there). A bad packet is rejected; "nothing
 * found" makes the expression fail so the caller's "or 1" takes over.
 * sr9 becomes the entry type for the RTP entries recorded later: CONN_UDP
 * when the H.245 entry type (sr11) is CONN_TCP, otherwise that type as is. */
#define FOLLOW_H245 \
( \
set sr14 (call KFUNC_FOLLOW_H245<direction>), \
(sr14 != H_BAD_PACKET) or reject, \
sr14 != H_NOTHING_FOUND,                                            \
(ENTRY_TYPE(sr11) = CONN_TCP, set sr9 CONN_UDP) \
  or \
(set sr9 ENTRY_TYPE(sr11))         \
)


/* Second logical-channel ACK in the same packet (H_EST_LOG_CHAN_ACK_2):
 * record the RTP port (sr1) and its RTCP port (sr1+1) exactly as
 * RECORD_RTP2/3 do for the first ACK. Fails (harmlessly, inside the
 * caller's "or") when the ACK_2 bit is not set in sr14. */
#define GET_SAVE_PORT_1 \
( GET_H245_PORT(H_EST_LOG_CHAN_ACK_2, H_ACK_RTP_2), \
SAVE_H245_PORT(sr1,sr8,DUP_KEY(sr10),sr9,sr12), \
TRANSLATE_FIRST(sr1), \
SAVE_H245_PORT(sr1+1,sr8,DUP_KEY(sr10),sr9,sr12), \
TRANSLATE_SECOND(sr1+1) \
 )



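/* Logical-channel requests (H_EST_LOG_CHAN and H_EST_LOG_CHAN_2): record the
 * RTCP port announced in each request; only one port is saved per request
 * (no +1 entry), unlike the ACK path in GET_SAVE_PORT_1. The second
 * GET_H245_PORT fails when the _2 bit is absent, ending the expression.
 *
 * Fix: in the copy of this section posted here the "#define" line and its
 * trailing "\" had been split onto two lines, which would leave
 * GET_SAVE_PORT_2 defined as nothing and the body below as a stray
 * expression; the continuation is rejoined on the define line. */
#define GET_SAVE_PORT_2 \
( GET_H245_PORT(H_EST_LOG_CHAN, H_REQ_RTCP), \
SAVE_H245_PORT(sr1,sr8,DUP_KEY(sr10),sr9,sr12), \
TRANSLATE_FIRST(sr1), \
GET_H245_PORT(H_EST_LOG_CHAN_2, H_REQ_RTCP_2), \
SAVE_H245_PORT(sr1,sr8,DUP_KEY(sr10),sr9,sr12), \
TRANSLATE_FIRST(sr1) \
 )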


/* H.245 data packets (not the first one): locate the pending H.245 entry in
 * either key orientation and remember which one matched in sr8 (1 or 2).
 * sr8 is later passed to SAVE_H245_PORT as its dir argument, which compares
 * it with H323DIRECTION_OUT (0 or 1); sr8 = 2 therefore never takes the
 * first branch there - presumably intended, confirm. */
#define RECORD_RTP1                        \
( \
r_cdir, tcp, not_first, TABLE_NOT_EMPTY(pending), \
( \
get <src,H245_MAGIC,dst,dport,ip_p> from pending to sr10, \
set sr8 1 \
) or ( \
get <dst,H245_MAGIC,src,sport,ip_p> from pending to sr10, \
set sr8 2 \
),
/* Deliberate split (no "\" above); RECORD_RTP pastes the three parts.
 * Part 2: trace the packet, fetch the tracked connection values into sr3..
 * (consumed by SAVE_H245_PORT) when the entry is tracked, then handle the
 * first logical-channel ACK: record RTP port sr1 ... */
#define RECORD_RTP2 \
( \
FOLLOW_H245,                        \
(ENTRY_TRACKED(sr12), \
(sr8 = 1, get <0,conn> from tracked to sr3) \
  or \
(get <0,rconn> from tracked to sr3)) or 1, \
    ( \
(                                                    \
GET_H245_PORT(H_EST_LOG_CHAN_ACK, H_ACK_RTP),    \
SAVE_H245_PORT(sr1,sr8,DUP_KEY(sr10),sr9,sr12), \
TRANSLATE_FIRST(sr1),
/* Deliberate split (no "\" above). Part 3: ... and RTCP port sr1+1, then a
 * possible second ACK (GET_SAVE_PORT_1). The trailing "0" makes this group
 * evaluate false so the "or" branch (GET_SAVE_PORT_2, the request path)
 * also runs - apparently how an ACK and a request in the same packet (see
 * "may arrive together" above) are both handled. The outer "or 1" keeps
 * the whole recording step optional. */
#define RECORD_RTP3 \
SAVE_H245_PORT(sr1+1,sr8,DUP_KEY(sr10),sr9,sr12), \
TRANSLATE_SECOND(sr1+1), \
GET_SAVE_PORT_1, \
0                                                    \
) or (                                                      \
GET_SAVE_PORT_2 \
) \
) \
) or 1, \
accept_fwz_as_clear(r_ctype) \
)

#define RECORD_RTP RECORD_RTP1 RECORD_RTP2 RECORD_RTP3

/*
 * accept RTP and RTCP connections
 *
 * A UDP packet is accepted only if a pending entry recorded by
 * SAVE_H245_PORT matches it (either key orientation). The entry is deleted
 * as soon as it is used, so each announced port opens exactly one UDP
 * connection, and sr9 remembers which orientation matched (1 or 2) for
 * accept_udp_noncrypt.
 */

#define ACCEPT_RTP1 \
udp, \
TABLE_NOT_EMPTY(pending), \
(get <src,HRTP_MAGIC,dst,dport,ip_p> from pending to sr10, \
UDP_RECORD(conn,0,sr11 | _UDP_ESTABLISHED, \
TRACKED_TRANS(sr12)|RECORD_SRC(0xa8)), \
UDP_RECORD(udpconn,DUP_KEY(sr10),sr11 | _UDP_ESTABLISHED, \
   TRACKED_TRANS(sr12)|RECORD_SRC(0xa8)), \
delete <src,HRTP_MAGIC,dst,dport,ip_p> from pending, \
set sr9 1, \
(ENTRY_TRACKED(sr12), \
ACCOUNT_MATCH(HRTP_MAGIC,0,RTP_TIMEOUT)) or 1) \
or
/* Deliberate split (no "\" above, the "or" continues here);
 * ACCEPT_RTP pastes the two halves together. */
#define ACCEPT_RTP2 \
(get <dst,dport,src,HRTP_MAGIC,ip_p> from pending to sr10, \
UDP_RECORD(rconn,0,sr11 | _UDP_ESTABLISHED, \
TRACKED_TRANS(sr12)|RECORD_SRC(0xa8)), \
UDP_RECORD(udprconn,DUP_KEY(sr10),sr11 | _UDP_ESTABLISHED, \
   TRACKED_TRANS(sr12)|RECORD_SRC(0xa8)), \
delete <dst,dport,src,HRTP_MAGIC,ip_p> from pending, \
set sr9 2, \
(ENTRY_TRACKED(sr12), \
RACCOUNT_MATCH(HRTP_MAGIC,0,RTP_TIMEOUT)) or 1),                    \
   accept_udp_noncrypt(sr11,sr9)


#define ACCEPT_RTP ACCEPT_RTP1 ACCEPT_RTP2

/* Entry points referenced from the H.323 service object. The service
 * definition quoted later in this thread writes them as "H323_prematch;"
 * and "H323_prologue;"; whatever the service object references must match
 * the names defined here exactly (case and spelling), or the H.323
 * tracking above is silently not applied. */
#define h323_prolog RECORD_H245; ACCEPT_H245; RECORD_RTP;
#define h323_prematch ACCEPT_RTP;

#else /* NO_H323 */
/* H.323 support compiled out: the entry points become no-ops. */
#define h323_prolog 1;
#define h323_prematch 1;
#endif

**********************copy up to the line before this one. ************

----- Original Message -----
From: "Dan Hitchcock" <[email protected]>
To: "'Pellowski, Tom'" <[email protected]>; <[email protected]>
Cc: "fw-1-mailinglist@lists. us. checkpoint. com (E-mail)"
<[email protected]>
Sent: Monday, September 18, 2000 8:32 AM
Subject: RE: [FW1] NetMeeting 3.x


>
> The predefined service is just H.323 and LDAP.
>
> The LDAP service is easy - TCP port 389.
>
> H.323 is an "other" service (INSPECT-based).  The predefined service on my
> 4.1 box is:
>
> Match: tcp, dport=1720
> Prematch: H323_prematch;
> Prologue: H323_prologue;
>
> Hope that helps...
>
> Dan Hitchcock
> CCNA, MCSE
> Network Engineer
> Xylo, Inc. (formerly employeesavings.com)
>> The work/life solution for corporate thought leaders
>
>
> -----Original Message-----
> From: Pellowski, Tom [mailto:[email protected]]
> Sent: Monday, September 18, 2000 10:34 AM
> To: '[email protected]'
> Cc: fw-1-mailinglist@lists. us. checkpoint. com (E-mail)
> Subject: RE: [FW1] NetMeeting 3.x
>
>
>
> Ok,
> Well, the box in question is a 3.0b on NT
> next question:
>
> Is there a way to manually configure the ports for net meeting?
>
> Thanks...
>
> Tom
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Monday, September 18, 2000 13:26
> To: [email protected]
> Subject: RE: [FW1] NetMeeting 3.x
>
>
> If you have version 4.0 sp3 or later, the services are predefined.
> Netmeeting and NAT do not work with version 3.0b or earlier on Checkpoint.
>
>
>
> -----Original Message-----
> From: Pellowski, Tom [mailto:[email protected]]
> Sent: Monday, September 18, 2000 1:08 PM
> To: fw-1-mailinglist@lists. us. checkpoint. com (E-mail)
> Subject: [FW1] NetMeeting 3.x
>
>
>
> Greetings:
>
> I just received tasking to allow netmeeting thru for some "live" training
> that the bean counter folks will be going thru.
>
> Can anyone give me an idea about what ports or any special concerns I
should
> be having with this???
>
> Thanks!
>
> Tom
>
>
>
>
============================================================================
> ====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
>
============================================================================
> ====
>
>
>
============================================================================
> ====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
>
============================================================================
> ====
>
>
>
============================================================================
====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
>
============================================================================
====



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


