My fiance and I have iChat AV cameras on Powerbooks. Can we work around blocked 16384-16403 ports to chat anyway?
August 6, 2004 11:02 AM Subscribe
OK, so my fiance just started med school 2000+ miles away from where I live. To stay in touch and keep our phone bills reasonable, we both got iChat AV cameras for our powerbooks. However, the neccesary ports (16384 to 16403) are not open on her school network. We contacted her IT department and a week later, the guy told her that he couldn't open those ports for security/bandwidth issues, leaving us high and dry. So, what would folks suggest we do in this situation? Is it really a security issue or just bandwidth? Are there any workarounds?
Can you guys use vonage, the VOIP phone company? They have a $30 unlimited US calling option I believe.
posted by mathowie at 11:29 AM on August 6, 2004
posted by mathowie at 11:29 AM on August 6, 2004
I doubt it's a security issue. It's probably not bandwidth, either. I would suspect overzealous administrators.
If you can alter the port numbers used by iChat AV, then you may be able to route around this restriction by selecting a widely used port (80, 21, 23, etc).
Another method that might work is a stateful firewall on both ends of the connection. Basically, you'd want to set up the firewall rules so that it maps the iChatAV ports on your computer to a new port number when they go out to the internet (again, port 80, 21, etc.), and vice-versa. On the other end, your fiance would need a firewall doing the same thing, of course.
There's a short blurb on it at MacOSXHints. I believe the built-in firewall (in Panther, at least) can do this kind of port translation. Just go to the Terminal and type "man ipfw" to read up on it.
posted by Kikkoman at 11:38 AM on August 6, 2004
If you can alter the port numbers used by iChat AV, then you may be able to route around this restriction by selecting a widely used port (80, 21, 23, etc).
Another method that might work is a stateful firewall on both ends of the connection. Basically, you'd want to set up the firewall rules so that it maps the iChatAV ports on your computer to a new port number when they go out to the internet (again, port 80, 21, etc.), and vice-versa. On the other end, your fiance would need a firewall doing the same thing, of course.
There's a short blurb on it at MacOSXHints. I believe the built-in firewall (in Panther, at least) can do this kind of port translation. Just go to the Terminal and type "man ipfw" to read up on it.
posted by Kikkoman at 11:38 AM on August 6, 2004
I've seen Verizon Wireless commercials lately offering unlimited free calls between phones both on their network.
posted by kickingtheground at 11:41 AM on August 6, 2004
posted by kickingtheground at 11:41 AM on August 6, 2004
This is a security issue in the broad sense of deny everything and only open what you need is best practice. What happens when the port you need for this app is the one the worm-du-jour uses to bring down the mail server? The less ports open the better.
It's also a work load issue. Handling this request is an easy man hour spread over at least two people. Remember the person you are requesting this from will have to confer with the firewall admin. The FA will need to document the open port to keep track of things and to be able to contact the user if changes are needed. And also ensure that the port is closed at the end of the semester/yr. He'll also need to verify their isn't a vulnerability already floating around on that port.
At least you know what ports you need opened. Most students who come to me with this kind of request don't and some of them aren't even sure what program they are using("My girlfriend installed it for me. It's runs my Cam! All these programs are the same.") I've got to do this for instructors who need special access to other universities and it is a royal pain.
posted by Mitheral at 12:02 PM on August 6, 2004
It's also a work load issue. Handling this request is an easy man hour spread over at least two people. Remember the person you are requesting this from will have to confer with the firewall admin. The FA will need to document the open port to keep track of things and to be able to contact the user if changes are needed. And also ensure that the port is closed at the end of the semester/yr. He'll also need to verify their isn't a vulnerability already floating around on that port.
At least you know what ports you need opened. Most students who come to me with this kind of request don't and some of them aren't even sure what program they are using("My girlfriend installed it for me. It's runs my Cam! All these programs are the same.") I've got to do this for instructors who need special access to other universities and it is a royal pain.
posted by Mitheral at 12:02 PM on August 6, 2004
Response by poster: thanks for the suggestions, everyone, but what I really want to do is make the damn iChat AV cameras work, as we bought them for this very purpose.
Kikkoman: this sounds like a good start. unfortunately i am quicly out of my league, and the software warns against doing anything you don't understand. so let me get this straght:
-ichat uses 4 of those 20 ports to send and recieve audio and video, ok.
-if i send anything over any of those ports, it gets blocked
-if she tries to send me anything over those ports, it also gets blocked
-so i should setup my computer to send out of different ports, and hers to redirect to the appropriate ports?
-and vice-versa for my computer to recieve her data?
-widely used ports: 80, 21, 23, etc?
-stateful firewall, i think i get it, what do i need to be worried about when setting something like this up? might i screw up other ports in the process?
Terrapin: how could you!? I would never!
Mitheral: the IT guy thanks you for me not thinking that he's a total dick anymore.
I think i'll figure this out, but I could use some more help, you guys rock!
posted by garethspor at 12:15 PM on August 6, 2004
Kikkoman: this sounds like a good start. unfortunately i am quicly out of my league, and the software warns against doing anything you don't understand. so let me get this straght:
-ichat uses 4 of those 20 ports to send and recieve audio and video, ok.
-if i send anything over any of those ports, it gets blocked
-if she tries to send me anything over those ports, it also gets blocked
-so i should setup my computer to send out of different ports, and hers to redirect to the appropriate ports?
-and vice-versa for my computer to recieve her data?
-widely used ports: 80, 21, 23, etc?
-stateful firewall, i think i get it, what do i need to be worried about when setting something like this up? might i screw up other ports in the process?
Terrapin: how could you!? I would never!
Mitheral: the IT guy thanks you for me not thinking that he's a total dick anymore.
I think i'll figure this out, but I could use some more help, you guys rock!
posted by garethspor at 12:15 PM on August 6, 2004
have a look at tunneling over ssh. it sounds like it will solve your problems, but you'll need to read + understand fairly technical details.
[on preview - if the ports are adjustable, and that seems out of your range, this is probably too complex unless you get a local geek friend to help]
posted by andrew cooke at 12:19 PM on August 6, 2004
[on preview - if the ports are adjustable, and that seems out of your range, this is probably too complex unless you get a local geek friend to help]
posted by andrew cooke at 12:19 PM on August 6, 2004
Mitheral's got some good points. Smart sysadmins ensure their networks fail closed. But enough about them -- let's get back to creatively circumventing their restrictions!
Tunnelling over ssh is actually a better idea than doing what I originally suggested. MUCH easier than messing with the firewall rules. Here's (roughly) what you'd need to do:
1. Turn on "remote login" in the network sharing control panel. This should activate the SSH server on your machine.
2. Set up a system account for your fiance to use. Just something she can use to log in to your machine.
3. Your fiance will need to execute the following command on her computer to start an SSH tunnel session to your computer:
ssh portforwardingcommands -g accountname@youripaddress
Where portforwarding commands consists of the following:
-L 16384:127.0.0.1:16384
-L 16385:127.0.0.1:16385
-L 16386:127.0.0.1:16386
...and so on, one after the other in that command line for all the ports iChat needs (no line breaks, of course). These commands will instruct the SSH client to forward a given port on your fiance's machine to a given port on the host machine at the other end of the connection.
accountname should be your fiance's account name on your computer.
youripaddress should be your machine's internet address.
4. She should execute the command. If SSH successfully finds your machine out in the ether, it will probably complain that this is the first time it's logged on and ask her to verify, etc., etc. She should go ahead and confirm the connection and enter her account password.
Once the connection is established, she'll be at a terminal prompt on your machine.
5. You both should launch iChat AV. You will then need to start a "New Chat With Person" at 127.0.0.1 to connect to her.
That ought to do it.
Of course, you could probably get away with making your fiance's machine the server. However, it may be easier for her to SSH out to you (particularly if you're using a decent, relatively non-restrictive ISP) than it will be for you to SSH into that private network.
Now, some notes:
1. If you're behind a firewall/router, remember to open (and forward, if necessary) a port for SSH. SSH uses port 22.
2. You can test all of this at home if you have a LAN. Just substitute your internal IP address in the SSH command above. If it works on the LAN, then it should work over the internet.
3. "man ssh".
posted by Kikkoman at 1:10 PM on August 6, 2004
Tunnelling over ssh is actually a better idea than doing what I originally suggested. MUCH easier than messing with the firewall rules. Here's (roughly) what you'd need to do:
1. Turn on "remote login" in the network sharing control panel. This should activate the SSH server on your machine.
2. Set up a system account for your fiance to use. Just something she can use to log in to your machine.
3. Your fiance will need to execute the following command on her computer to start an SSH tunnel session to your computer:
ssh portforwardingcommands -g accountname@youripaddress
Where portforwarding commands consists of the following:
-L 16384:127.0.0.1:16384
-L 16385:127.0.0.1:16385
-L 16386:127.0.0.1:16386
...and so on, one after the other in that command line for all the ports iChat needs (no line breaks, of course). These commands will instruct the SSH client to forward a given port on your fiance's machine to a given port on the host machine at the other end of the connection.
accountname should be your fiance's account name on your computer.
youripaddress should be your machine's internet address.
4. She should execute the command. If SSH successfully finds your machine out in the ether, it will probably complain that this is the first time it's logged on and ask her to verify, etc., etc. She should go ahead and confirm the connection and enter her account password.
Once the connection is established, she'll be at a terminal prompt on your machine.
5. You both should launch iChat AV. You will then need to start a "New Chat With Person" at 127.0.0.1 to connect to her.
That ought to do it.
Of course, you could probably get away with making your fiance's machine the server. However, it may be easier for her to SSH out to you (particularly if you're using a decent, relatively non-restrictive ISP) than it will be for you to SSH into that private network.
Now, some notes:
1. If you're behind a firewall/router, remember to open (and forward, if necessary) a port for SSH. SSH uses port 22.
2. You can test all of this at home if you have a LAN. Just substitute your internal IP address in the SSH command above. If it works on the LAN, then it should work over the internet.
3. "man ssh".
posted by Kikkoman at 1:10 PM on August 6, 2004
« Older What goes in the fridge and what doesn't? | Boss charging sales rep for customer's bounced... Newer »
This thread is closed to new comments.
Sure it doesn't help with the video sex but it will be less expensive than long distance phone calls.
posted by terrapin at 11:19 AM on August 6, 2004