In message <003601c3a4f2$449210d0$230515ac(a)JOVE>, "jfp" writes:
>Obviously that ISP is not going to do anything, so:
>- Permanently block said ISP to your Linux box.

That and/or properly patching/securing the Windows box would be my first
two suggestions. Trying to get "hackers" shut down is a bit like
whack-a-mole even at the best of times.

>- I assume you are using ipchains on your Linux box, I would recommend
>upgrading to iptables which would mean not having to open incoming ports
>above 1024 as the session tracking should take care of that.

H.323 (and friends), as used by NetMeeting, etc, are rather difficult to
firewall well, because they open connections in arbitrary directions to
arbitrary ports (as negotiated through a control channel) -- a bit like
FTP, but worse. The control channel is encoded via ASN.1 (ie, binary)
rather than being text like FTP. IMHO it's shameful that a "modern"
protocol isn't designed for at least easy state tracking if not to work
easily with outgoing-only firewalls and NAT boxes.

There is an (experimental) H.323 tracking module for Linux iptables
which can be downloaded and compiled up (from some of the netfilter
development sites), but it's a bit of a hack. I've not tried it, but
have read that it works reasonably well for a single H.323 endpoint
behind the firewall.

Alternatively application layer proxying may be more appropriate. GNU
Gatekeeper, Open H.323 Proxy, Asterisk, etc, are capable of proxying
H.323 sessions at the application level. Some of them (eg, Asterisk)
are pretty much voice only (Asterisk is fundamentally PBX software which
supports H.323 amongst other things), and some of them (eg, GNU
Gatekeeper) will proxy video as well.

Ewen
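
An added example, not part of the original message: a sketch of the state tracking a firewall can do for the FTP case the post compares H.323 against. Because the FTP control channel is text, the negotiated data endpoint can be read with a pattern match; the same job for H.323 needs a decoder for the ASN.1-encoded control channel. The function name, the validation policy and the sample lines are assumptions made for illustration.

```python
import re
from ipaddress import ip_address

# Six comma-separated numbers, as carried by "PORT h1,h2,h3,h4,p1,p2" and by
# the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def expected_data_endpoint(line, sender_ip):
    """Return the (ip, port) a data connection should be expected on, or None.

    `line` is one control-channel line; `sender_ip` is the address of the
    host that sent it on the already-tracked control connection.
    """
    line = line.strip()
    verb = line.split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        return None                      # nothing negotiated on this line
    match = _SIX.search(line)
    if not match:
        return None
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        return None                      # malformed octet
    ip = ip_address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    # Policy (assumption): only expect a connection to the host that sent the
    # line, so a peer cannot ask the firewall to open a path to a third host.
    if ip != ip_address(sender_ip):
        return None
    # Policy (assumption): never create an expectation for a privileged port.
    if port < 1024:
        return None
    return (str(ip), port)


if __name__ == "__main__":
    # Constructed control-channel lines: (line, address of the sender).
    session = [
        ("USER anonymous", "192.168.1.10"),
        ("PORT 192,168,1,10,19,137", "192.168.1.10"),
        ("227 Entering Passive Mode (203,0,113,5,195,80)", "203.0.113.5"),
        ("PORT 10,0,0,99,19,137", "192.168.1.10"),   # names a third host
        ("PORT 192,168,1,10,0,22", "192.168.1.10"),  # privileged port
    ]
    for text, sender in session:
        print(f"{text!r:55} -> {expected_data_endpoint(text, sender)}")
```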