[jitsi-users] meet.jit.si behind a firewall (PFSense)


#1

Hello,

at work I can not use meet.jit.si because we are behind a
firewall: I and a colleague of mine can reach the site and each of
us can see himself, but we can not see the other.

Is there something to open/configure on the firewall?

Thanks,
  Matteo


#2

A simple firewall wouldn't prevent you from communicating. Is there a proxy
involved as well?

--sent from my mobile

···

On 13 Nov 2014 1:00 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it> wrote:

Hello,

at work I can not use meet.jit.si because we are behind a firewall: I and
a colleague of mine can reach the site and each of us can see himself, but
we can not see the other.

Is there something to open/configure on the firewall?

Thanks,

Matteo

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#3

Oh, yes, Squid 3.1.20 + SquidGuard 1.5. The site is not blocked.

···

-----------------------------------------------------------------------------
From: Emil Ivov <emcho@jitsi.org>
Sent: giovedì 13 novembre 2014
To: Jitsi Users <users@jitsi.org>
Cc:
Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

A simple firewall wouldn't prevent you from communicating. Is there a proxy
involved as well?

--sent from my mobile
On 13 Nov 2014 1:00 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it> wrote:

Hello,

at work I can not use meet.jit.si because we are behind a firewall: I and
a colleague of mine can reach the site and each of us can see himself, but
we can not see the other.

Is there something to open/configure on the firewall?

Thanks,

Matteo

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#4

So I assume any sort of direct traffic to outside destinations is blocled.

You either need to whitelist meet.jit.si in your firewall and allow for
direct connections to it (RECOMMENDED), or you need to at least male sure
your proxy supports and allows HTTP CONNECT

--sent from my mobile

···

On 13 Nov 2014 3:37 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it> wrote:

Oh, yes, Squid 3.1.20 + SquidGuard 1.5. The site is not blocked.

-----------------------------------------------------------------------------

From: Emil Ivov <emcho@jitsi.org>

Sent: giovedì 13 novembre 2014

To: Jitsi Users <users@jitsi.org>

Cc:

Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

A simple firewall wouldn't prevent you from communicating. Is there a proxy

involved as well?

--sent from my mobile

On 13 Nov 2014 1:00 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it > > > > wrote:

> Hello,

>

>

>

>

>

> at work I can not use meet.jit.si because we are behind a firewall: I
and

> a colleague of mine can reach the site and each of us can see himself,
but

> we can not see the other.

>

>

>

> Is there something to open/configure on the firewall?

>

>

>

>

>

> Thanks,

>

> Matteo

>

> _______________________________________________

> users mailing list

> users@jitsi.org

> Unsubscribe instructions and other list options:

> http://lists.jitsi.org/mailman/listinfo/users

>


#5

Ciao Emil,

yes, any sort of direct traffic to outside destinations is blocled.

meet.jit.si is not blocked

Can you please tell me more about HTTP CONNECT?

Thanks,
  Matteo

···

-----------------------------------------------------------------------------
From: Emil Ivov <emcho@jitsi.org>
Sent: giovedì 13 novembre 2014, 15:46
To: Matteo Calorio <matteo.calorio@linux.ors-tech.it>
Cc: Jitsi Users <users@jitsi.org>
Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

So I assume any sort of direct traffic to outside destinations is blocled.

You either need to whitelist meet.jit.si in your firewall and allow for
direct connections to it (RECOMMENDED), or you need to at least male sure
your proxy supports and allows HTTP CONNECT

--sent from my mobile
On 13 Nov 2014 3:37 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it> wrote:

Oh, yes, Squid 3.1.20 + SquidGuard 1.5. The site is not blocked.

-----------------------------------------------------------------------------

From: Emil Ivov <emcho@jitsi.org>

Sent: giovedì 13 novembre 2014

To: Jitsi Users <users@jitsi.org>

Cc:

Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

A simple firewall wouldn't prevent you from communicating. Is there a proxy

involved as well?

--sent from my mobile

On 13 Nov 2014 1:00 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it > > > > wrote:

> Hello,

>

>

>

>

>

> at work I can not use meet.jit.si because we are behind a firewall: I
and

> a colleague of mine can reach the site and each of us can see himself,
but

> we can not see the other.

>

>

>

> Is there something to open/configure on the firewall?

>

>

>

>

>

> Thanks,

>

> Matteo

>

> _______________________________________________

> users mailing list

> users@jitsi.org

> Unsubscribe instructions and other list options:

> http://lists.jitsi.org/mailman/listinfo/users

>


#6

Ciao Emil,

yes, any sort of direct traffic to outside destinations is blocled.

meet.jit.si is not blocked

Can you please tell me more about HTTP CONNECT?

Thanks,
  Matteo

···

-----------------------------------------------------------------------------
From: Emil Ivov <emcho@jitsi.org>
Sent: giovedì 13 novembre 2014, 15:46
To: Matteo Calorio <matteo.calorio@linux.ors-tech.it>
Cc: Jitsi Users <users@jitsi.org>
Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

So I assume any sort of direct traffic to outside destinations is blocled.

You either need to whitelist meet.jit.si in your firewall and allow for
direct connections to it (RECOMMENDED), or you need to at least male sure
your proxy supports and allows HTTP CONNECT

--sent from my mobile
On 13 Nov 2014 3:37 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it> wrote:

Oh, yes, Squid 3.1.20 + SquidGuard 1.5. The site is not blocked.

-----------------------------------------------------------------------------

From: Emil Ivov <emcho@jitsi.org>

Sent: giovedì 13 novembre 2014

To: Jitsi Users <users@jitsi.org>

Cc:

Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

A simple firewall wouldn't prevent you from communicating. Is there a proxy

involved as well?

--sent from my mobile

On 13 Nov 2014 1:00 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it > > > > wrote:

> Hello,

>

>

>

>

>

> at work I can not use meet.jit.si because we are behind a firewall: I
and

> a colleague of mine can reach the site and each of us can see himself,
but

> we can not see the other.

>

>

>

> Is there something to open/configure on the firewall?

>

>

>

>

>

> Thanks,

>

> Matteo

>

> _______________________________________________

> users mailing list

> users@jitsi.org

> Unsubscribe instructions and other list options:

> http://lists.jitsi.org/mailman/listinfo/users

>


#7

Hey Matteo,

Ciao Emil,

yes, any sort of direct traffic to outside destinations is blocled.

meet.jit.si is not blocked

eeer ... if any sort of direct traffic is blocked then doesn't this
mean that direct traffic to meet.jit.si is also blocked?

If that is the case, my suggestion would be to simply whitelist
meet.jit.si. This would give you the best experience.

Can you please tell me more about HTTP CONNECT?

It allows applications to setup pips through your proxy and exchange
arbitrary data with external http destinations. Many proxies support
this.

Emil

···

On Thu, Nov 13, 2014 at 5:00 PM, Matteo Calorio <matteo.calorio@linux.ors-tech.it> wrote:

-----------------------------------------------------------------------------

From: Emil Ivov <emcho@jitsi.org>

Sent: giovedì 13 novembre 2014, 15:46

To: Matteo Calorio <matteo.calorio@linux.ors-tech.it>

Cc: Jitsi Users <users@jitsi.org>

Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

So I assume any sort of direct traffic to outside destinations is blocled.

You either need to whitelist meet.jit.si in your firewall and allow for

direct connections to it (RECOMMENDED), or you need to at least male sure

your proxy supports and allows HTTP CONNECT

--sent from my mobile

On 13 Nov 2014 3:37 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it> > > wrote:

Oh, yes, Squid 3.1.20 + SquidGuard 1.5. The site is not blocked.

-----------------------------------------------------------------------------

From: Emil Ivov <emcho@jitsi.org>

Sent: giovedì 13 novembre 2014

To: Jitsi Users <users@jitsi.org>

Cc:

Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

A simple firewall wouldn't prevent you from communicating. Is there a
proxy

involved as well?

--sent from my mobile

On 13 Nov 2014 1:00 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it >
>

wrote:

> Hello,

>

>

>

>

>

> at work I can not use meet.jit.si because we are behind a firewall: I

and

> a colleague of mine can reach the site and each of us can see himself,

but

> we can not see the other.

>

>

>

> Is there something to open/configure on the firewall?

>

>

>

>

>

> Thanks,

>

> Matteo

>

> _______________________________________________

> users mailing list

> users@jitsi.org

> Unsubscribe instructions and other list options:

> http://lists.jitsi.org/mailman/listinfo/users

>

--
https://jitsi.org


#8

Sorry, I mean any sort of direct traffic to outside destinations is blocked but there is an
exception for "meet.jit.si": any user on the LAN can connect to it even without proxy,
on any ports. If I disable proxy on my machine I can reach in effect "meet.jit.si" and
also my colleague does, but we can't see each other. Very strage...

Anyone can help me to configure Squid with "HTTP CONNECT" for "meet.jit.si"?

Thanks,
  Matteo

···

-----------------------------------------------------------------------------
From: Emil Ivov <emcho@jitsi.org>
Sent: giovedì 13 novembre 2014
To: Matteo Calorio <matteo.calorio@linux.ors-tech.it>
Cc: Jitsi Users <users@jitsi.org>
Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

Hey Matteo,

On Thu, Nov 13, 2014 at 5:00 PM, Matteo Calorio <matteo.calorio@linux.ors-tech.it> wrote:

Ciao Emil,

yes, any sort of direct traffic to outside destinations is blocled.

meet.jit.si is not blocked

eeer ... if any sort of direct traffic is blocked then doesn't this
mean that direct traffic to meet.jit.si is also blocked?

If that is the case, my suggestion would be to simply whitelist
meet.jit.si. This would give you the best experience.

Can you please tell me more about HTTP CONNECT?

It allows applications to setup pips through your proxy and exchange
arbitrary data with external http destinations. Many proxies support
this.

Emil

-----------------------------------------------------------------------------

From: Emil Ivov <emcho@jitsi.org>

Sent: giovedì 13 novembre 2014, 15:46

To: Matteo Calorio <matteo.calorio@linux.ors-tech.it>

Cc: Jitsi Users <users@jitsi.org>

Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

So I assume any sort of direct traffic to outside destinations is blocled.

You either need to whitelist meet.jit.si in your firewall and allow for

direct connections to it (RECOMMENDED), or you need to at least male sure

your proxy supports and allows HTTP CONNECT

--sent from my mobile

On 13 Nov 2014 3:37 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it> > > wrote:

Oh, yes, Squid 3.1.20 + SquidGuard 1.5. The site is not blocked.

-----------------------------------------------------------------------------

From: Emil Ivov <emcho@jitsi.org>

Sent: giovedì 13 novembre 2014

To: Jitsi Users <users@jitsi.org>

Cc:

Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

A simple firewall wouldn't prevent you from communicating. Is there a
proxy

involved as well?

--sent from my mobile

On 13 Nov 2014 1:00 PM, "Matteo Calorio" <matteo.calorio@linux.ors-tech.it >
>


#9

Sorry, I mean any sort of direct traffic to outside destinations is blocked
but there is an exception for "meet.jit.si": any user on the LAN can connect
to it even without proxy, on any ports. If I disable proxy on my machine I
can reach in effect "meet.jit.si" and also my colleague does, but we can't
see each other. Very strage...

You need to allow outbound UDP to the Videobridge.

Anyone can help me to configure Squid with "HTTP CONNECT" for "meet.jit.si"?

Squid is not involved in the audio/video streams.

(Unless I missed some development that the bridge now can stream over http.)

Thanks,
Matteo

Ingo


#10

According to our firewall rules we should access to the videobridge. This is what I get
from nmap:

# nmap -sS meet.jit.si

Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-14 11:13 CET
Nmap scan report for meet.jit.si (176.31.40.80)
Host is up (0.027s latency).
rDNS record for 176.31.40.80: lambada.jitsi.net
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
445/tcp filtered microsoft-ds
4443/tcp open pharos
5222/tcp open xmpp-client
5269/tcp open xmpp-server
5280/tcp open xmpp-bosh
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 279.27 seconds

# nmap -sU meet.jit.si
                                                                                                                                                                                                                                             
Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-14 11:22 CET
Nmap scan report for meet.jit.si (176.31.40.80)
Host is up (0.027s latency).
rDNS record for 176.31.40.80: lambada.jitsi.net
Not shown: 981 closed ports
PORT STATE SERVICE
1008/udp open|filtered ufsd
1020/udp open|filtered unknown
1025/udp open|filtered blackjack
1055/udp open|filtered ansyslmd
5093/udp open|filtered sentinel-lm
6050/udp open|filtered x11
16708/udp open|filtered unknown
19728/udp open|filtered unknown
19935/udp open|filtered unknown
20217/udp open|filtered unknown
25157/udp open|filtered unknown
30365/udp open|filtered unknown
32774/udp open|filtered sometimes-rpc12
35777/udp open|filtered unknown
39632/udp open|filtered unknown
39714/udp open|filtered unknown
42056/udp open|filtered unknown
43195/udp open|filtered unknown
57172/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1140.90 seconds

Thanks,
  Matteo

···

-----------------------------------------------------------------------------
From: Ingo Bauersachs <ingo@jitsi.org>
Sent: venerdì 14 novembre 2014
To: 'Jitsi Users' <users@jitsi.org>
Cc:
Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

Sorry, I mean any sort of direct traffic to outside destinations is blocked
but there is an exception for "meet.jit.si": any user on the LAN can connect
to it even without proxy, on any ports. If I disable proxy on my machine I
can reach in effect "meet.jit.si" and also my colleague does, but we can't
see each other. Very strage...

You need to allow outbound UDP to the Videobridge.

Anyone can help me to configure Squid with "HTTP CONNECT" for "meet.jit.si"?

Squid is not involved in the audio/video streams.

(Unless I missed some development that the bridge now can stream over http.)

Thanks,
Matteo

Ingo

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#11

The bridge can stream over tcp and is configured to listen on 443. So it
should work if squid allows HTTP connect.

--sent from my mobile

···

On 14 Nov 2014 11:06 AM, "Ingo Bauersachs" <ingo@jitsi.org> wrote:

> Sorry, I mean any sort of direct traffic to outside destinations is
blocked
> but there is an exception for "meet.jit.si": any user on the LAN can
connect
> to it even without proxy, on any ports. If I disable proxy on my machine
I
> can reach in effect "meet.jit.si" and also my colleague does, but we
can't
> see each other. Very strage...

You need to allow outbound UDP to the Videobridge.

> Anyone can help me to configure Squid with "HTTP CONNECT" for "
meet.jit.si"?

Squid is not involved in the audio/video streams.

(Unless I missed some development that the bridge now can stream over
http.)

> Thanks,
> Matteo

Ingo

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#12

Hello,

maybe it's not a firewall problem: also at home I can not make two PC with the same
OS and Chrome version communicate each other with meet.jit.si. I have Chrome
Version 38.0.2125.101 Built on jessie/sid, running on Debian jessie/sid (290379) (64-
bit)

Bye,
  Matteo

···

-----------------------------------------------------------------------------
From: Matteo Calorio <matteo.calorio@linux.ors-tech.it>
Sent: venerdì 14 novembre 2014
To: users@jitsi.org
Cc:
Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

According to our firewall rules we should access to the videobridge. This is what I get
from nmap:

# nmap -sS meet.jit.si

Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-14 11:13 CET
Nmap scan report for meet.jit.si (176.31.40.80)
Host is up (0.027s latency).
rDNS record for 176.31.40.80: lambada.jitsi.net
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
445/tcp filtered microsoft-ds
4443/tcp open pharos
5222/tcp open xmpp-client
5269/tcp open xmpp-server
5280/tcp open xmpp-bosh
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 279.27 seconds

# nmap -sU meet.jit.si
                                                                                                                                                                                                                                             
Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-14 11:22 CET
Nmap scan report for meet.jit.si (176.31.40.80)
Host is up (0.027s latency).
rDNS record for 176.31.40.80: lambada.jitsi.net
Not shown: 981 closed ports
PORT STATE SERVICE
1008/udp open|filtered ufsd
1020/udp open|filtered unknown
1025/udp open|filtered blackjack
1055/udp open|filtered ansyslmd
5093/udp open|filtered sentinel-lm
6050/udp open|filtered x11
16708/udp open|filtered unknown
19728/udp open|filtered unknown
19935/udp open|filtered unknown
20217/udp open|filtered unknown
25157/udp open|filtered unknown
30365/udp open|filtered unknown
32774/udp open|filtered sometimes-rpc12
35777/udp open|filtered unknown
39632/udp open|filtered unknown
39714/udp open|filtered unknown
42056/udp open|filtered unknown
43195/udp open|filtered unknown
57172/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1140.90 seconds

Thanks,
  Matteo

-----------------------------------------------------------------------------
From: Ingo Bauersachs <ingo@jitsi.org>
Sent: venerdì 14 novembre 2014
To: 'Jitsi Users' <users@jitsi.org>
Cc:
Subject: Re: [jitsi-users] meet.jit.si behind a firewall (PFSense)

Sorry, I mean any sort of direct traffic to outside destinations is blocked
but there is an exception for "meet.jit.si": any user on the LAN can connect
to it even without proxy, on any ports. If I disable proxy on my machine I
can reach in effect "meet.jit.si" and also my colleague does, but we can't
see each other. Very strage...

You need to allow outbound UDP to the Videobridge.

Anyone can help me to configure Squid with "HTTP CONNECT" for "meet.jit.si"?

Squid is not involved in the audio/video streams.

(Unless I missed some development that the bridge now can stream over http.)

Thanks,
Matteo

Ingo

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users