From: Dirk-Willem van Gulik
To: Juliusz Chroboczek
Date: Sun, 11 Feb 2024 21:53:47 +0100
In-Reply-To: <87o7cmhole.wl-jch@irif.fr>
References: <87o7cmhole.wl-jch@irif.fr>
CC: galene@lists.galene.org
Subject: [Galene] Re: udp-port range and subsequent "turn" use of ports outside that range
List-Id: Galène videoconferencing server discussion list

> On 11 Feb 2024, at 18:56, Juliusz Chroboczek wrote:
>
>> I've got a minor puzzle in a fairly simple setup; where galene is behind
>> a reverse proxy & in a freebsd jail (to co-exist with another
>> video/blackboard/sip servers).
>
> This is described in the section "Configure your server's firewall" of the
> documentation. :)

which was followed to the letter - and works as advertised with the
exception of limiting galene to the (large) range provided.

> Galene uses:
>
> - one TCP port for the web server, as specified by the option "-http";
>
> - one TCP and one UDP port for the TURN server, as specified by the
>   option "-turn";
>
> - many UDP ports (one per media stream), which are chosen randomly in
>   the ephemeral port range of your system, and may be restricted using
>   the option "-udp-range".

Right - and as per the email - all this was done exactly in this fashion.

> The use of "-udp-range" is not recommended, since giving Galene too few
> ports will cause issues when the range runs out.
Correct - but the issue that surprised me was the error:

turn ERROR: 2024/02/11 14:26:36 Failed to handle datagram:
unable to handle ChannelData from 127.0.1.12:32895:
failed writing to socket: write udp4 127.0.1.12:24074->DESTINATION_IP:54924:
sendto: permission denied

for the very first packet ever sent out. I.e. where specifically the ports
selected are outside the 10.000 (ten thousand) ports made available. This
large, 10k, number was chosen to prevent Galene from running out. However it
appears - even for the very first connection - to not select from this range.

Does something other than the flags:

-turn :1194 -udp-range 18100-19100

need to be set to constrain the TURN port choice?

Dw
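As an added diagnostic, not code from this thread or from Galene itself: a small checker that scans TURN error lines like the one quoted above and flags any local UDP port that falls outside the configured -udp-range. The function names and the sample log are my own constructions; the first sample line is the quoted error joined onto a single line, the second is an invented in-range write.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the "write udp4 LOCAL->REMOTE" fragment of the quoted TURN error; hosts
# run up to the next ':' so a placeholder like DESTINATION_IP parses like an IPv4.
_WRITE_RE = re.compile(
    r"write udp[46]?\s+(?P<lhost>[^\s:]+):(?P<lport>\d+)"
    r"->(?P<rhost>[^\s:]+):(?P<rport>\d+)"
)

@dataclass
class PortCheck:
    local_port: int    # port the TURN relay sent from
    remote_port: int   # peer port it tried to reach
    in_range: bool     # is local_port inside the configured -udp-range?

def parse_udp_range(spec: str) -> tuple[int, int]:
    """Parse a '-udp-range LOW-HIGH' value into (low, high) and validate it."""
    low, high = (int(x) for x in spec.split("-", 1))
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad udp range: {spec}")
    return low, high

def check_line(line: str, udp_range: tuple[int, int]) -> PortCheck | None:
    """PortCheck for a line carrying a UDP write error, None for other lines."""
    m = _WRITE_RE.search(line)
    if m is None:
        return None
    lport, rport = int(m.group("lport")), int(m.group("rport"))
    low, high = udp_range
    return PortCheck(lport, rport, low <= lport <= high)

def find_out_of_range(log: str, spec: str) -> list[PortCheck]:
    """Every UDP write error in `log` whose local port falls outside `spec`."""
    rng = parse_udp_range(spec)
    checks = (check_line(line, rng) for line in log.splitlines())
    return [c for c in checks if c is not None and not c.in_range]

# Constructed sample: line one is the error quoted in the message, joined onto
# a single line; line two is an invented write from a port inside the range.
SAMPLE_LOG = """\
turn ERROR: 2024/02/11 14:26:36 Failed to handle datagram: unable to handle ChannelData from 127.0.1.12:32895: failed writing to socket: write udp4 127.0.1.12:24074->DESTINATION_IP:54924: sendto: permission denied
turn ERROR: 2024/02/11 14:26:40 failed writing to socket: write udp4 127.0.1.12:18500->DESTINATION_IP:54925: sendto: permission denied
"""

for c in find_out_of_range(SAMPLE_LOG, "18100-19100"):
    print(f"local port {c.local_port} is outside the configured -udp-range")
```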