Hi,

My customer has an outdated firewall that is also presenting a NAT nightmare for getting the Asterisk server reachable from the internet.

What firewalls work good with VOIP? I really want to steer away from any ALG supported firewall. I just want a good firewall that works well with Asterisk.

Thanks,

David Wathen

David Wathen wrote:
> Hi,
>
> My customer has an outdated firewall that is also presenting a NAT
> nightmare for getting the Asterisk server reachable from the internet.
>
> What firewalls work good with VOIP? I really want to steer away from
> any ALG supported firewall. I just want a good firewall that works
> well with Asterisk.

I'd suggest a Linux based firewall (pf or iptables) along with Firewall Builder: http://www.fwbuilder.org

Doug

--
Ben Franklin quote: "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

Cisco PIX and/or ASA work great. Buy them used on eBay.

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of David Wathen
Sent: Tuesday, October 13, 2009 11:04 AM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: [asterisk-users] Best Firewall Suggestions?

Hi,

My customer has an outdated firewall that is also presenting a NAT nightmare for getting the Asterisk server reachable from the internet.

What firewalls work good with VOIP? I really want to steer away from any ALG supported firewall. I just want a good firewall that works well with Asterisk.

Thanks,

David Wathen

On Tue, 13 Oct 2009, David Wathen wrote:
> Hi,
>
> My customer has an outdated firewall that is also presenting a NAT nightmare
> for getting the Asterisk server reachable from the internet.
>
> What firewalls work good with VOIP? I really want to steer away from any ALG
> supported firewall. I just want a good firewall that works well with
> Asterisk.

I use Draytek Vigor 2820's these days. Mostly (when not having something more "corporate" or dealing with geeks who want a Linux based one). Built in hardware assist VPN too.

They do have a SIP ALG, but it's turned off by default (the earlier ones had it turned on).

Port forwarding works as you'd expect it to, and the traffic shaping is better than no traffic shaping.

Gordon

David Wathen wrote:
> Hi,
>
> My customer has an outdated firewall that is also presenting a NAT
> nightmare for getting the Asterisk server reachable from the internet.
>
> What firewalls work good with VOIP? I really want to steer away from
> any ALG supported firewall. I just want a good firewall that works
> well with Asterisk.
>
> Thanks,
>
> David Wathen

Depends on what level of firewall you're looking for. For a full firewall on either a dedicated system or one of your own, I cannot strongly enough recommend Astaro Linux firewall. Better throughput than a pix, worlds easier to operate and configure, and comparable in price. Very SIP/VoIP friendly. Loads of optional modules (we use its mail filter module to filter spam/viruses for several hundred thousand user mailboxes, for instance) to limit the cost to what you need. Also has a built in SIP Proxy, although I've never used it. Excellent platform.

Of course, at home, I just use a little Linksys WRT box. It's hardly a corporate-grade firewall, but it's quite SIP-friendly.

N.

I think one of the very best options is pfSense. Free, open-source, but it's BSD based, rather than Linux based. As such it has a lower risk of external exploits. The user-interface makes it incredibly simple to set up and maintain.

There is an embedded version of it available to run on affordable/reliable solid-state, diskless, fanless Soekris/PCEngines embedded system boards.

It's incredibly powerful, and it's ROCK SOLID. I find the traffic shaping engine to work without a hitch.

pfSense can do anything you want including VPN (PPTP, IPSec, OpenVPN), failover (Multi-WAN), IDS/IPS (snort).

The NEWEST embedded version 1.2.3 rc3 (1.2.3-release is very close) can run the siproxd package as well as many other packages that previously required the FULL version.

Goodbye one-way audio! :-)

-Karl

----- Original Message -----
From: David Wathen
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Sent: Tuesday, October 13, 2009 11:04 AM
Subject: [asterisk-users] Best Firewall Suggestions?

Hi,

My customer has an outdated firewall that is also presenting a NAT nightmare for getting the Asterisk server reachable from the internet.

What firewalls work good with VOIP? I really want to steer away from any ALG supported firewall. I just want a good firewall that works well with Asterisk.

Thanks,

David Wathen

Almost all your solutions require a second server or some hardware, why do you use shorewall? It's an iptables rule generator with friendly config files. Mine was up and running in 30 min of reading some docs. And you can trace all traffic live.

Good day.

On Tue, Oct 13, 2009 at 3:53 PM, Grygoriy Dobrovolskyy <megahohol at gmail.com> wrote:
> Almost all your solutions require a second server or some hardware, why do you
> use shorewall? It's an iptables rule generator with friendly config files.
> Mine was up and running in 30 min of reading some docs. And you can trace
> all traffic live.
> Good day.

I was able to get Asterisk installed on a Vyatta image on an R200 with some hackery, it worked, just have yet to try it in production.

Thanks,
Steve T

On 10:04, Tue 13 Oct 09, David Wathen wrote:
> Hi,
>
> My customer has an outdated firewall that is also presenting a NAT nightmare
> for getting the Asterisk server reachable from the internet.
>
> What firewalls work good with VOIP? I really want to steer away from any ALG
> supported firewall. I just want a good firewall that works well with
> Asterisk.

We use OpenBSD with the built-in pf and it works great.

--
Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"

Interesting.

On my asterisk box I have installed Virtualbox and I run my firewall/router in a VM, a stripped down Linux box with iptables. I have snapshotted the image to a working image.

It only does IP forwarding/VPN/iptables stuff. Ends up being a low footprint, 256M + 8G.

/ Alex

On Tue, Oct 13, 2009 at 09:53:54PM +0200, Grygoriy Dobrovolskyy wrote:
> Almost all your solutions require a second server or some hardware, why do you
> use shorewall? It's an iptables rule generator with friendly config files.
> Mine was up and running in 30 min of reading some docs. And you can trace
> all traffic live.
> Good day.

--
A prisoner of war is a man who tries to kill you and fails, and then asks you not to kill him.
-- Sir Winston Churchill, 1952

> My customer has an outdated firewall that is also presenting a NAT nightmare
> for getting the Asterisk server reachable from the internet.
>
> What firewalls work good with VOIP? I really want to steer away from any ALG
> supported firewall. I just want a good firewall that works well with
> Asterisk.

We're running IPCop (Linux based, open source, 100% free), and it's been fantastic for us. www.ipcop.org

I spent weeks trialing many others. Even had Astaro send me out a trial box to use. I think we short-listed this down to pfSense, SmoothWall, Astaro and IPCop.

It's been a while since we did this, so newer versions might have different test results now, but (if I remember correctly):

1. pfSense - Solid, but was a bit picky on network adapters (we wanted to use a Quad NIC for this). Also was a bit cryptic for setup, but that's probably just us being too lazy to RTFM.

2. Shorewall - this worked out of the box, looked easy to set up, etc. But when it came down to supporting multiple external WAN IP addresses that we had, it fell short and was dismissed as an option. I believe that their commercial version did support this, but had a hard time trying to find who to buy the damn thing from.

3. Astaro - great company to work with. Really helpful, great tech support, etc. Loving all of that. Not loving the $2K+ price tag for what we needed. But then we are stingy and cheap. That's just us. If you have commercial clients and budget, this looked really good.

4. IPCop - it's free. Was a dream to install and set up. Support via their mailing list was awesome. The people there didn't make us feel like newbs when we had basic questions to ask. Feature set rivaled all other products, and there is a pretty healthy add-on market for it. QoS was decent, although there are add-ons for better QoS granularity.

We chose IPCop. Been running it with Asterisk and our other network apps, servers, etc. for about 4 months straight. Never needed a reboot. Never crashed. Low footprint, and runs on some old dog hardware we had lying around.

Like I said, this review is about 6 months old, so things change. That's our biz. Go figure.

Of course, your mileage may vary.

Myles

--
======================
Myles Wakeham
Director of Engineering
Tech Solutions USA, Inc.
Scottsdale, Arizona USA
http://www.techsolusa.com
Phone +1-480-451-7440

Hello,

We are using Vyatta, a Linux based router. The software is more focused on routing capabilities than on firewall rules, but it works fine and there is very good support. For HA you can use it in a cluster.

Bye,
Patrick

--
Niemann + Frey GmbH
Bischofstraße 80
47809 Krefeld
Tel. +49 2151 5554-263
Managing Director: Gerd Frey
Registered office and court of registration: Krefeld HRB 10851