I came across

----

http://www.shorewall.net/FAQ.htm

VOIP
(FAQ 77) Shorewall is eating my Asterisk egress traffic!

Somehow, my firewall config is causing a one-way audio problem in Asterisk. If a person calls into the PBX, they cannot hear me speaking, but I can hear them. If I plug the Asterisk server directly into the router, bypassing the firewall, the problem goes away.

Answer (requires Shorewall 4.0.6 or later): If your kernel version is 2.6.20 or earlier:

rmmod ip_nat_sip
rmmod ip_conntrack_sip

----

Which works great. Though I'm running a remote box with Shorewall 4.4.4-2 pushing the config via 'shorewall reload -c ip_address' with the line 'DONT_LOAD=ip_nat_sip,ip_conntrack_sip' added to the shorewall.conf file to a box running Shorewall-lite 4.4.4-2. When the push is done ip_nat_sip and ip_conntrack_sip are loaded again.

How do I resolve this?

--
Steven Galante
Network Engineer
Manhattan College
4513 Manhattan College Parkway
Riverdale, NY 10471
P: (718) 862-7499
F: (718) 862-8024
steven.galante@manhattan.edu

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
Steven Galante wrote:
> I came across
>
> ----
>
> http://www.shorewall.net/FAQ.htm
>
> VOIP
> (FAQ 77) Shorewall is eating my Asterisk egress traffic!
>
> Somehow, my firewall config is causing a one-way audio problem in
> Asterisk. If a person calls into the PBX, they cannot hear me speaking,
> but I can hear them. If I plug the Asterisk server directly into the
> router, bypassing the firewall, the problem goes away.
>
> Answer (requires Shorewall 4.0.6 or later): If your kernel version is
> 2.6.20 or earlier:
>
> rmmod ip_nat_sip
> rmmod ip_conntrack_sip
>
> ----
>
> Which works great. Though I'm running a remote box with Shorewall
> 4.4.4-2 pushing the config via 'shorewall reload -c ip_address' with
> the line
> 'DONT_LOAD=ip_nat_sip,ip_conntrack_sip' added to the shorewall.conf file
> to a box running Shorewall-lite 4.4.4-2. When the push is done
> ip_nat_sip and ip_conntrack_sip are loaded again.
>
> How do I resolve this?

Please try the attached patch on your administrative system:

patch /usr/share/shorewall/Shorewall/Config.pm < dont_load.diff

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Steven Galante wrote:
>> I came across
>>
>> ----
>>
>> http://www.shorewall.net/FAQ.htm
>>
>> VOIP
>> (FAQ 77) Shorewall is eating my Asterisk egress traffic!
>>
>> Somehow, my firewall config is causing a one-way audio problem in
>> Asterisk. If a person calls into the PBX, they cannot hear me speaking,
>> but I can hear them. If I plug the Asterisk server directly into the
>> router, bypassing the firewall, the problem goes away.
>>
>> Answer (requires Shorewall 4.0.6 or later): If your kernel version is
>> 2.6.20 or earlier:
>>
>> rmmod ip_nat_sip
>> rmmod ip_conntrack_sip
>>
>> ----
>>
>> Which works great. Though I'm running a remote box with Shorewall
>> 4.4.4-2 pushing the config via 'shorewall reload -c ip_address' with
>> the line
>> 'DONT_LOAD=ip_nat_sip,ip_conntrack_sip' added to the shorewall.conf file
>> to a box running Shorewall-lite 4.4.4-2. When the push is done
>> ip_nat_sip and ip_conntrack_sip are loaded again.
>>
>> How do I resolve this?
>
> Please try the attached patch on your administrative system:
>
> patch /usr/share/shorewall/Shorewall/Config.pm < dont_load.diff
>

Please disregard this suggested patch. As far as I can see, if you set DONT_LOAD in the remote firewall's shorewall.conf file, it should be applied on the remote system.

-Tom
On Mon, 2009-12-07 at 13:00 -0800, Tom Eastep wrote:
>
> Please disregard this suggested patch. As far as I can see, if you set
> DONT_LOAD in the remote firewall's shorewall.conf file, it should be
> applied on the remote system.

Yeah. Hrm. I had the similar issue with LOGFILE and the remote's shorewall-lite.conf. But it would be good to be able to control these sorts of options from the local (i.e. full) shorewall installations and treat the remotes like appliances with no configurable knobs and switches.

Not a showstopper for me to be sure, but just a thought for future implementations if you happen to be grubbing around in the code that would achieve that.

b.

------------------------------------------------------------------------------
Return on Information: Google Enterprise Search pays you back
Get the facts.
http://p.sf.net/sfu/google-dev2dev
Brian J. Murrell wrote:
> On Mon, 2009-12-07 at 13:00 -0800, Tom Eastep wrote:
>> Please disregard this suggested patch. As far as I can see, if you set
>> DONT_LOAD in the remote firewall's shorewall.conf file, it should be
>> applied on the remote system.
>
> Yeah. Hrm. I had the similar issue with LOGFILE and the remote's
> shorewall-lite.conf. But it would be good to be able to control these
> sorts of options from the local (i.e. full) shorewall installations and
> treat the remotes like appliances with no configurable knobs and
> switches.
>
> Not a showstopper for me to be sure, but just a thought for future
> implementations if you happen to be grubbing around in the code that
> would achieve that.

By 'remote firewall's shorewall.conf', I meant the one in the firewall's directory on the administrative system (not /etc/shorewall-lite/shorewall-lite.conf). In other words, it should work the way that you would want it to.

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Steven Galante wrote:
>>> I came across
>>>
>>> ----
>>>
>>> http://www.shorewall.net/FAQ.htm
>>>
>>> VOIP
>>> (FAQ 77) Shorewall is eating my Asterisk egress traffic!
>>>
>>> Somehow, my firewall config is causing a one-way audio problem in
>>> Asterisk. If a person calls into the PBX, they cannot hear me speaking,
>>> but I can hear them. If I plug the Asterisk server directly into the
>>> router, bypassing the firewall, the problem goes away.
>>>
>>> Answer (requires Shorewall 4.0.6 or later): If your kernel version is
>>> 2.6.20 or earlier:
>>>
>>> rmmod ip_nat_sip
>>> rmmod ip_conntrack_sip
>>>
>>> ----
>>>
>>> Which works great. Though I'm running a remote box with Shorewall
>>> 4.4.4-2 pushing the config via 'shorewall reload -c ip_address' with
>>> the line
>>> 'DONT_LOAD=ip_nat_sip,ip_conntrack_sip' added to the shorewall.conf file
>>> to a box running Shorewall-lite 4.4.4-2. When the push is done
>>> ip_nat_sip and ip_conntrack_sip are loaded again.
>>>
>>> How do I resolve this?
>> Please try the attached patch on your administrative system:
>>
>> patch /usr/share/shorewall/Shorewall/Config.pm < dont_load.diff
>>
>
> Please disregard this suggested patch. As far as I can see, if you set
> DONT_LOAD in the remote firewall's shorewall.conf file, it should be
> applied on the remote system.

The problem is the use of '-c' in the reload command. That runs the shorecap program on the remote firewall system, which does not honor the DONT_LOAD setting on the local system; it loads all modules listed in /usr/share/shorewall-lite/modules.

You should be able to work around the problem on the firewall system by copying /usr/share/shorewall-lite/modules to /etc/shorewall-lite/ and modifying the copy to remove ip_nat_sip and ip_conntrack_sip.

-Tom
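The workaround Tom describes, scripted as an added example that is not Shorewall's own code: it copies the modules file while dropping every module that DONT_LOAD names, so shorecap has nothing left to load for them. It assumes the modules file uses one 'loadmodule <name>' directive per line, and the sample files below are constructed rather than taken from a real install.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. It mechanises the workaround
# from the thread: build a trimmed copy of the Shorewall-lite "modules"
# file that omits every module named in DONT_LOAD, so that shorecap,
# which reads the modules file rather than DONT_LOAD, cannot load them.
# Assumption: the modules file holds one "loadmodule <name>" per line.

# filter_modules SRC CONF DST: copy SRC to DST, dropping loadmodule lines
# whose module name appears in the DONT_LOAD= setting found in CONF.
filter_modules() {
    src=$1; conf=$2; dst=$3
    # DONT_LOAD is comma-separated; turn it into one name per line and
    # strip any surrounding quotes.
    skip=$(sed -n 's/^DONT_LOAD=//p' "$conf" | tr -d '"' | tr ',' '\n')
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            loadmodule*)
                set -- $line             # $2 is now the module name
                if [ -n "$2" ] && printf '%s\n' "$skip" | grep -qx -- "$2"; then
                    continue             # listed in DONT_LOAD: drop it
                fi ;;
        esac
        printf '%s\n' "$line"
    done < "$src" > "$dst"
}

# count_module FILE NAME: number of loadmodule lines for NAME in FILE
# (0 means the module is no longer requested).
count_module() {
    grep -Ec "^loadmodule[[:space:]]+$2\$" "$1" || true
}

# Constructed sample input standing in for a real install; the two
# modules from the thread sit among others that must survive.
tmp=$(mktemp -d)
cat > "$tmp/modules" <<'EOF'
# constructed sample of /usr/share/shorewall-lite/modules
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_nat_sip
loadmodule ip_conntrack_sip
loadmodule ip_nat_ftp
EOF
printf 'DONT_LOAD=ip_nat_sip,ip_conntrack_sip\n' > "$tmp/shorewall.conf"

filter_modules "$tmp/modules" "$tmp/shorewall.conf" "$tmp/modules.filtered"
cat "$tmp/modules.filtered"
```

On the firewall itself the destination would be /etc/shorewall-lite/modules; afterwards, lsmod on that box shows whether the two SIP helpers stay unloaded across a reload.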
Tom Eastep wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Steven Galante wrote:
>>>> I came across
>>>>
>>>> ----
>>>>
>>>> http://www.shorewall.net/FAQ.htm
>>>>
>>>> VOIP
>>>> (FAQ 77) Shorewall is eating my Asterisk egress traffic!
>>>>
>>>> Somehow, my firewall config is causing a one-way audio problem in
>>>> Asterisk. If a person calls into the PBX, they cannot hear me speaking,
>>>> but I can hear them. If I plug the Asterisk server directly into the
>>>> router, bypassing the firewall, the problem goes away.
>>>>
>>>> Answer (requires Shorewall 4.0.6 or later): If your kernel version is
>>>> 2.6.20 or earlier:
>>>>
>>>> rmmod ip_nat_sip
>>>> rmmod ip_conntrack_sip
>>>>
>>>> ----
>>>>
>>>> Which works great. Though I'm running a remote box with Shorewall
>>>> 4.4.4-2 pushing the config via 'shorewall reload -c ip_address' with
>>>> the line
>>>> 'DONT_LOAD=ip_nat_sip,ip_conntrack_sip' added to the shorewall.conf file
>>>> to a box running Shorewall-lite 4.4.4-2. When the push is done
>>>> ip_nat_sip and ip_conntrack_sip are loaded again.
>>>>
>>>> How do I resolve this?
>>> Please try the attached patch on your administrative system:
>>>
>>> patch /usr/share/shorewall/Shorewall/Config.pm < dont_load.diff
>>>
>> Please disregard this suggested patch. As far as I can see, if you set
>> DONT_LOAD in the remote firewall's shorewall.conf file, it should be
>> applied on the remote system.
>
> The problem is the use of '-c' in the reload command. That runs the
> shorecap program on the remote firewall system which does not honor the
> DONT_LOAD setting on the local system; it loads all modules listed in
> /usr/share/shorewall-lite/modules.
>
> You should be able to work around the problem on the firewall system by
> copying /usr/share/shorewall-lite/modules to /etc/shorewall-lite/ and
> modifying the copy to remove ip_nat_sip and ip_conntrack_sip.

Here is a tested patch for /sbin/shorewall that you can apply on your administrative system:

patch /sbin/shorewall < dont_load1.diff

-Tom
On Mon, 2009-12-07 at 14:10 -0800, Tom Eastep wrote:
>
> By 'remote firewall's shorewall.conf', I meant the one in the
> firewall's directory on the administrative system (not
> /etc/shorewall-lite/shorewall-lite.conf).

Ahh. I see. Indeed, I do have a shorewall.conf on the administrative system, in the directory for the remote node, but I also have one physically on the remote node in /etc/shorewall-lite/shorewall-lite.conf. Is one an augmentation of the other? In my case, could I have just as easily put LOGFILE=/dev/null in the shorewall.conf on the administrative system?

> In other words, it should work the way that you would want it to.

Sounds like it is so. Excellent.

b.
Brian J. Murrell wrote:
> On Mon, 2009-12-07 at 14:10 -0800, Tom Eastep wrote:
>> By 'remote firewall's shorewall.conf', I meant the one in the
>> firewall's directory on the administrative system (not
>> /etc/shorewall-lite/shorewall-lite.conf).
>
> Ahh. I see. Indeed, I do have a shorewall.conf on the administrative
> system, in the directory for the remote node, but I also have one
> physically on the remote node
> in /etc/shorewall-lite/shorewall-lite.conf. Is one an augmentation of
> the other?

The local one (shorewall-lite.conf) can be used to override the settings on the administrative system.

> In my case, could I have just as easily put
> LOGFILE=/dev/null in the shorewall.conf on the administrative system?

Yes.

-Tom