Hello,

I am using shorewall+openvpn to bridge 2 networks and it works ok. On the
left-hand network I have a SIP-server and on the right hand SIP-Phone
(172.16.22.75). This SIP-phone cannot connect to the
SIP-Server (172.16.22.247).

On the right-hand firewall (172.16.0.1) I see the correct UDP requests
invoking
tcpdump -i br0 dst host 172.16.22.247
IP 172.16.22.75.sip > 172.16.22.247.sip: SIP, length: 522
IP 172.16.22.75.sip > 172.16.22.247.sip: SIP, length: 522

left-hand firewall (172.16.0.2)
17:21:59.810074 IP 172.16.0.1.sip > 172.16.22.247.sip: SIP, length: 521
17:22:03.809799 IP 172.16.0.1.sip > 172.16.22.247.sip: SIP, length: 521

looks like left-hand firewall is not getting the packet from the
correct source?

doing a Ping from right-side client (172.16.126.8) to a machine on the
left-hand-client (172.16.99.2) results in this which looks correct

right-side-firewall
tcpdump -i br0 dst host 172.16.99.2
IP 172.16.128.8 > 172.16.99.2: ICMP echo request, id 57101...
IP 172.16.128.8 > 172.16.99.2: ICMP echo request, id 57101...

left-side firewall
tcpdump -i br0 dst host 172.16.99.2
IP 172.16.128.8 > 172.16.99.2: ICMP echo request, id 57101...
IP 172.16.128.8 > 172.16.99.2: ICMP echo request, id 57101...

any idea where I should look at or potential mistake I am making?

kind regards
claus
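The by-hand comparison in the message above (same tcpdump filter on both firewalls, then checking whether the source address survived the tunnel) can be scripted. This is an added example, not part of the original thread: the function names are hypothetical and the two sample captures are constructed from the tcpdump lines quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample input: tcpdump lines quoted in the message above,
# grouped by the firewall they were captured on.
RIGHT_FW = """\
IP 172.16.22.75.sip > 172.16.22.247.sip: SIP, length: 522
IP 172.16.128.8 > 172.16.99.2: ICMP echo request, id 57101...
"""
LEFT_FW = """\
17:21:59.810074 IP 172.16.0.1.sip > 172.16.22.247.sip: SIP, length: 521
IP 172.16.128.8 > 172.16.99.2: ICMP echo request, id 57101...
"""

# tcpdump prints "host.port" for UDP/TCP and a bare host for ICMP;
# the leading timestamp is optional.
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\S+))? > "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.([^:\s]+))?:\s+(\w+)"
)

def sources_by_flow(capture):
    """Map (dst host, dst port, protocol) -> set of source hosts seen."""
    flows = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            src, _sport, dst, dport, proto = m.groups()
            flows[(dst, dport, proto)].add(src)
    return flows

def rewritten_sources(near, far):
    """Flows seen at both capture points whose source hosts differ."""
    near_flows, far_flows = sources_by_flow(near), sources_by_flow(far)
    findings = []
    for flow in sorted(near_flows.keys() & far_flows.keys(), key=str):
        if near_flows[flow] != far_flows[flow]:
            findings.append({
                "flow": flow,
                "sent_from": sorted(near_flows[flow]),
                "arrived_from": sorted(far_flows[flow]),
            })
    return findings

if __name__ == "__main__":
    for f in rewritten_sources(RIGHT_FW, LEFT_FW):
        print(f["flow"], f["sent_from"], "->", f["arrived_from"])
```

On these lines only the SIP flow is reported: it leaves as 172.16.22.75 and arrives as 172.16.0.1, while the ICMP flow keeps its source on both sides.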
On 2/9/11 8:44 AM, claus wrote:
> any idea where I should look at or potential mistake I am making?

Try unloading the SIP helper kernel modules. Instructions are in the FAQ.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hello Tom,

prior to my post I followed FAQ77 and verified nf_conntrack_sip is not
loaded. both firewalls run ubuntu 2.6.26 or later

kind regards
claus

On 09.02.2011 18:14, Tom Eastep wrote:
> Try unloading the SIP helper kernel modules. Instructions are in the FAQ.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 2/9/11 10:41 AM, claus westerkamp wrote:
> Hello Tom,
>
> prior to my post I followed FAQ77 and verified nf_conntrack_sip is not
> loaded. both firewalls run ubuntu 2.6.26 or later

We'll need to see the output of 'shorewall dump' collected as described
in http://www.shorewall.net/support.htm.

Thanks,
-Tom
Hello Tom,

thanks for your suggestions. It turned out I had to add
right-side-network to the left-side-firewall.

Everything is ok now, though DHCP still doesn't work but I won't need it
anymore.

keep the great work going

kind regards
claus

On 09.02.2011 21:52, Tom Eastep wrote:
> We'll need to see the output of 'shorewall dump' collected as described
> in http://www.shorewall.net/support.htm.
>
> Thanks,
> -Tom
Surely you just specify DHCP as an option in the interfaces file?

On Thu, Feb 10, 2011 at 4:02 PM, claus westerkamp <claus@mrlinux.de> wrote:
> Everything is ok now, though DHCP still doesn't work but I won't need it
> anymore.

--
Scott Ryan
http://bonoboslr.wordpress.com/