Hello

Asterisk sits in a Vserver guest (192.168.3.9) on the firewall. I can't seem to get the sip helper to mark the SIP packets though.

I have an ftp client on a different Vserver guest on the firewall. If I put ftp in the HELPER column of tcrules I can mark those packets. With sip in the HELPER column though nothing happens.

Attached is a "shorewall dump > dump.txt" that was taken while Asterisk was making a SIP call. You'll see that under "Chain tcout" there are 0 packets. When "helper match "ftp" MARK set 0x1", that is not the case. Any ideas as to why sip packets don't get marked?

Regards

Fog_Watch.

--
"A. Because it breaks the logical order of conversation.
Q. Why is top posting bad?"

On 06/17/2012 03:04 AM, Fog_Watch wrote:
> Hello
>
> Asterisk sits in a Vserver guest (192.168.3.9) on the firewall. I can't
> seem to get the sip helper to mark the SIP packets though.
>
> I have an ftp client on a different Vserver guest on the firewall. If
> I put ftp in the HELPER column of tcrules I can mark those packets.
> With sip in the HELPER column though nothing happens.
>
> Attached is a "shorewall dump > dump.txt" that was taken while Asterisk
> was making a SIP call. You'll see that under "Chain tcout" there are 0
> packets. When "helper match "ftp" MARK set 0x1", that is not the
> case. Any ideas as to why sip packets don't get marked?

No I don't. While Linux-vserver has odd IPv6 operational quirks which led me to switch to LXC, I don't recall seeing this type of problem while using it; but then I don't do VOIP.

My only suggestion would be to change your marking rule to:

#MARK   SOURCE   DEST   ...   HELPER
1:T     -        -            sip

and see if that makes any difference.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Sun, 17 Jun 2012 08:14:19 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> My only suggestion would be to change your marking rule to:
>
> #MARK   SOURCE   DEST   ...   HELPER
> 1:T     -        -            sip
>
> and see if that makes any difference.

It doesn't. Bother. It looks like I might be migrating to LXC too.

Regards

Fog_Watch.

--
"A. Because it breaks the logical order of conversation.
Q. Why is top posting bad?"