I'm trying to get firewalling working but I am clueless as to which ports I need to open, I keep opening more ports and it's not working :(

Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is giving me a headache. It seems that the stateless firewall is not able to handle SIP. I'm using shorewall as my firewall with these rules:

ACCEPT net fw udp 4569
ACCEPT fw net udp 4569,5060,10000:20000

My rtp.conf says this:
rtpstart=10000
rtpend=20000

Whenever I make a call I get these messages:

Apr 2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=myip DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF PROTO=UDP SPT=17798 DPT=7356 LEN=180

Apr 2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= SRC=80.118.132.66 DST=myip LEN=200 TOS=0x00 PREC=0x00 TTL=53 ID=859 PROTO=UDP SPT=7356 DPT=17798 LEN=180

So it seems that the %&*$*&$^&!!!! server is still trying to get out via a port lower than the range set in rtp.conf.

What is port 7356 for and what should I open to get it to work? I looked through the wiki but the low level iptables rules posted there do not make any sense to me.

Thanks!
On Sat, Apr 02, 2005 at 11:10:28AM +0200, Remco Barende wrote:
> I'm trying to get firewalling working but I am clueless as to which ports
> I need to open, I keep opening more ports and it's not working :(
>
> Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is giving
> me a headache. It seems that the stateless firewall is not able to handle
> SIP. I'm using shorewall as my firewall with these rules:
>
> ACCEPT net fw udp 4569
> ACCEPT fw net udp 4569,5060,10000:20000
>
> My rtp.conf says this:
> rtpstart=10000
> rtpend=20000
>
> Whenever I make a call I get these messages:
>
> Apr 2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1
> SRC=myip DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF
> PROTO=UDP SPT=17798 DPT=7356 LEN=180
>
> Apr 2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT=
> SRC=80.118.132.66 DST=myip LEN=200 TOS=0x00 PREC=0x00 TTL=53
> ID=859 PROTO=UDP SPT=7356 DPT=17798 LEN=180
>
> So it seems that the %&*$*&$^&!!!! server is still trying to get out via a
> port lower than the range set in rtp.conf
>
> What is port 7356 for and what should I open to get it to work? I looked
> through the wiki but the low level iptables rules posted there do not make
> any sense to me.

Port 7356 is used by the called site to receive rtp packets. I don't think you can have any influence on which port it chooses to use. You will need to allow outgoing udp packets to all ports between 1024 and 65535. For example:

ACCEPT net fw udp 4569,5060,10000:20000
ACCEPT fw net udp 1025:65536

/Mikael Magnusson
Remco Barende wrote:
> Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is
> giving me a headache. It seems that the stateless firewall is not able
> to handle SIP. I'm using shorewall as my firewall with these rules:
>
> ACCEPT net fw udp 4569
> ACCEPT fw net udp 4569,5060,10000:20000

IAX2 will work fine, because you have allowed it in both directions.

> Whenever I make a call I get these messages:
>
> Apr 2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1
> SRC=myip DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF
> PROTO=UDP SPT=17798 DPT=7356 LEN=180
>
> Apr 2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT=
> SRC=80.118.132.66 DST=myip LEN=200 TOS=0x00 PREC=0x00 TTL=53 ID=859
> PROTO=UDP SPT=7356 DPT=17798 LEN=180
>
> So it seems that the %&*$*&$^&!!!! server is still trying to get out
> via a port lower than the range set in rtp.conf

Not exactly, asterisk is using port 17798. It's the other end that's using 7356, unfortunately you don't really have any control over the remote end's RTP port.

You could try specifying the source ports on the outgoing rules with something like:

ACCEPT fw net udp - 10000:20000

This would allow any packets from the firewall to the internet originating from ports 10000:20000.

You should probably also allow incoming connections to port 5060 and 10000:20000, otherwise you may find that you can't receive inbound calls.

ACCEPT net fw udp 5060,10000:20000

should cater for that.

I'm using shorewall on our asterisk box at work and it works just fine. I allow all traffic out from the firewall to the net and only allow a very limited amount of incoming ports.

> What is port 7356 for and what should I open to get it to work? I
> looked through the wiki but the low level iptables rules posted there
> do not make any sense to me.

Port 7356 is the remote end's RTP port.

I hope that helps,
Paul
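An added example, not written by anyone in this thread, that checks Paul's reading of the two Shorewall REJECT lines: it parses them, pairs the fw2net and net2fw legs into one UDP flow, and reports which endpoint's port falls inside the rtp.conf range (the local Asterisk leg) and which does not (the remote end). It assumes the log format quoted above and keeps "myip" as the placeholder the poster used.

```python
import re
from collections import defaultdict

# The two Shorewall REJECT lines quoted in the thread; "myip" is kept as the
# placeholder the poster used for the local address.
LOG_LINES = [
    "Apr 2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1 "
    "SRC=myip DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF "
    "PROTO=UDP SPT=17798 DPT=7356 LEN=180",
    "Apr 2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= "
    "SRC=80.118.132.66 DST=myip LEN=200 TOS=0x00 PREC=0x00 TTL=53 ID=859 "
    "PROTO=UDP SPT=7356 DPT=17798 LEN=180",
]
RTP_RANGE = (10000, 20000)  # rtpstart / rtpend from the poster's rtp.conf

LINE_RE = re.compile(
    r"Shorewall:(?P<chain>\w+):(?P<action>\w+):.*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Extract chain, action, endpoints and ports; None if not a Shorewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def flow_key(rec):
    """Direction-independent key so the fw2net and net2fw legs collapse into one flow."""
    ends = sorted([(rec["src"], rec["spt"]), (rec["dst"], rec["dpt"])])
    return (rec["proto"],) + tuple(ends)

def classify_rejects(lines, rtp_range=RTP_RANGE):
    """Group rejected UDP packets by flow; split endpoints into local RTP leg vs remote."""
    lo, hi = rtp_range
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "REJECT" and rec["proto"] == "UDP":
            flows[flow_key(rec)].append(rec["chain"])
    report = []
    for (_proto, *ends), chains in flows.items():
        local = [e for e in ends if lo <= e[1] <= hi]
        remote = [e for e in ends if not lo <= e[1] <= hi]
        report.append({"chains": sorted(set(chains)),
                       "local_rtp": local, "remote": remote})
    return report
```

For the quoted lines the single flow comes back with the local leg on myip:17798 (inside 10000:20000) and the remote leg on 80.118.132.66:7356, which is why a rule keyed on the local port (Paul's "ACCEPT fw net udp - 10000:20000") matches it while one keyed on the remote destination port does not.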
> I'm trying to get firewalling working but I am clueless as to which ports
> I need to open, I keep opening more ports and it's not working :(
>
> Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is giving
> me a headache. It seems that the stateless firewall is not able to handle
> SIP. I'm using shorewall as my firewall with these rules:
>
> ACCEPT net fw udp 4569
> ACCEPT fw net udp 4569,5060,10000:20000
>
> My rtp.conf says this:
> rtpstart=10000
> rtpend=20000

Others have already commented on the above. Here are a couple more items to think about.

The udp ports required for rtp "varies" by sip phone vendor. In other words, the exact ports required are not necessarily those shown above. It also makes a difference as to which device initiates the first rtp transmission.

As noted, the rtpstart and rtpend are for asterisk only, and are used as its source port when communicating with an external sip device (phone or another asterisk).

If you look at the Xten documentation, you'll find that soft phone uses rtp udp ports in the low 8000 range. If you look at the Cisco 7960's, you'll find they use 16384 to 32768, and those particular values can be seen/changed in the SIPDefault.cnf file. The exact rtp port to be used by each sip device never became a standard in the rfc, so each vendor is allowed to choose whatever udp port range they felt like using as their default.

Opening udp ports from 1024 to 64000 will likely help, but you might as well dump the firewall if you're going to open everything like that.

Also note that each line/conversation will use another udp port. So, in the case of the xten product, the first line/conversation may use port 8000. If you put that line on hold and start another (second) rtp session, that line/conversation will use something like 8002 (or whatever).

Use something like ethereal to sniff the packets on the outside of your firewall, and you'll see the exact udp ports used for whatever device you're trying to communicate with.
If you don't feel like implementing ethereal, then open all the ports as someone suggested, then do a "netstat -an" during a real sip call, and you'll see the exact udp ports in use. Once you're comfortable with your understanding of what ports are actually used, then adjust your firewall to support those ports.