Hi All,

Until now I've only used IAX2 to connect to ITSPs. I've been toying with a SIP connection to Gizmo Project, but not yet successfully. It brings to mind a question. At what point does it make sense to consider a SIP-aware firewall such as those from Ingate?

I'd hate to move away from my m0n0wall, which is open source, easy to manage and has served me brilliantly for two years.

Thanks,
Michael Graves

--
Michael Graves mgraves@pixelpower.com
Sr. Product Specialist www.pixelpower.com
Pixel Power Inc. mgraves@mstvp.com
o713-861-4005 o800-905-6412 c713-201-1262
fwd 54245

> Until now I've only used IAX2 to connect to ITSPs. I've been
> toying with a SIP connection to Gizmo Project, but not yet
> successfully. It brings to mind a question. At what point
> does it make sense to consider a SIP-aware firewall such as
> those from Ingate?

You should be able to run SIP through m0n0wall quite happily - we have a number of client sites with SIP phones offsite which connect to the * server behind a m0n0wall box. You'll need to allow 5060 (UDP) for SIP, then an appropriate port range (as defined in rtp.conf) for the RTP streams.

You'll obviously also need to apply any QoS rules to both the SIP and RTP streams.

Regards,
Chris

--
C.M. Bagnall, Director, Minotaur I.T. Limited
This email is made from 100% recycled electrons

----- Original Message -----
From: "Chris Bagnall" <asterisk@minotaur.cc>
To: "'Asterisk Users Mailing List - Non-Commercial Discussion'" <asterisk-users@lists.digium.com>
Sent: Thursday, January 05, 2006 5:33 PM
Subject: RE: [Asterisk-Users] OT: SIP aware firewalls?

> > Until now I've only used IAX2 to connect to ITSPs. I've been
> > toying with a SIP connection to Gizmo Project, but not yet
> > successfully. It brings to mind a question. At what point
> > does it make sense to consider a SIP-aware firewall such as
> > those from Ingate?
>
> You should be able to run SIP through m0n0wall quite happily - we have a
> number of client sites with SIP phones offsite which connect to the * server
> behind a m0n0wall box. You'll need to allow 5060 (UDP) for SIP, then an
> appropriate port range (as defined in rtp.conf) for the RTP streams.
>
> You'll obviously also need to apply any QoS rules to both the SIP and RTP
> streams.
>

Totally agree. I moved from Kerio WinRoute (claims to be SIP aware > not) to Monowall and all SIP/NAT issues went away. It doesn't do QoS but you can do bandwidth/traffic shaping which also should work fine.

Erwin

I suspect that there might be more to this question than has been answered so far.

Most firewalls will allow you to open and forward a port range; thus they are "SIP" compliant. However, if you want more than one SIP client behind your firewall, you will want a firewall with a SIP application filter (to intelligently direct the SIP & RTP packets to the right client).

So if I can rephrase your question for the group, are there any (linux?) firewalls with SIP & RTP application filters?

We managed to build a rudimentary ISA Server application filter for SIP & RTP, but nothing commercial quality.

Michelle Dupuis
Technical Support Specialist
Oxford Consulting Group Ltd.
Making IT work for your business...
T: (519) 672-8238
E: support@ocg.ca
W: www.ocg.ca

Technical Support wrote:

> So if I can rephrase your question for the group, are there any (linux?)
> firewalls with SIP & RTP application filters?
>

Pretty much any recent one, just load the ip_conntrack_sip module: http://www.iptel.org/sipalg/

Tony

We use Juniper/Netscreen 5GT's with the latest 5.3 firmware. It is fully SIP aware and in a NAT environment it modifies the addresses in the SIP frames according to the NAT table. The Netscreen also checks the SIP frame for the UDP ports to be opened for the audio channels and opens them for the session only.

We have clients and servers inside and outside, and everything talks SIP and works like a charm.

Regards.
Andre Vink
Vink Consultancy

----- Original Message -----
Subject: RE: [Asterisk-Users] OT: SIP aware firewalls?
From: Chris Bagnall
To: "'Asterisk Users Mailing List - Non-Commercial Discussion'"
Date: 07-01-2006 1:25

> I know that I can stay with m0n0. The question still stands;
> are there circumstances when something more is required?
> Would something be gained by such a migration.

I would think the only real circumstances where true SIP-aware firewalls would be required would be in an environment where one had many SIP devices behind a NAT (and by many I mean more than it's reasonably practical to assign different port numbers to).

I'm no expert on firewalls, so hopefully someone'll correct me if I'm mistaken.

Regards,
Chris

--
C.M. Bagnall, Director, Minotaur I.T. Limited
This email is made from 100% recycled electrons
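
The SIP-aware NAT behaviour discussed in this thread (rewriting the addresses carried inside the SIP message and opening the advertised audio ports for that session only) can be modelled in a few lines. This is an added example, not part of the original thread and not Netscreen or ip_conntrack_sip code; it covers only the SDP media address and ports, and the function name, addresses and port range are assumptions.

```python
import re

def alg_rewrite(sip_msg, public_ip, ports):
    """Rewrite SDP media address/ports to the NAT's public side.

    ports: iterator of free public UDP ports (assumed allocator).
    Returns (rewritten_msg, pinholes); each pinhole is
    (public_port, private_ip, private_port), to be opened for this session only.
    """
    head, sep, body = sip_msg.partition("\r\n\r\n")
    if not sep or not re.search(r"(?im)^content-type:\s*application/sdp", head):
        return sip_msg, []                      # no SDP: pass through untouched
    conn = re.search(r"(?m)^c=IN IP4 (\S+)", body)
    if not conn:
        return sip_msg, []
    private_ip, pinholes = conn.group(1), []

    def fix_media(m):
        if m.group(2) == "0":                   # port 0 = stream declined, no pinhole
            return m.group(0)
        public_port = next(ports)
        pinholes.append((public_port, private_ip, int(m.group(2))))
        return f"m={m.group(1)} {public_port} "

    body = re.sub(r"(?m)^m=(\w+) (\d+) ", fix_media, body)
    body = re.sub(r"(?m)^c=IN IP4 \S+", lambda _: f"c=IN IP4 {public_ip}", body)
    # The body length may have changed, so Content-Length must be recomputed.
    head = re.sub(r"(?im)^(content-length:\s*)\d+",
                  lambda m: m.group(1) + str(len(body.encode())), head)
    return head + sep + body, pinholes

# Constructed sample: a phone at 192.168.1.20 behind NAT offering one audio stream.
_SDP = "\r\n".join([
    "v=0", "o=alice 1 1 IN IP4 192.168.1.20", "s=-",
    "c=IN IP4 192.168.1.20", "t=0 0",
    "m=audio 16384 RTP/AVP 0 8", "a=rtpmap:0 PCMU/8000", ""])
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:100@itsp.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKconstructed",
    "Call-ID: constructed-1@192.168.1.20",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    f"Content-Length: {len(_SDP)}", "", ""]) + _SDP

if __name__ == "__main__":
    msg, holes = alg_rewrite(SAMPLE_INVITE, "203.0.113.10", iter(range(10000, 10100, 2)))
    print(msg)
    print("pinholes:", holes)
```

A plain port-forwarding firewall skips all of this and relies on a static 5060/UDP rule plus the fixed RTP range, which is why it stops scaling once several SIP clients share one public address.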