Tom,
A short while ago I bought into the Vonage VOIP telephone via cable.  Shortly 
thereafter I put out my rules file based on what the Vonage Tech told me.  
That rules file was a quick 'n dirty way of getting up and running. The 
phone system works fine using SuSE 8.2 and Shorewall 1.4.2 using the two 
interface setup as my router/firewall.
I have spent a little time refining the Rules file with the goal being to be 
as restrictive as possible.  I had been root kitted recently so I am a bit 
paranoid.  I changed the Rules file and all seems to be working well so far.  
The purpose of this message is to ask you to review my changes and make any 
suggestions you feel are necessary.  Also if it continues to function well you 
might want to include a little blurb in your documentation so you won't have 
to answer these questions in the future.  I would be happy to write up a 
paragraph on what I have done if you think it might be helpful.
In reviewing what was necessary to make the voip work I decided to direct the 
net access to the Cisco ATA via DNAT.  In the original Rules file I had 
ACCEPTed connections back and forth between the net and loc.  After reviewing 
the Policy file I figured out that it had already allowed all comm from loc 
to net so about 1/2 of my rules file was superfluous.  So here are the two 
Rules files, before and after:
BEFORE:
ACCEPT		loc		fw		udp	53
ACCEPT		fw		loc		udp	53
ACCEPT		loc		net		udp	5060
ACCEPT		net 		loc		udp	5060
ACCEPT		loc		fw		udp	123
ACCEPT		fw 		loc		udp	123
# changed net to loc and loc to net on udp port 123 to test the voip
ACCEPT		loc		net		udp	5061
ACCEPT		net 		loc		udp	5061
ACCEPT		loc		fw		udp	69
ACCEPT		fw		loc		udp	69
ACCEPT		net		loc		udp	10100:10500
ACCEPT		loc		net		udp	10100:10500
AFTER:
ACCEPT		loc		fw		udp	53
ACCEPT		fw		loc		udp	53
ACCEPT		loc		fw		udp	69
ACCEPT		fw		loc		udp	69
ACCEPT		loc		fw		udp	123
ACCEPT		fw 		loc		udp	123
# changed net to loc and loc to net on udp port 123 to test the voip
DNAT		net 		loc:192.168.1.147		udp	5060
DNAT		net 		loc:192.168.1.147		udp	5061
DNAT		net		loc:192.168.1.147		udp	10100:10500
The phone works fine with the new settings so I didn't do too badly, I guess.  
The burning question is did I improve anything security-wise or am I fooling 
myself?
Also, since I am using DHCP to give the ATA its IP, how do I ensure that the 
loc:<IP address> will automatically be the lease address should it change? I 
suspect a script of some sort being run when Shorewall first fires up would 
be in order to make any change necessary. Or is there some way to tie the 
ports to the MAC address?  But that is something I can worry about once the 
basic things work.
I know you are very busy and I appreciate your looking at this.  
Thanks again for making my life a lot easier.  I am still amazed that people 
spend a lot of time trying to get their SuSEFirewall working when Shorewall 
will let idiots like me play like we have some sense!
Regards,
Richard
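The "did I improve anything" question above can be answered mechanically: a rule is redundant when the zone policy already ACCEPTs that direction, and a net-to-loc rule without a host qualifier exposes every host in loc on that port, whereas a DNAT to loc:<address> exposes only one host. The script below is an added example, not part of Richard's message or of Shorewall itself; it classifies each line of a Shorewall rules file that way, using the two rules files from the message as constructed input and assuming only the loc-to-net ACCEPT policy the message mentions. The tag names (REDUNDANT, WIDE-OPEN, NARROWED, INTERNAL) are this script's own.

```shell
#!/bin/sh
# Added example (not from the original post or the Shorewall project):
# classify Shorewall rules against an ACCEPT policy between two zones.

# Constructed input: the BEFORE rules from the message.
BEFORE_RULES='ACCEPT		loc		fw		udp	53
ACCEPT		fw		loc		udp	53
ACCEPT		loc		net		udp	5060
ACCEPT		net 		loc		udp	5060
ACCEPT		loc		fw		udp	123
ACCEPT		fw 		loc		udp	123
# changed net to loc and loc to net on udp port 123 to test the voip
ACCEPT		loc		net		udp	5061
ACCEPT		net 		loc		udp	5061
ACCEPT		loc		fw		udp	69
ACCEPT		fw		loc		udp	69
ACCEPT		net		loc		udp	10100:10500
ACCEPT		loc		net		udp	10100:10500'

# Constructed input: the AFTER rules from the message.
AFTER_RULES='ACCEPT		loc		fw		udp	53
ACCEPT		fw		loc		udp	53
ACCEPT		loc		fw		udp	69
ACCEPT		fw		loc		udp	69
ACCEPT		loc		fw		udp	123
ACCEPT		fw 		loc		udp	123
DNAT		net 		loc:192.168.1.147		udp	5060
DNAT		net 		loc:192.168.1.147		udp	5061
DNAT		net		loc:192.168.1.147		udp	10100:10500'

# classify_rules PSRC PDST  (rules on stdin; PSRC->PDST is an ACCEPT policy)
# Prints one tagged line per rule:
#   REDUNDANT  ACCEPT in the direction the policy already allows
#   WIDE-OPEN  rule from net to a whole zone (no host qualifier)
#   NARROWED   rule from net to a specific host (e.g. DNAT to loc:a.b.c.d)
#   INTERNAL   everything else (loc<->fw here; needs the rest of the policy)
classify_rules() {
    awk -v psrc="$1" -v pdst="$2" '
        /^[[:space:]]*#/ || NF < 5 { next }   # skip comments and short lines
        {
            action = $1; src = $2; dst = $3; proto = $4; port = $5
            if (action == "ACCEPT" && src == psrc && dst == pdst)
                tag = "REDUNDANT"
            else if (src == "net" && index(dst, ":") == 0)
                tag = "WIDE-OPEN"
            else if (src == "net")
                tag = "NARROWED"
            else
                tag = "INTERNAL"
            printf "%-10s %s %s -> %s %s/%s\n", tag, action, src, dst, proto, port
        }'
}

# count_tag TAG PSRC PDST  (rules on stdin): how many rules carry TAG
count_tag() {
    classify_rules "$2" "$3" | grep -c "^$1 "
}

# Stand-alone run: show both classifications side by side.
if [ -z "$SHOREWALL_AUDIT_QUIET" ]; then
    echo "== BEFORE =="; printf '%s\n' "$BEFORE_RULES" | classify_rules loc net
    echo "== AFTER =="; printf '%s\n' "$AFTER_RULES" | classify_rules loc net
fi
```

On the BEFORE file the script reports three REDUNDANT loc-to-net rules and three WIDE-OPEN net-to-loc rules; on the AFTER file it reports none of either and three NARROWED DNAT rules, which is the concrete sense in which the rewrite improved things: inbound SIP and RTP now reach one host instead of every host in loc. The six loc/fw rules are tagged INTERNAL because whether they are needed depends on the loc-to-fw and fw-to-loc policies, which the message does not show.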
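The DHCP question at the end of the message (keeping loc:<IP address> in step with the ATA's lease) is the kind of thing the "script run when Shorewall fires up" would do. The script below is an added example, not part of the message or of Shorewall; it looks up the ATA's current lease by MAC address in an ISC dhcpd.leases file and emits a shell assignment of the form ATA=<address>, the idea being that the DNAT rules then refer to loc:$ATA through Shorewall's params file. The MAC address, the leases file contents and the variable name ATA are constructed for the example; dhcpd appends lease records, so the last record for a MAC is the current one, which is the rule the parser relies on.

```shell
#!/bin/sh
# Added example (not from the original post or the Shorewall project):
# find the ATA's current DHCP lease by MAC and emit a Shorewall params line.

# Constructed sample dhcpd.leases: an expired lease for the ATA, an
# unrelated host, then the ATA's current lease (dhcpd appends records).
SAMPLE_LEASES='lease 192.168.1.147 {
  starts 3 2003/06/18 10:00:00;
  ends 3 2003/06/18 22:00:00;
  binding state free;
  hardware ethernet 00:0d:28:aa:bb:cc;
  client-hostname "ata";
}
lease 192.168.1.120 {
  starts 4 2003/06/19 08:00:00;
  ends 4 2003/06/19 20:00:00;
  binding state active;
  hardware ethernet 00:30:65:11:22:33;
  client-hostname "laptop";
}
lease 192.168.1.151 {
  starts 4 2003/06/19 09:00:00;
  ends 4 2003/06/19 21:00:00;
  binding state active;
  hardware ethernet 00:0d:28:aa:bb:cc;
  client-hostname "ata";
}'

# lease_ip_for_mac MAC  (leases file on stdin)
# Prints the IP of the last lease record whose hardware ethernet matches
# MAC (case-insensitive); prints nothing if there is none.
lease_ip_for_mac() {
    mac=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v mac="$mac" '
        $1 == "lease"                        { ip = $2 }   # start of a record
        $1 == "hardware" && $2 == "ethernet" {
            m = $3; sub(/;$/, "", m)                      # strip trailing ";"
            if (m == mac) found = ip                       # later records win
        }
        END { if (found != "") print found }'
}

# emit_params MAC  (leases file on stdin)
# Prints "ATA=<ip>" for the params file. Refuses to print anything when the
# MAC has no lease: leaving the old DNAT target in place is safer than
# writing an empty address into the rules.
emit_params() {
    ip=$(lease_ip_for_mac "$1")
    [ -n "$ip" ] || { echo "no lease found for $1" >&2; return 1; }
    printf 'ATA=%s\n' "$ip"
}

# Stand-alone run against the constructed sample (a real run would read
# /var/lib/dhcp/dhcpd.leases or wherever the distribution keeps it).
if [ -z "$LEASE_LOOKUP_QUIET" ]; then
    printf '%s\n' "$SAMPLE_LEASES" | emit_params 00:0d:28:aa:bb:cc
fi
```

The simpler fix, if the DHCP server is under your control, is a fixed-address host entry in dhcpd.conf keyed on the ATA's MAC, so the lease never changes and the DNAT rules can keep a literal address. Tying the DNAT directly to the MAC is not an option: netfilter can match a MAC only on packets arriving from that host, and a DNAT destination has to be an IP address, so a lookup like the one above (or a reservation) is needed either way.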