Hello - I am not a subscriber to the mailing list, please email me with help at mfabache@yahoo.com

My shorewall (v2.0.1) has been working wonderfully for the past year. I just added my Vonage and cannot get the Phone Adapter to sync up (2 blinks (looking for IP)).

All I have done is run an ethernet cable from the WAN outlet on the phone adapter to a LAN port on the router.

After googling, I found these for the rules file:

    ACCEPT  loc  net  udp  5060
    ACCEPT  net  loc  udp  5060
    ACCEPT  loc  net  udp  123
    ACCEPT  net  loc  udp  123
    ACCEPT  loc  net  udp  5061
    ACCEPT  net  loc  udp  5061
    ACCEPT  loc  fw   udp  69
    ACCEPT  fw   loc  udp  69
    ACCEPT  net  loc  udp  10100:10500
    ACCEPT  loc  net  udp  10100:10500

Restarted shorewall (rebooted too) but still no syncing. I am sure I am doing something wrong, but what? Any ideas?

Thanks,
Michael
mfabache@yahoo.com
It would be easier to just allow all traffic directly to the ATA. A rule such as

    ACCEPT net loc:<IP of ATA>

should fix the problem.

Krishnan

On Aug 23, 2004, at 8:45 PM, Michael F wrote:

> My shorewall (v2.0.1) has been working wonderfully for the past year. I just added my Vonage and cannot get the Phone Adapter to sync up (2 blinks (looking for IP)).
> [...]
> After googling, I found these for the rules file:
> [...]
> Restarted shorewall (rebooted too) but still no syncing. I am sure I am doing something wrong, but what? Any ideas?
>
> Thanks,
> Michael
> mfabache@yahoo.com
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
TSV Krishnan wrote:
| It would be easier to just allow all traffic directly to the ATA.
| A rule such as
|
| ACCEPT net loc:<IP of ATA>
|
| should fix the problem.

If the OP is using Masquerade or SNAT for loc->net access, the rule you recommend is absolute nonsense. See FAQ #30.

With Masquerade/SNAT, all ACCEPT net->loc rules in the original post are equally silly, as are those in the post that the OP found by "Googling".

I don't use Vonage so I can't give you the correct setup. But I know enough about how IP works and how Shorewall works to point out nonsense when I see it.

Regardless of what the application is, if you are using SNAT/Masquerade for loc->net then THE ONLY RULES FOR net->loc THAT HAVE A CHANCE OF WORKING ARE DNAT and DNAT- rules. And if the client is running in the 'loc' zone and you are not running a proxy then any 'fw<->net' and 'fw<->loc' rules are equally ineffective for net<->loc communication.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2004-08-23 at 19:22 -0700, Tom Eastep wrote:
> Regardless of what the application is, if you are using SNAT/Masquerade for loc->net then THE ONLY RULES FOR net->loc THAT HAVE A CHANCE OF WORKING ARE DNAT and DNAT- rules. And if the client is running in the 'loc' zone and you are not running a proxy then any 'fw<->net' and 'fw<->loc' rules are equally ineffective for net<->loc communication.
>
> -Tom

Vonage is using a firmware/configuration with the ATAs that is supposed to make them operate properly behind NAT devices. Don't forget - most of them are winding up behind dumb Linksys/Dlink/what-have-you type devices that are simple packet filters with masquerade support. If you are using the default loc->net = ACCEPT policy, the device will work.

I would suggest you contact Vonage support to determine if your account has been activated, etc.

--
David T Hollis <dhollis@davehollis.com>
Tom Eastep wrote:
| Regardless of what the application is, if you are using SNAT/Masquerade
| for loc->net then THE ONLY RULES FOR net->loc THAT HAVE A CHANCE OF
| WORKING ARE DNAT and DNAT- rules. And if the client is running in the
| 'loc' zone and you are not running a proxy then any 'fw<->net' and
| 'fw<->loc' rules are equally ineffective for net<->loc communication.

Folks,

I wasn't trying to be rude with this post but I believe that we should all apply a "plausibility test" to anything that we find on the Internet.

And at the time that the Vonage post with the large set of rules was originally made on the Shorewall Users list, I should have pointed out that most of the rules could have had no effect on whether the device worked or not. I regret not having done so...

-Tom
David T Hollis wrote:
| Vonage is using a firmware/configuration with the ATAs that is supposed
| to make them operate properly behind NAT devices. Don't forget - most
| of them are winding up behind dumb Linksys/Dlink/what-have-you type
| devices that are simple packet filters with masquerade support. If you
| are using the default loc->net = ACCEPT policy, the device will work. I
| would suggest you contact Vonage support to determine if your account
| has been activated, etc.

And if one looks at the original set of rules posted and:

a) Remove all of the loc->net ACCEPT rules (the normal loc->net ACCEPT policy already does that).
b) Remove all of the net->loc ACCEPT rules (those don't work with masq/snat).
c) Remove all of the rules involving fw (no proxy involved).

Then you end up with no rules at all. Just as you say...

-Tom
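The three-step reduction Tom applies above can be run mechanically. The following Python script is an added example for this archived thread, not Shorewall's own code. It assumes the standard two-interface policy (loc->net ACCEPT, net->all DROP, all->all REJECT, with a simplified wildcard lookup), masquerading of loc->net, and no proxy on the firewall, and classifies each line of a rules file as redundant (already covered by policy), ineffective (a net->loc ACCEPT behind masquerade, or an fw rule with no proxy) or plausible. Run on the rule set from the original post it leaves nothing, which is the conclusion above; a DNAT rule, the only net->loc form Tom says can work, survives.

```python
"""Plausibility test for a Shorewall 2.x rules list.

Added example for this thread, not Shorewall's own code.  It mechanises the three
checks Tom applies to the posted rule set, under these assumptions:
  * the standard two-interface policy: loc->net ACCEPT, net->all DROP,
    all->all REJECT (policy lookup is simplified to a fixed wildcard order);
  * loc->net traffic is masqueraded (SNAT), so a net->loc ACCEPT can never
    match an incoming packet; only DNAT / DNAT- rules have a chance;
  * no proxy runs on the firewall, so fw<->loc and fw<->net rules carry no
    net<->loc traffic.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: str

    def text(self) -> str:
        return " ".join((self.action, self.source, self.dest, self.proto, self.dport))


# Assumed policy table: (source zone, dest zone) -> policy; 'all' is a wildcard.
POLICIES = {("loc", "net"): "ACCEPT", ("net", "all"): "DROP", ("all", "all"): "REJECT"}
# Zone pairs whose traffic is masqueraded in the forward direction.
MASQUERADED = {("loc", "net")}
PROXY_ON_FW = False


def parse_rules(text: str) -> list:
    """Parse the first five columns of a rules file (ACTION SOURCE DEST PROTO DEST_PORT)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"rule needs at least 5 columns: {line!r}")
        rules.append(Rule(fields[0].upper(), fields[1], fields[2], fields[3].lower(), fields[4]))
    return rules


def zone_of(spec: str) -> str:
    """'loc:192.168.1.5' -> 'loc'; a bare zone name is returned unchanged."""
    return spec.split(":", 1)[0]


def policy_for(src: str, dst: str) -> str:
    for key in ((src, dst), (src, "all"), ("all", dst), ("all", "all")):
        if key in POLICIES:
            return POLICIES[key]
    return "REJECT"


def classify(rule: Rule) -> tuple:
    """Return (verdict, reason); verdict is 'plausible', 'redundant' or 'ineffective'."""
    src, dst = zone_of(rule.source), zone_of(rule.dest)
    if rule.action in ("DNAT", "DNAT-"):
        return "plausible", "DNAT is the only net->loc form that works behind masquerade"
    if rule.action != "ACCEPT":
        return "plausible", "not an ACCEPT rule; not covered by the three checks"
    if policy_for(src, dst) == "ACCEPT":
        return "redundant", f"policy {src}->{dst} is already ACCEPT"
    if (dst, src) in MASQUERADED:
        return "ineffective", f"{src}->{dst} ACCEPT cannot match traffic masqueraded {dst}->{src}"
    if "fw" in (src, dst) and not PROXY_ON_FW:
        return "ineffective", "rule involves fw but no proxy runs on the firewall"
    return "plausible", "no objection found"


def audit(text: str) -> list:
    """List of (rule text, verdict, reason) for every rule in the file."""
    return [(r.text(),) + classify(r) for r in parse_rules(text)]


def surviving(text: str) -> list:
    """Rules left after discarding the redundant and ineffective ones."""
    return [line for line, verdict, _ in audit(text) if verdict == "plausible"]


# Constructed sample: the rule set from the original post.
OP_RULES = """
ACCEPT  loc  net  udp  5060
ACCEPT  net  loc  udp  5060
ACCEPT  loc  net  udp  123
ACCEPT  net  loc  udp  123
ACCEPT  loc  net  udp  5061
ACCEPT  net  loc  udp  5061
ACCEPT  loc  fw   udp  69
ACCEPT  fw   loc  udp  69
ACCEPT  net  loc  udp  10100:10500
ACCEPT  loc  net  udp  10100:10500
"""

if __name__ == "__main__":
    for line, verdict, reason in audit(OP_RULES):
        print(f"{verdict:11} {line:40} {reason}")
    print("surviving rules:", surviving(OP_RULES))
```

The policy table and the masquerade set are the two inputs worth adjusting before running this against your own rules file; if loc->net is not ACCEPT by policy, the "redundant" verdicts disappear, and if you really do run a proxy on the firewall, set PROXY_ON_FW accordingly.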
I posted the message seeking help. While I consider myself an advanced computer/Linux user, networking has always been VERY difficult for me, especially firewalls. Hence, my use of shorewall.

I am guilty of googling for the answer as I am inept to figure it out myself. It should be simple as I am merely trying to open ports for 5060-5061, 53, 69 (all UDP). I have found many examples, such as the one I previously posted and one such as this:

---
iptables -t nat -A PREROUTING -i eth0 -p udp -d $EXTERNAL_IP \
    --dport 53 -j DNAT --to ${VONAGE_IP}:53
iptables -t nat -A PREROUTING -i eth0 -p udp -d $EXTERNAL_IP \
    --dport 69 -j DNAT --to ${VONAGE_IP}:69
iptables -t nat -A PREROUTING -i eth0 -p udp -d $EXTERNAL_IP \
    --dport 5060:5061 -j DNAT \
    --to-destination ${VONAGE_IP}:5060-5061
iptables -t nat -A PREROUTING -i eth0 -p udp -d $EXTERNAL_IP \
    --dport 10000:20000 -j DNAT \
    --to-destination ${VONAGE_IP}:10000-20000
-----

The solution still eludes me. Is there a better way to figure it out? Can someone point me in the right direction?

Thanks for reading,
Michael

--- Tom Eastep <teastep@shorewall.net> wrote:
> Folks,
>
> I wasn't trying to be rude with this post but I believe that we should all apply a "plausibility test" to anything that we find on the Internet.
>
> And at the time that the Vonage post with the large set of rules was originally made on the Shorewall Users list, I should have pointed out that most of the rules could have had no effect on whether the device worked or not. I regret not having done so...
>
> -Tom
On Tue, 2004-08-24 at 20:31 -0700, Michael F wrote:
> I am guilty of googling for the answer as I am inept to figure it out myself. It should be simple as I am merely trying to open ports for 5060-5061, 53, 69 (all UDP). I have found many examples, such as the one I previously posted and one such as this:

I think we are seeing another common problem from vendors when they attempt to explain what kinds of firewall rules will be needed to support their application - they never seem to tell you which direction!

Ports 53 & 69 above are for DNS and TFTP. The ATA is configured to use Vonage's DNS servers (so you can't try to have it boot off your own TFTP server) and their TFTP server to get its configuration. These would be used outbound, and are thus already permitted by the loc->net ACCEPT default policy, so you do not need to specify any rules. 5060/5061 are used for SIP (the VOIP protocol used by Vonage). For Vonage, these are outbound only as well.

In short - no rules are needed for Vonage if you are using the default loc->net ACCEPT policy. I have a friend that has been using Vonage behind a Shorewall that I maintain for almost a year now and it works fine. No rules were added at all.

If it is not working, contact Vonage for support.

--
David T Hollis <dhollis@davehollis.com>
David T Hollis wrote:
| In short - no rules are needed for Vonage if you are using the default
| loc->net ACCEPT policy. I have a friend that has been using Vonage
| behind a Shorewall that I maintain for almost a year now and it works
| fine. No rules were added at all.

One way to convince yourself that this is the case is to remove all of the rules that you've added having to do with the ports in question. Now try to use the device -- are you seeing lots of new 'Shorewall' messages in your log having to do with UDP traffic? If not then there is no inbound traffic that isn't being handled automatically and hence there could be no possible need for additional rules.

-Tom
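Tom's log check can be scripted against the firewall's syslog. The following Python is an added example for this thread, not a Shorewall tool. It assumes the default Shorewall 2.x LOGFORMAT, under which each logged packet carries the prefix Shorewall:<chain>:<disposition>: followed by the kernel's netfilter LOG fields; the sample log lines, addresses and MAC addresses are constructed, and the port list is taken from the vendor material quoted earlier in the thread. It counts logged UDP packets that arrived on the external interface, optionally restricted to the listed ports, so the usual scan noise on unrelated ports is not mistaken for the application's traffic.

```python
"""Scan a syslog excerpt for Shorewall messages about inbound UDP.

Added example for this thread, not a Shorewall tool.  Assumes the default
Shorewall 2.x LOGFORMAT, under which every logged packet carries the prefix
"Shorewall:<chain>:<disposition>:" followed by the kernel's netfilter LOG
fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...).  The sample lines,
addresses and MAC addresses below are constructed.
"""
import re
from collections import Counter

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Ports the vendor material quoted in the thread lists (DNS, TFTP, SIP, RTP range), as (lo, hi).
VONAGE_PORTS = [(53, 53), (69, 69), (5060, 5061), (10000, 20000)]


def parse_line(line: str):
    """Return the logged packet's fields as a dict, or None for a non-Shorewall line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    # Bare flags such as DF or SYN carry no '=' and are skipped by the regex.
    fields = dict(FIELD_RE.findall(m.group("rest")))
    fields["CHAIN"] = m.group("chain")
    fields["DISP"] = m.group("disp")
    return fields


def in_ranges(port: int, ranges) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def logged_inbound_udp(lines, ext_iface: str = "eth0", ranges=None) -> Counter:
    """Count logged UDP packets that arrived on ext_iface, keyed by (dport, disposition).

    Replies to the ATA's own outbound traffic are matched by connection tracking and
    never reach a logging rule, so whatever is counted here is unsolicited.  With
    `ranges` set, only destination ports inside those ranges are counted.
    """
    hits = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.get("PROTO") != "UDP" or pkt.get("IN") != ext_iface:
            continue
        dport = int(pkt["DPT"])
        if ranges is not None and not in_ranges(dport, ranges):
            continue
        hits[(dport, pkt["DISP"])] += 1
    return hits


def verdict(hits: Counter) -> str:
    """Tom's conclusion, spelled out: nothing logged means no rule could help."""
    if not hits:
        return "no logged inbound UDP: nothing is unhandled, so no additional rule can help"
    ports = sorted({dport for dport, _ in hits})
    total = sum(hits.values())
    return (f"{total} logged inbound UDP packet(s) to port(s) {ports}: "
            "behind masquerade only a DNAT rule could deliver these")


# Constructed sample log: TCP scan noise, NetBIOS noise, a dhcpd line, two unsolicited SIP packets.
SAMPLE_LOG = """\
Aug 25 20:31:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1234 DF PROTO=TCP SPT=3322 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 25 20:31:04 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=1235 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 25 20:31:05 gw dhcpd: DHCPDISCOVER from 00:0e:08:aa:bb:cc via eth1
Aug 25 20:31:06 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=198.51.100.2 LEN=428 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=408
Aug 25 20:31:09 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=198.51.100.2 LEN=428 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=408
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("all inbound UDP:", dict(logged_inbound_udp(lines)))
    print("on vendor ports:", dict(logged_inbound_udp(lines, ranges=VONAGE_PORTS)))
    print(verdict(logged_inbound_udp(lines, ranges=VONAGE_PORTS)))
```

The constructed sample deliberately contains two unsolicited SIP packets so the non-empty branch is exercised; on a working installation of the kind David describes, running this over the log written while the device is in use should produce the empty verdict.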
David - you are right.

After reading your post and talking w/ a network type at work, we discovered the solution to my Vonage VOIP opportunity. My VOIP now works (Hoo-ray for me and others that may find this path).

Seems all my rule changes/additions were in vain. The network type mentioned things (over my head) like sip, stateless, etc. No firewall changes are needed.

WHAT I WAS MISSING WAS A LOCAL DHCP SERVER. Seems the phone adapter has some sort of router/dhcp 'guts'. I set up a dhcp server on my Linux firewall/router and the phone adapter received its IP and we are now working.

In retrospect, this would have been easier if Vonage had a 'howto' regarding software firewalls (linux based or not) for network-challenged people like myself.

The mailing list did solve my issues. Thanks to all.

Regards,
Michael

--- David T Hollis <dhollis@davehollis.com> wrote:
> In short - no rules are needed for Vonage if you are using the default loc->net ACCEPT policy. I have a friend that has been using Vonage behind a Shorewall that I maintain for almost a year now and it works fine. No rules were added at all.
>
> If it is not working, contact Vonage for support.
>
> --
> David T Hollis <dhollis@davehollis.com>
On Wed, 25 Aug 2004, Michael F wrote:
> Date: Wed, 25 Aug 2004 16:42:27 -0700 (PDT)
> From: Michael F <mfabache@yahoo.com>
> To: David T Hollis <dhollis@davehollis.com>, Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
> Cc: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] Shorewall-Linux and Vonage VOIP rules setting+
>
> WHAT I WAS MISSING WAS A LOCAL DHCP SERVER. Seems the phone adapter has some sort of router/dhcp 'guts'. I set up a dhcp server on my Linux firewall/router and the phone adapter received its IP and we are now working.
>
> In retrospect, this would have been easier if Vonage had a 'howto' regarding software firewalls (linux based or not) for network-challenged people like myself.
>
> The mailing list did solve my issues. Thanks to all.
> [...]

Michael,

May I suggest you write a "howto" while it is still fresh in your mind. One reason is so you will have something to look at some other time. Other people would be happy for a "howto" to make it easier for them to set the same kind of thing up.

I think Tom would be happy to place it on his site to help other people.

This is just a suggestion, not a command.

Have a great future!

Larry Platzek larryp@inow.com
Larry Platzek wrote:
| May I suggest you write a "howto" while it is still fresh in your mind.
| One reason is so you will have something to look at some other time.
| Other people would be happy for a "howto" to make it easier for them to
| set the same kind of thing up.
| I think Tom would be happy to place it on his site to help other people.

I've added a section to the Troubleshooting Guide -- it talks about what to do if a new device "like a VOIP device" doesn't work. It suggests assuring that the device has been given a proper IP configuration and mentions a DHCP server.

-Tom
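The actual fix in this thread (the adapter never obtained an address) and the Troubleshooting Guide section Tom mentions come down to one check before any firewall rule is touched: did the new device complete a DHCP exchange? The following Python is an added example for this thread, not Shorewall's or ISC's code. It assumes ISC dhcpd's syslog wording (DHCPDISCOVER from <mac> via <if>, DHCPOFFER on <ip> to <mac> via <if>, DHCPREQUEST for <ip> (<server>) from <mac> via <if>, DHCPACK on <ip> to <mac> via <if>, and a trailing "no free leases" when the pool is exhausted); the log lines and MAC addresses are constructed. It reports, per device MAC, how far the exchange got, which separates "no server answering" from "pool exhausted" from "device has an address".

```python
"""Report how far a LAN device got in its DHCP exchange, from dhcpd syslog lines.

Added example for this thread, not Shorewall's or ISC's code.  It assumes ISC
dhcpd's syslog wording:
    DHCPDISCOVER from <mac> via <if>[: network <net>: no free leases]
    DHCPOFFER on <ip> to <mac> via <if>
    DHCPREQUEST for <ip> [(<server>)] from <mac> via <if>
    DHCPACK on <ip> to <mac> via <if>  /  DHCPNAK on <ip> to <mac> via <if>
The log lines and MAC addresses below are constructed.
"""
import re

DHCP_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: (?P<msg>DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK)"
    r"(?: (?:on|for) (?P<ip>\d+\.\d+\.\d+\.\d+)(?: \(\S+\))?)?"
    r" (?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r" via (?P<iface>[^\s:]+)(?P<tail>.*)$",
    re.IGNORECASE,
)


def lease_status(lines, mac: str) -> str:
    """Walk the log in order and return the last state the device reached."""
    mac = mac.lower()
    # No lines at all for the MAC: no server is running, or the device is not on this segment.
    state = "no DHCP traffic seen for this MAC"
    for line in lines:
        m = DHCP_RE.search(line)
        if m is None or m.group("mac").lower() != mac:
            continue
        msg, ip, tail = m.group("msg").upper(), m.group("ip"), m.group("tail")
        if msg == "DHCPDISCOVER":
            state = ("no free leases: pool exhausted" if "no free leases" in tail
                     else "DISCOVER sent, no OFFER yet")
        elif msg == "DHCPOFFER":
            state = f"OFFER {ip}, no ACK yet"
        elif msg == "DHCPREQUEST":
            state = f"REQUEST {ip}, no ACK yet"
        elif msg == "DHCPACK":
            state = f"ACK {ip}: device has an address"
        elif msg == "DHCPNAK":
            state = f"NAK {ip}: server refused the requested address"
    return state


def devices_seen(lines) -> list:
    """All MAC addresses that appear in dhcpd messages, in first-seen order."""
    seen = []
    for line in lines:
        m = DHCP_RE.search(line)
        if m and m.group("mac").lower() not in seen:
            seen.append(m.group("mac").lower())
    return seen


# Constructed sample: one device completes the exchange, one hits an exhausted pool,
# one has only sent DISCOVER so far.
SAMPLE_LOG = """\
Aug 25 21:02:10 gw dhcpd: DHCPDISCOVER from 00:0e:08:aa:bb:cc via eth1
Aug 25 21:02:11 gw dhcpd: DHCPOFFER on 192.168.1.50 to 00:0e:08:aa:bb:cc via eth1
Aug 25 21:02:11 gw dhcpd: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from 00:0e:08:aa:bb:cc via eth1
Aug 25 21:02:11 gw dhcpd: DHCPACK on 192.168.1.50 to 00:0e:08:aa:bb:cc via eth1
Aug 25 21:05:40 gw dhcpd: DHCPDISCOVER from 00:50:56:11:22:33 via eth1: network 192.168.1.0/24: no free leases
Aug 25 21:05:44 gw dhcpd: DHCPDISCOVER from 00:50:56:11:22:33 via eth1: network 192.168.1.0/24: no free leases
Aug 25 21:07:02 gw dhcpd: DHCPDISCOVER from 00:90:4c:de:ad:01 via eth1
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for mac in devices_seen(lines):
        print(f"{mac}: {lease_status(lines, mac)}")
```

If the device's MAC never shows up at all, that is the situation in this thread: nothing on the LAN is answering DHCP, and no amount of firewall work will change the adapter's "looking for IP" blink pattern.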