My firewall:

Debian kernel 2.6.18-5-686
shorewall version: 4.0.7
iptables v1.3.6

I have shorewall with this config:

DMZ----FW----Router

DMZ is a proxyarped network.

All udp is accepted from net to the interested host.

This is my problem: when I capture the sip trace from the firewall, I get this

#EZ@:SQOyEINVITE sip:02030057940@79.121.222.69 SIP/2.0
Max-Forwards: 69
Session-Expires: 3600;Refresher=uac
Supported: timer
To: <sip:237602030057940@83.245.6.81:5060>
From: "anonymous" <sip:38585001789@83.245.6.81>;tag=3418971446-91877
Contact: <sip:38585001789@83.245.6.81:5060>
Remote-Party-Id: <sip:38585001789@83.245.6.81>;party=calling;screen=yes;privacy=full
Call-ID: 179396-3418971446-91833@msw4.mydomain.com
CSeq: 1 INVITE
Via: SIP/2.0/UDP 83.245.6.81:5060;branch=z9hG4bK3642dc75d81f0fdea5c2172f98e2a7e2
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Length: 305

v=0
o=msw 5063 8671 IN IP4 83.245.6.81
s=sip call
*c=IN IP4 83.245.6.82*
t=0 0
m=audio 28548 RTP/AVP 8 0 18 100 101
a=fmtp:101 0-16
a=rtpmap:101 telephone-event/8000
a=fmtp:100 192-194
a=rtpmap:100 X-NSE/8000
a=fmtp:18 annexb=no
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000

After the firewall (on my asterisk box) the SAME packet looks identical at ip level except from the bold line which becomes 83.245.6.81

0H"]DEZ@9SQOyEINVITE sip:02030057940@79.121.222.69 SIP/2.0
Max-Forwards: 69
Session-Expires: 3600;Refresher=uac
Supported: timer
To: <sip:237602030057940@83.245.6.81:5060>
From: "anonymous" <sip:38585001789@83.245.6.81>;tag=3418971446-91877
Contact: <sip:38585001789@83.245.6.81:5060>
Remote-Party-Id: <sip:38585001789@83.245.6.81>;party=calling;screen=yes;privacy=full
Call-ID: 179396-3418971446-91833@msw4.mydomain.com
CSeq: 1 INVITE
Via: SIP/2.0/UDP 83.245.6.81:5060;branch=z9hG4bK3642dc75d81f0fdea5c2172f98e2a7e2
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Length: 305

v=0
o=msw 5063 8671 IN IP4 83.245.6.81
s=sip call
*c=IN IP4 83.245.6.81*
t=0 0
m=audio 28548 RTP/AVP 8 0 18 100 101
a=fmtp:101 0-16
a=rtpmap:101 telephone-event/8000
a=fmtp:100 192-194
a=rtpmap:100 X-NSE/8000
a=fmtp:18 annexb=no
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000

Of course there's nothing between the firewall and the server.

So it looks like shorewall is forging this udp packet. How can it be possible? Can it be caused by proxyarp? How can I sort this out? This is getting me mad, please help!

Tommaso Calosi
It looks like you have the SIP nat / conntrack modules loaded.

Please look at this post:

http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg01254.html

I just hit a similar problem, after a firewall replacement on one side of an OpenVPN and an Asterisk server at the other end; the old server had an older version of Shorewall which did not load the SIP helper modules by default, and a local SIP phone was correctly connecting to the Asterisk on the remote endpoint; after the installation of the new server with a current Shorewall version (Fedora 8) it stopped working, and I found a lot of SIP rejected packets on the firewall net interface: the remote firewall with Asterisk was sending the packets to the external interface instead of through the VPN.

I unloaded the modules on the local side and the phone immediately registered. Then I followed Tom's advice:

a) Copy /usr/share/shorewall/modules to /etc/shorewall/modules
b) Edit the copy and remove the appropriate lines. It is a good idea to prune the list of modules anyway -- see Shorewall FAQ 59.

on both firewalls, to avoid further problems.

Hope that helps.

Elio

_____

Tommaso Calosi wrote:
> My firewall:
>
> Debian kernel 2.6.18-5-686
> shorewall version: 4.0.7
> iptables v1.3.6
>
> I have shorewall with this config:
>
> DMZ----FW----Router
>
> DMZ is a proxyarped network.
>
> All udp is accepted from net to the interested host.
>
> This is my problem: when I capture the sip trace from the firewall, I
> get this
>
> #EZ@:SQOyEINVITE sip:02030057940@79.121.222.69 SIP/2.0
> Max-Forwards: 69
> Session-Expires: 3600;Refresher=uac
> Supported: timer
> To: <sip:237602030057940@83.245.6.81:5060>
> From: "anonymous" <sip:38585001789@83.245.6.81>;tag=3418971446-91877
> Contact: <sip:38585001789@83.245.6.81:5060>
> Remote-Party-Id:
> <sip:38585001789@83.245.6.81>;party=calling;screen=yes;privacy=full
> Call-ID: 179396-3418971446-91833@msw4.mydomain.com
> CSeq: 1 INVITE
> Via: SIP/2.0/UDP
> 83.245.6.81:5060;branch=z9hG4bK3642dc75d81f0fdea5c2172f98e2a7e2
> Allow-Events: telephone-event
> Content-Type: application/sdp
> Content-Length: 305
>
> v=0
> o=msw 5063 8671 IN IP4 83.245.6.81
> s=sip call
> *c=IN IP4 83.245.6.82*
> t=0 0
> m=audio 28548 RTP/AVP 8 0 18 100 101
> a=fmtp:101 0-16
> a=rtpmap:101 telephone-event/8000
> a=fmtp:100 192-194
> a=rtpmap:100 X-NSE/8000
> a=fmtp:18 annexb=no
> a=rtpmap:18 G729/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
>
> After the firewall (on my asterisk box) the SAME packet looks identical
> at ip level except from the bold line which becomes 83.245.6.81
>
> 0H"]DEZ@9SQOyEINVITE sip:02030057940@79.121.222.69 SIP/2.0
> Max-Forwards: 69
> Session-Expires: 3600;Refresher=uac
> Supported: timer
> To: <sip:237602030057940@83.245.6.81:5060>
> From: "anonymous" <sip:38585001789@83.245.6.81>;tag=3418971446-91877
> Contact: <sip:38585001789@83.245.6.81:5060>
> Remote-Party-Id:
> <sip:38585001789@83.245.6.81>;party=calling;screen=yes;privacy=full
> Call-ID: 179396-3418971446-91833@msw4.mydomain.com
> CSeq: 1 INVITE
> Via: SIP/2.0/UDP
> 83.245.6.81:5060;branch=z9hG4bK3642dc75d81f0fdea5c2172f98e2a7e2
> Allow-Events: telephone-event
> Content-Type: application/sdp
> Content-Length: 305
>
> v=0
> o=msw 5063 8671 IN IP4 83.245.6.81
> s=sip call
> *c=IN IP4 83.245.6.81*
> t=0 0
> m=audio 28548 RTP/AVP 8 0 18 100 101
> a=fmtp:101 0-16
> a=rtpmap:101 telephone-event/8000
> a=fmtp:100 192-194
> a=rtpmap:100 X-NSE/8000
> a=fmtp:18 annexb=no
> a=rtpmap:18 G729/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
>
> Of course there's nothing between the firewall and the server.
>
> So it looks like shorewall is forging this udp packet. How can it be
> possible? Can it be caused by proxyarp? How can I sort this out? This
> is getting me mad, please help!
>
> Tommaso Calosi
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
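The symptom Elio diagnoses is a connection-tracking helper (a SIP ALG) rewriting the SDP body in transit, which is easy to miss because the IP and UDP headers are untouched. A quick way to confirm it is to capture the same INVITE on both sides of the firewall and diff only the fields an ALG touches. The script below is an added example, not code from the thread or from Shorewall; the two sample messages are constructed from the values Tommaso posted (trimmed to the headers the comparison needs), and the field names `sdp.c` / `sdp.m.audio` are this example's own labels.

```python
"""Detect SIP/SDP fields rewritten in transit by comparing a capture taken
before a firewall with one taken after it (the symptom in this thread: the
SDP c= address changed from 83.245.6.82 to 83.245.6.81).

Added example, not code from the thread or from Shorewall.  The two sample
messages are constructed from the values posted in the thread."""
import re
from typing import Dict, Tuple

SDP_CONNECTION = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_MEDIA = re.compile(r"^m=(\w+) (\d+) ", re.M)


def parse_sip(raw: str) -> Dict[str, str]:
    """Flatten the parts of a SIP request that a SIP ALG is known to touch:
    Via, Contact, the SDP connection address (c=) and each media port (m=)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")  # first colon only: values contain colons
        if sep:
            headers[name.strip().lower()] = value.strip()
    fields = {
        "call-id": headers.get("call-id", ""),
        "via": headers.get("via", ""),
        "contact": headers.get("contact", ""),
    }
    match = SDP_CONNECTION.search(body)
    fields["sdp.c"] = match.group(1) if match else ""
    for kind, port in SDP_MEDIA.findall(body):
        fields["sdp.m." + kind] = port
    return fields


def alg_rewrites(before: str, after: str) -> Dict[str, Tuple[str, str]]:
    """Return {field: (value before, value after)} for every field that
    changed between two captures of the same dialog; {} means untouched."""
    a, b = parse_sip(before), parse_sip(after)
    if a["call-id"] != b["call-id"]:
        raise ValueError("captures are from different dialogs, not comparable")
    return {k: (a[k], b.get(k, "")) for k in a if a[k] != b.get(k, "")}


# Constructed sample: the INVITE from the thread, trimmed, as captured on
# the firewall's outside interface ...
BEFORE = """INVITE sip:02030057940@79.121.222.69 SIP/2.0
Max-Forwards: 69
To: <sip:237602030057940@83.245.6.81:5060>
From: "anonymous" <sip:38585001789@83.245.6.81>;tag=3418971446-91877
Contact: <sip:38585001789@83.245.6.81:5060>
Call-ID: 179396-3418971446-91833@msw4.mydomain.com
CSeq: 1 INVITE
Via: SIP/2.0/UDP 83.245.6.81:5060;branch=z9hG4bK3642dc75d81f0fdea5c2172f98e2a7e2
Content-Type: application/sdp
Content-Length: 305

v=0
o=msw 5063 8671 IN IP4 83.245.6.81
s=sip call
c=IN IP4 83.245.6.82
t=0 0
m=audio 28548 RTP/AVP 8 0 18 100 101
a=rtpmap:8 PCMA/8000
"""
# ... and the same packet as it arrived on the Asterisk box behind the firewall.
AFTER = BEFORE.replace("c=IN IP4 83.245.6.82", "c=IN IP4 83.245.6.81")

if __name__ == "__main__":
    for field, (old, new) in alg_rewrites(BEFORE, AFTER).items():
        print(f"{field}: {old!r} -> {new!r}")
```

Run against the two samples it reports a single change, `sdp.c: '83.245.6.82' -> '83.245.6.81'`, exactly the line Tommaso marked in bold. An empty result means the firewall passed the signalling through unmodified; if Via or Contact also differ, the helper is rewriting the signalling path as well as the media address, and the RTP stream will end up aimed at the wrong host.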
Tommaso Calosi
2008-May-05 12:20 UTC
Re: UDP sip/sdp packet forged by shorewall - Please help
Thanks Elio, It works like charm!

Elio Tondo wrote:
> It looks like you have the SIP nat / conntrack modules loaded.
>
> Please look at this post:
>
> http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg01254.html
>
> I just hit a similar problem, after a firewall replacement on one side of an
> OpenVPN and an Asterisk server at the other end; the old server had an older
> version of Shorewall which did not load the SIP helper modules by default, and
> a local SIP phone was correctly connecting to the Asterisk on the remote
> endpoint; after the installation of the new server with a current Shorewall
> version (Fedora 8) it stopped working, and I found a lot of SIP rejected
> packets on the firewall net interface: the remote firewall with Asterisk was
> sending the packets to the external interface instead of through the VPN.
>
> I unloaded the modules on the local side and the phone immediately registered.
> Then I followed Tom's advice:
>
> a) Copy /usr/share/shorewall/modules to /etc/shorewall/modules
> b) Edit the copy and remove the appropriate lines. It is a good idea to
> prune the list of modules anyway -- see Shorewall FAQ 59.
>
> on both firewalls, to avoid further problems.
>
> Hope that helps.
>
> Elio
Elio Tondo wrote:
> I unloaded the modules on the local side and the phone immediately registered.
> Then I followed Tom's advice:
>
> a) Copy /usr/share/shorewall/modules to /etc/shorewall/modules
> b) Edit the copy and remove the appropriate lines. It is a good idea to
> prune the list of modules anyway -- see Shorewall FAQ 59.
>
> on both firewalls, to avoid further problems.

Note that beginning with Shorewall 4.0.6, you can also use the DONT_LOAD option in shorewall.conf:

DONT_LOAD=nf_nat_sip,nf_conntrack_sip

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
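Both fixes in the thread (pruning the modules file, or DONT_LOAD in shorewall.conf) only stop Shorewall from loading the helpers; neither unloads a module that is already in the kernel. The check below, an added example and not part of the thread or of Shorewall, reads /proc/modules and shorewall.conf and reports which SIP helpers are loaded right now and whether the configuration actually excludes them. The /proc/modules and shorewall.conf texts in it are constructed samples; the `ip_conntrack_sip` / `ip_nat_sip` names are the pre-nf_conntrack spelling of the same helpers on 2.6.18-era kernels such as the poster's, and the result keys are this example's own labels.

```python
"""Audit a Shorewall firewall for the SIP connection-tracking helpers that
caused the SDP rewrite in this thread: which of them are loaded, and whether
shorewall.conf's DONT_LOAD (Shorewall 4.0.6+) excludes them.

Added example, not part of the thread or of Shorewall.  The /proc/modules and
shorewall.conf texts below are constructed samples; on a live box pass the
contents of /proc/modules and /etc/shorewall/shorewall.conf instead."""
import re
from typing import Dict, List, Set

# nf_* are the names used in the thread; ip_* are the older names of the same
# helpers under the ip_conntrack stack of 2.6.18-era kernels.
SIP_HELPERS = {"nf_conntrack_sip", "nf_nat_sip", "ip_conntrack_sip", "ip_nat_sip"}


def loaded_modules(proc_modules: str) -> Set[str]:
    """Module names from /proc/modules (first whitespace-separated column)."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def dont_load(shorewall_conf: str) -> Set[str]:
    """Module names listed in DONT_LOAD=... (comma separated, optional quotes,
    '#' comments ignored; the last assignment in the file wins, as in shell)."""
    value = ""
    for line in shorewall_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^DONT_LOAD=["\']?([^"\']*)["\']?$', line)
        if m:
            value = m.group(1)
    return {name.strip() for name in value.split(",") if name.strip()}


def sip_helper_audit(proc_modules: str, shorewall_conf: str) -> Dict[str, List[str]]:
    """Cross the two views.  'loaded_and_unblocked' is the actionable list:
    helpers in the kernel now that DONT_LOAD will load again at next restart."""
    loaded = loaded_modules(proc_modules) & SIP_HELPERS
    blocked = dont_load(shorewall_conf) & SIP_HELPERS
    return {
        "loaded": sorted(loaded),
        "blocked_by_config": sorted(blocked),
        # DONT_LOAD only keeps Shorewall from loading them; one that is already
        # loaded stays in the kernel until it is unloaded by hand or a reboot.
        "still_loaded_despite_config": sorted(loaded & blocked),
        "loaded_and_unblocked": sorted(loaded - blocked),
    }


# Constructed sample of /proc/modules with both helpers loaded, nf_nat_sip
# pinning nf_conntrack_sip (columns: name size refcount users state address).
PROC_MODULES = """\
nf_nat_sip 7680 0 - Live 0xf8c2a000
nf_conntrack_sip 21520 1 nf_nat_sip, Live 0xf8c3b000
nf_conntrack_ipv4 18000 12 nf_nat_sip, Live 0xf8c10000
"""

# Constructed shorewall.conf fragments: default, and with Tom's DONT_LOAD line.
CONF_DEFAULT = "STARTUP_ENABLED=Yes\n# DONT_LOAD=\nDONT_LOAD=\n"
CONF_FIXED = "STARTUP_ENABLED=Yes\nDONT_LOAD=nf_nat_sip,nf_conntrack_sip   # per Tom's post\n"

if __name__ == "__main__":
    for label, conf in (("default", CONF_DEFAULT), ("fixed", CONF_FIXED)):
        print(label, sip_helper_audit(PROC_MODULES, conf))
```

With the default configuration both helpers show up under `loaded_and_unblocked`; after adding Tom's DONT_LOAD line they move to `still_loaded_despite_config`, which is the reminder that the running kernel still has the ALG active until the modules are removed or the box is restarted.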
Tom Eastep wrote:
> Note that beginning with Shorewall 4.0.6, you can also use the DONT_LOAD
> option in shorewall.conf:
>
> DONT_LOAD=nf_nat_sip,nf_conntrack_sip

Thanks, Tom! I'll use this option. Thank you for making Shorewall even better (and it's a wonderful piece of software since the very beginning).

Elio