thr3ads.net - Shorewall users - SIP Video failure through shorewall [Sep 2009]

If this information is useful, please help other people find it:
Share via:

Johnson, S

2009-Sep-10 18:42 UTC

SIP Video failure through shorewall

I''m having a hard time getting a video SIP conversation running through
our shorewall 4.2.10 firewall.

 

I can initiate the connection from outside to a SNAT mapped inside
computer.  The ports used are 5060 UDP and dynamic 60000 - 60499 UDP.

 

masq:

eth2                    10.9.6.10/32    xxx.yyy.zzz.aaa   # my outside
ipaddress mapped inside

 

for the sake of testing, I''ve decided to open all ports UDP inside and
out to this computer only.

rules:

ACCEPT  net     loc:10.9.6.10   all

ACCEPT  loc:10.9.6.10   all

 

When I use conntrack to watch the traffic I see this happen:

[DESTROY] udp      17 src=w.x.y.z dst=a.b.c.d sport=60001 dport=60005
packets=77 bytes=4312 [UNREPLIED] src=10.9.6.10 dst=a.b.c.d sport=60001
dport=1193 packets=0 bytes=0

[DESTROY] udp      17 src=w.x.y.z dst=a.b.c.d sport=60003 dport=60007
packets=55 bytes=3104 [UNREPLIED] src=10.9.6.10 dst=a.b.c.d sport=60003
dport=1193 packets=0 bytes=0

 

 

The dynamic port is re-written from 60001 to 1193.  

 

The weird thing is that I can stop and restart the connection and one
out of 30 will work.  The odd thing is that I don''t see the dynamic
ports open when it does work and it looks like this:

 

    [NEW] udp      17 3600 src=w.x.y.z dst=a.b.c.d sport=5060 dport=5060
[UNREPLIED] src=10.9.6.10 dst=64.8.133.51 sport=5060 dport=5060

 [UPDATE] udp      17 3600 src=w.x.y.z dst=a.b.c.d sport=5060 dport=5060
src=10.9.6.10 dst=w.x.y.z sport=5060 dport=5060

 [UPDATE] udp      17 3600 src=w.x.y.z dst=a.b.c.d sport=5060 dport=5060
src=10.9.6.10 dst=w.x.y.z sport=5060 dport=5060 [ASSURED]

 

I read the FAQ and found the section about adding the following line to
shorewall.conf: DONT_LOAD=nf_nat_sip,nf_conntrack_sip  

 

Which I did and it didn''t seem to help any...

 

I tried doing a DNAT instead using the following line:

DNAT   net     loc:10.9.6.10           -       -       -       a.b.c.d

 

I also bumped up the connection tracking memory to see if that would
take care of the problem and it didn''t.

 

I''ve got this problem even if I start this connection from the inside
going out.

 

Has anyone done this before or know what I could look at?  

 

Thanks

  sj



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what''s new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

Shorewall users - Sep 2009 - SIP Video failure through shorewall

SIP Video failure through shorewall