It's been a long day and I'm at my wits' end with Shorewall and Trixbox. I'm hoping someone here can help me whip up a config that will actually work. I have my Trixbox on the internet and am trying to secure it now. I have a SIP trunk provider.

Here's my config. Cable modem with multiple IPs. One goes to the ASA, one to the Trixbox. The ASA connects to a switch and handles the entire network, PCs and phones.

Private LAN (phones, servers, PCs, Trixbox) is 10.1.0.0/255.255.255.0

Trixbox interface eth1 - public interface with IP 208.xxx.xxx.163, gateway 208.xxx.xxx.161
Trixbox interface eth0 - private interface IP of 10.1.0.15, no gateway assigned

At this point I've tried every configuration I can think of with no real success. It always ends up so that inside callers can hear the outside caller, but outside can't hear inside.

Since it's a SIP trunk, I tried setting it up to allow all packets to and from the two SIP trunk IPs. No luck. I tried allowing UDP 5060 and UDP 10000-20000 inbound. Allowed all access from LOC -> FW, LOC -> NET, FW -> NET, FW -> LOC. Same one-way audio results.

No matter what configuration I chose, once I enable the firewall, some of the phones drop their registration to Trixbox, but SIP/RTP still goes through (I can dial in/out). All I know is that when the firewall is off, everything works fine.

Can someone please help me keep my head sane... it's only Monday.

Thanks.

Max
Max DiOrio wrote:
> Cable modem with multiple IPs. One goes to the ASA, one to the
> Trixbox. The ASA connects to a switch and handles the entire
> network, PCs and phones.
>
> Private LAN (phones, servers, PCs, Trixbox) is 10.1.0.0/255.255.255.0
>
> Trixbox interface eth1 - public interface with IP 208.xxx.xxx.163,
> gateway 208.xxx.xxx.161
> Trixbox interface eth0 - private interface IP of 10.1.0.15, no
> gateway assigned
>
> At this point I've tried every configuration I can think of with no
> real success. It always ends up so that inside callers can hear the
> outside caller, but outside can't hear inside.

Not too dissimilar to what I have at work.

You've probably already done all these, but here's a list of hints:

- Configure the phones to connect to the inside interface on the Trixbox.
- Set "can reinvite" to no on each extension and trunk - this stops Asterisk trying to get the two endpoints talking RTP directly to each other.
- Use the outside IP address for connecting to the SIP provider.
- Turn off/disable the SIP helper module(s) in any Linux boxes and routers - this last bit has caught me out several times. In particular, check if Shorewall is loading any SIP modules: /etc/shorewall/modules, or more likely it'll be using a default file from somewhere else (/usr/share/shorewall on Debian systems).

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
You're right. I have done all that. My problem isn't with the Trixbox setup since it was working before. I just can't get the firewall rules set up properly.

I think I need to see someone else's config files that are similar to mine to sort this out.

Thanks.

Max DiOrio
IT Coordinator
University Ear, Nose & Throat
(518) 262-2251
Robert K Coffman Jr. -Info From Data Corp.
2009-Sep-22 11:05 UTC
Re: Losing my mind after a long day
I don't have to support SIP so I may be out of line here, but couldn't you enable logging on everything and see what the firewall is blocking?
Max DiOrio wrote:
> You're right. I have done all that. My problem isn't with the Trixbox
> setup since it was working before. I just can't get the firewall rules
> set up properly.
>
> I think I need to see someone else's config files that are similar to
> mine to sort this out.

All I have in my Shorewall config is:

ACCEPT net $FW udp 4569,5060,10240:11263

10240:11263 is the port range configured in /etc/asterisk/rtp.conf. Policy is permit for FW->net, FW->Lan, and Lan->FW (I build them a bit more locked down these days).

You might also want to permit TCP for 4569 (IAX2) and SIP (5060).

-- 
Simon Hobson
Also, tshark is a very useful tool - have a look at the packets on the two networks. Of particular interest might be a full decode (-V option) of the SIP packets to see what address/port Asterisk is telling the remote system to use for RTP.

-- 
Simon Hobson
My SIP provider is asking me to open all UDP ports, which is a huge security risk.

What rule can I use to allow all traffic to and from a particular IP? This might be easiest, as the provider only uses two IP addresses. This way I can block all traffic inbound except from those IPs.
Max DiOrio wrote:
> My SIP provider is asking me to open all UDP ports, which is a huge
> security risk.

Then they are a bunch of ignorant tools! The only ports you need to open are the signalling ports (eg 5060 for SIP) and the ports specified in /etc/asterisk/rtp.conf - those are the only ports that will be used.

> What rule can I use to allow all traffic to and from a particular IP?
> This might be easiest, as the provider only uses two IP addresses.
>
> This way I can block all traffic inbound except from those IPs.

ACCEPT net:1.2.3.4 $FW

or to just allow UDP,

ACCEPT net:1.2.3.4 $FW udp

For multiple addresses I think you can do:

ACCEPT net:1.2.3.4,5.6.7.8 $FW

These are for inbound traffic, outbound just swap net:... and $FW.

-- 
Simon Hobson
Still not working for me. In fact, this time it was worse. Everything stays registered, but this time I get no audio in either direction, and although it was working after I enabled the firewall, web access stopped working after a few minutes. I can see the calls come in, but the RTP stream just isn't being set up right. I also tried putting in the dont_load SIP helper as per the Shorewall website, no help.

Here's my config, maybe someone can spot something that's wrong.

zones:
  fw    firewall
  net   ipv4
  loc   ipv4

interfaces:
  loc   eth0   detect
  net   eth1   detect

policies:
  loc   all   ACCEPT
  fw    all   ACCEPT
  net   all   DROP
  all   all   REJECT

rules:
  Ping/ACCEPT     net   $FW
  Webmin/ACCEPT   net   $FW
  ACCEPT   net:204.11.116.47,204.11.119.47,67.242.xx.xx   $FW   all
  ACCEPT   $FW:204.11.116.47,204.11.119.47,67.242.xx.xx   net   all
  ACCEPT   net   fw   all

The third IP in the accept statement is my public IP at home... I didn't want to lock myself out of the box.

I don't see any reason why the above won't work. It should be allowing all packets in to and out of the firewall to the SIP trunk provider's IPs.

Max
On Tue, Sep 22, 2009 at 06:51:14PM -0400, Max DiOrio wrote:
> Here's my config, maybe someone can spot something that's wrong.
> rules:
> ACCEPT net:204.11.116.47,204.11.119.47,67.242.xx.xx $FW all
> ACCEPT $FW:204.11.116.47,204.11.119.47,67.242.xx.xx net all

The 2nd line doesn't make sense, unless the 204 and 67 addresses are associated with some interface on the fw. Move them to the third column with "net:" prefix.

You can of course look at the output of "iptables -L -v -n -t filter" for testing how Shorewall is interpreting its configuration input.

Justin
On Tue, 2009-09-22 at 18:51 -0400, Max DiOrio wrote:
> Still not working for me. In fact, this time it was worse.
> [...]
> Here's my config, maybe someone can spot something that's wrong.
> [...]
> I don't see any reason why the above won't work. It should be allowing all packets in to and out of the firewall to the SIP trunk provider's IPs.

Think it's time for you to submit a shorewall dump...

http://www.shorewall.net/support.htm#Guidelines

Jerry
Thank you for correcting my stupidity. This is the first Linux based firewall I've configured (well, tried to). I'm used to working with Cisco ASA devices. This was quite a learning experience, but I think I'm starting to get the hang of it now. I can place calls in just fine and leave a voicemail... since I don't have an extension here to use at the moment, the acid test will come tomorrow morning when I get into the office.

Thanks again.

Max
On Tue, 2009-09-22 at 18:51 -0400, Max DiOrio wrote:
> [...]
> rules:
> Ping/ACCEPT net $FW
> Webmin/ACCEPT net $FW
> ACCEPT net:204.11.116.47,204.11.119.47,67.242.xx.xx $FW all
> ACCEPT $FW:204.11.116.47,204.11.119.47,67.242.xx.xx net all

The only time that this would make sense is if $FW and net were the same interface. Maybe you meant this..

ACCEPT net:204.11.116.47,204.11.119.47,67.242.xx.xx $FW all
ACCEPT $FW net:204.11.116.47,204.11.119.47,67.242.xx.xx all

> ACCEPT net fw all
> [...]
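As an added example (written for this editing pass, not posted by anyone in the thread), here is a complete set of Shorewall fragments for the setup Max describes, combining Simon's advice to open only the signalling port and the rtp.conf range, Justin's column fix for the outbound rule, and Robert's suggestion to log what the policies drop. It assumes the two provider addresses quoted in the thread, a placeholder for the home admin address, and the Trixbox default RTP range 10000:20000, which must be checked against /etc/asterisk/rtp.conf before use.

```shorewall
# ---- /etc/shorewall/shorewall.conf (only the relevant line) ----
# Keep the kernel SIP ALG out of the path; Asterisk already knows its own
# public address, and the helper rewriting SDP is a classic one-way-audio cause.
DONT_LOAD=nf_conntrack_sip,nf_nat_sip

# ---- /etc/shorewall/policy ----
# Log what the catch-all policies drop so blocked SIP/RTP shows up in syslog.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       all    ACCEPT
$FW       all    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# ---- /etc/shorewall/rules ----
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# Provider addresses are the ones quoted in the thread; HOME_IP_PLACEHOLDER
# stands for the admin's public address and is an assumption, not a real value.
#ACTION        SOURCE                              DEST                                PROTO  DEST PORT(S)

# SIP signalling: only from the provider's two proxies, not from the whole net.
# (The phones register against the inside interface, so nothing else on net
# needs 5060.)  The SIP macro expands to udp 5060.
SIP/ACCEPT     net:204.11.116.47,204.11.119.47     $FW

# RTP media from the provider only.  The range MUST match /etc/asterisk/rtp.conf;
# 10000:20000 is the Trixbox default and is assumed here.
ACCEPT         net:204.11.116.47,204.11.119.47     $FW                                 udp    10000:20000

# Outbound to the provider.  The address list belongs in the DEST column with
# the net: prefix; "$FW:addr" in the SOURCE column is the mistake discussed
# above.  Redundant while "$FW all ACCEPT" is the policy, but keeps working if
# that policy is later tightened to DROP.
ACCEPT         $FW                                 net:204.11.116.47,204.11.119.47     udp    5060,10000:20000

# Admin access from one address only, instead of a blanket "ACCEPT net fw all",
# which accepts everything from the internet and makes the other rules moot.
SSH/ACCEPT     net:HOME_IP_PLACEHOLDER             $FW
Webmin/ACCEPT  net:HOME_IP_PLACEHOLDER             $FW
Ping/ACCEPT    net                                 $FW
```

After `shorewall restart`, the iptables view Justin mentions (`iptables -L -v -n -t filter`) should show the 10000:20000 udp accept in the net2fw chain keyed on the two provider sources, and any dropped packets will appear in syslog with the `Shorewall:net2fw:DROP:` prefix.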