Tom:

I have two macros that you may want to add to the new versions of Shorewall.

Hope this helps!

macro.Phone works for IP Phones (example Asterisk etc.)

macro.Prelude works for Prelude IDS

--
Eric Teeter

On Fri, 16 Mar 2012 12:58:07 -0500 (CDT) Eric Teeter <teetere@charter.net> wrote:

> Tom:
>
> I have two macros that you may want to add to the new versions of
> Shorewall.
>
> Hope this helps!
>
> macro.Phone works for IP Phones (example Asterisk etc.)

Phone is a very bad name for this. Macro names generally are for protocols or software.

> macro.Prelude works for Prelude IDS

This makes more sense in naming point.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

Tuomo:

I know, but there is more than Asterisk out there. That is why it was more generic. Then maybe macro.IPPhone would work.

Eric

----- Original Message -----
From: "Tuomo Soini" <tis@foobar.fi>
To: shorewall-users@lists.sourceforge.net
Sent: Saturday, March 17, 2012 3:25:02 AM
Subject: Re: [Shorewall-users] new macros I use

On 16 Mar 2012, at 17:58, Eric Teeter <teetere@charter.net> wrote:

> Tom:
>
> I have two macros that you may want to add to the new versions of Shorewall.
>
> Hope this helps!
>
> macro.Phone works for IP Phones (example Asterisk etc.)
>
> macro.Prelude works for Prelude IDS

I can't comment on the Prelude macro, but the Phone one seems wrong to me. I wouldn't want to open SIP, IAX, RTP _and_ MGCP for phones - in fact I'm only really likely to want one or two at a time. Separate SIP, IAX and MGCP macros make more sense to me.

Also, you only need RTP for SIP unless I'm mistaken (definitely not IAX, no idea about MGCP), and the 'sip' conntrack helper is usually clever enough to classify RTP as 'related' so it automatically flows through. Maybe a separate RTP macro as well?

HTH,
Chris

--
Chris Boot
bootc@bootc.net

Chris:

On Prelude I use to open to the inside not the outside, if you have like snort on your firewall. I found that if I did not it would not work otherwise. If you have no sensors on your firewall you will not need it.

On the Phone it makes it easier for me to follow what I have open. The nice thing is anyone then can comment out what they want to keep closed. It is just a personal pref. I would edit down the SIP for your application as you only need one Port, but this way it will work if you have 5090 instead of 5060. I just place all possible in the macro so those who do not know the port numbers have a reference to work with.

Eric

----- Original Message -----
From: "Chris Boot" <bootc@bootc.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Saturday, March 17, 2012 10:01:57 AM
Subject: Re: [Shorewall-users] new macros I use

On 03/17/2012 09:28 AM, Eric Teeter wrote:

> Chris:
>
> On Prelude I use to open to the inside not the outside, if you have
> like snort on your firewall. I found that if I did not it would not
> work otherwise. If you have no sensors on your firewall you will not
> need it.
>
> On the Phone it makes it easier for me to follow what I have open.
> The nice thing is anyone then can comment out what they want to keep
> closed. It is just a personal pref. I would edit down the SIP for
> your application as you only need one Port, but this way it will work
> if you have 5090 instead of 5060. I just place all possible in the
> macro so those who do not know the port numbers have a reference to
> work with.
>

I would much rather see a VOIP HOWTO from those of you who use it than a Swiss Army Knife macro that opens way too much for most folks.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Chris Boot wrote:

>I can't comment on the Prelude macro, but the Phone one seems wrong
>to me. I wouldn't want to open SIP, IAX, RTP _and_ MGCP for phones

Indeed. Other issues:

SIP can use TCP as well as UDP

RTP range is VERY system dependent. 10001-20000 is just the default for Asterisk. NB - IIRC they changed the start to avoid confusion with Webmin on port 10000.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
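
Added example, not part of the thread and not the macros Eric posted or any macro shipped with Shorewall: one way to lay out the per-protocol split the replies ask for, so that a rule opens only the protocol actually in use. The macro file names (macro.SIPsig, macro.IAX2) and the zone names (net, pbx) are assumptions; 5060 and 10001-20000 are the values named in the thread, and 4569/udp is the registered IAX port.

```conf
# /etc/shorewall/macro.SIPsig
# Hypothetical local macro: SIP signalling only, on both transports,
# since SIP can run over TCP as well as UDP.
#ACTION   SOURCE   DEST   PROTO   DPORT
PARAM     -        -      udp     5060
PARAM     -        -      tcp     5060

# /etc/shorewall/macro.IAX2
# Hypothetical local macro: IAX2 multiplexes signalling and media on a
# single UDP port, so no RTP range is needed for it.
#ACTION   SOURCE   DEST   PROTO   DPORT
PARAM     -        -      udp     4569

# /etc/shorewall/rules
# Zone names "net" and "pbx" are assumed. Invoke only the macro for the
# protocol the PBX actually speaks; leave the others out entirely.
#ACTION          SOURCE   DEST   PROTO   DPORT
SIPsig(ACCEPT)   net      pbx
#IAX2(ACCEPT)    net      pbx

# RTP media. With the sip conntrack helper tracking the call, the media
# flows are classified as RELATED and need no rule here. Open a range
# only when the helper is not in use, and set it to the range configured
# on the PBX itself (10001:20000 is the Asterisk default named above).
#ACCEPT          net      pbx    udp     10001:20000
```

A PBX listening on a non-default signalling port, such as the 5090 case mentioned in the thread, would get its own explicit rule for that one port rather than a macro listing every possible port.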