Re: [Asterisk-Users] Broken firewall or brain damaged admin?

Sat, 10 Jun 2006 02:01:49 -0700 

Brian Capouch wrote:
I am travelling this week and have had to buy connectivity from a hotel and at a couple of airports. 


For the first time ever, I have had problems (twice out of four 
connections) with IAX traffic going through firewalls.



I'm almost certain I'm looking at a broken firewall, and if it's a 
commercial one that's in use by hotspot/hotel-type operations, I would 
like to follow up and see if I can figure out how to convince them to 
fix it.


In both cases I have been on a NAT connection.


In both cases I have been able trace and see the following behavior, 
identical in both:



1. My packets leave a private IP asking for a UDP connection to my home 
Asterisk server, port 4569.


2. Asterisk reports "<Unregistered>" when I do an iax2 show registry.


3. Sniffing at my home server shows tons of traffic similar to this 
snippet:



21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: 
ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: 
ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)



I'd like to ask the list two things: first, is this indeed a broken 
firewall?  It seems like the NAT mapping that sends traffic out should 
accept the return traffic on the port it uses (4569 in this case) as its 
*source* port.



Probably not. If it were broken, then dns and other udp services would 
fail as well.



Second, and more important, anything I can do beyond beating my head 
against doltish ISP customer service reps, who in both cases told me 
that I had something broken "on my end?"



Guess you could try changing the iax port (from 4569) to see if that 
works. If it does, there might be an access list applied somewhere that 
is blocking 4569.



A more complete/detailed sniffer trace might be helpful since the above 
snippet only shows one-way traffic and not much of the actual packet.


R.

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users






















					Reply via email to