Dan, I recently replaced a long working m0n0wall firewall/router setup with AstLinux, allowing SIP to be directly off a public IP address. I have not looked back.
I am using a custom build of trunk, too bad 0.7 is not quite available. There have been a lot of improvements with Arno's firewall in trunk (0.7), and an older Arno version is in 0.6.x. Regardless, 0.6.x should work for you as well.

Firewall Rules:

If you are not accepting remote SIP peers, then "Pass EXT->Local UDP 5060" is not generally necessary; between your registrations to remote providers and 'qualify=yes' of outbound peers, firewall states will be automatically maintained. Ditto for "Pass EXT->Local UDP 10000-20000" (hopefully a smaller rtp.conf range than that).

If you are accepting remote SIP peers (as it seems you are) then the above firewall rules are required. If you can further restrict the 5060 by source IP address, all the better. The "Pass EXT->Local UDP 10000-20000" can possibly be skipped by using the sip-voip Arno Plugin, but you can experiment with that after things are working with the firewall rule in place.

Both the above two firewall rules are independent of Traffic Shaping.

All of the AstLinux web interface system configuration .conf files are saved in the directory /mnt/kd/rc.conf.d/ . The Firewall sub-tab's data is saved in gui.firewall.conf in that directory. The gui.firewall.conf file contains the variable GUI_FIREWALL_RULES, which saves the firewall rules in a generic format that only the web interface uses. Following the GUI_FIREWALL_RULES definition are the Arno Firewall variables that get generated.

Note: The Arno firewall variable format has changed from 0.6.x to 0.7, though the GUI_FIREWALL_RULES has not, so a Firewall "Save Settings" of a 0.6.x config on a 0.7 system will automatically generate the proper Arno Firewall variables.

Hope this helps.

Lonnie

On Sep 9, 2009, at 9:02 AM, Dan Ryson wrote:

> All,
>
> After many years, I've finally decided to brave the elements and move Astlinux out from behind my NAT firewall and onto a public IP address. Since this system is presently in service, if I don't get this right the first time, I'll risk facing an angry mob. This brings me to a basic question regarding the proper configuration of Arno's firewall in the AstLinux environment:
>
> In Google-ing around, I found plenty of documentation of Arno's firewall on his web site and forum. I also found a helpful paragraph and screen-shot of the AstLinux GUI firewall settings on Lonnie's web site. However, I couldn't find an answer to this feeble-minded question:
>
> Other than the settings for Traffic Shaping, Lonnie's screen-shot doesn't show any Firewall Rules that pass VoIP UDP ports to Asterisk (EXT->Local). Does this action need to be explicitly set in the Firewall Rules or is it inherent from the Traffic Shaping settings?
>
> If feasible, it would be very helpful if someone could provide example settings from their working Firewall Configuration page. Our system is pretty "normal" with a few SIP VoIP providers and a mixture of SIP and IAX2 extensions located both on the LAN and at distant WAN locations on the Internet.
>
> Also, it would be helpful to be able to inspect the GUI-generated firewall configuration so I can make the effort to understand what the GUI is doing from the perspective of Arno's firewall - and leverage the documentation and discussions provided on his site. Is there such a file? If so, where does it reside?
>
> During some limited testing over the Labor Day weekend, I had troubles with no-audio (in either direction) with calls from internal LAN extensions to distant WAN extensions. I'm not certain, but this problem appeared to be solved by passing ports 10000-20000 from EXT->Local.
>
> The entire purpose of this exercise is to get re-invites working. Hopefully, this will permit us to shift some RTP traffic from distant WAN stations directly to the VoIP providers, in the effort to reduce latency and traffic on this server.
>
> Any insight and advice would be greatly appreciated.
>
> Dan

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
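Lonnie's two points above, restricting the UDP 5060 pass rule by source IP and keeping the RTP pass range aligned with rtp.conf, as an added sanity check (example code written for this thread, not AstLinux's own and not from either poster). The rule tuples are a hypothetical simplified representation, not the GUI_FIREWALL_RULES format, and the rtp.conf text is constructed sample input; Asterisk's real rtpstart/rtpend keys and their 5000-31000 defaults are used.

```python
import re

# Constructed sample of an Asterisk rtp.conf (real file format, sample values).
RTP_CONF = """\
[general]
rtpstart=10000
rtpend=20000
"""

# Hypothetical simplified form of the "Pass EXT->Local" rules, NOT AstLinux's
# GUI_FIREWALL_RULES format: (protocol, first_port, last_port, source). Constructed.
SAMPLE_RULES = [
    ("udp", 5060, 5060, "any"),
    ("udp", 10000, 20000, "any"),
]

SIP_PORT = 5060


def parse_rtp_range(text):
    """Return (rtpstart, rtpend) from rtp.conf text; Asterisk's defaults are 5000-31000."""
    start, end = 5000, 31000
    for line in text.splitlines():
        m = re.match(r"\s*(rtpstart|rtpend)\s*=\s*(\d+)", line)
        if m and m.group(1) == "rtpstart":
            start = int(m.group(2))
        elif m:
            end = int(m.group(2))
    return start, end


def audit_rules(rules, rtp_range):
    """Return (code, detail) findings for the EXT->Local pass rules."""
    rtp_start, rtp_end = rtp_range
    findings = []
    for proto, lo, hi, src in rules:
        if proto != "udp":
            continue
        is_sip = lo <= SIP_PORT <= hi
        if is_sip and src == "any":
            findings.append(("sip-any-source",
                             "UDP 5060 is passed from any source; restrict to peer IPs"))
        # Any non-SIP rule overlapping the RTP range is treated as the RTP pass rule.
        if not is_sip and lo <= rtp_end and hi >= rtp_start:
            if lo > rtp_start or hi < rtp_end:   # gap here means one-way/no audio
                findings.append(("rtp-too-narrow",
                                 f"{lo}-{hi} does not cover rtp.conf {rtp_start}-{rtp_end}"))
            elif lo < rtp_start or hi > rtp_end:  # ports open that Asterisk never uses
                findings.append(("rtp-too-wide",
                                 f"{lo}-{hi} exceeds rtp.conf {rtp_start}-{rtp_end}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_rules(SAMPLE_RULES, parse_rtp_range(RTP_CONF)):
        print(code, detail)
```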