Philip, Darrick, and Lonnie,
This is exactly the information I was hoping to receive. Thank you for
your thoughtful responses.
I'm sure this will help greatly.
With kind regards,
Dan
Lonnie Abelbeck wrote:
Dan,
I recently replaced a long working m0n0wall firewall/router setup with
AstLinux, allowing SIP to be directly off a public IP address. I have
not looked back.
I am using a custom build of trunk; too bad 0.7 is not quite
available. There have been a lot of improvements with Arno's firewall
in trunk (0.7), and an older Arno version is in 0.6.x. Regardless,
0.6.x should work for you as well.
Firewall Rules:
If you are not accepting remote SIP peers, then "Pass EXT->Local UDP
5060" is not generally necessary; between your registrations to remote
providers and 'qualify=yes' of outbound peers, firewall states will be
automatically maintained. Ditto for "Pass EXT->Local UDP
10000-20000" (hopefully a smaller rtp.conf range than that).
If you are accepting remote SIP peers (as it seems you are) then the
above Firewall rules are required. If you can further restrict the
5060 by source IP address all the better. The "Pass EXT->Local UDP
10000-20000" can possibly be skipped by using the sip-voip Arno
Plugin, but you can experiment with that after things are working with
the firewall rule in place.
Both the above two firewall rules are independent of Traffic Shaping.
All of the AstLinux web interface system configuration .conf files are
saved in the directory /mnt/kd/rc.conf.d/ . The Firewall sub-tab's
data is saved in gui.firewall.conf in that directory. The
gui.firewall.conf file contains the variable GUI_FIREWALL_RULES which
saves the firewall rules in a generic format that only the web
interface uses. Following the GUI_FIREWALL_RULES definition are the
Arno Firewall variables that get generated.
Note: The Arno firewall variable format has changed from 0.6.x to
0.7, though the GUI_FIREWALL_RULES has not, so a Firewall "Save
Settings" of a 0.6.x config on a 0.7 system will automatically
generate the proper Arno Firewall variables.
Hope this helps.
Lonnie
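As an added illustration of the advice above (not code from the thread or from AstLinux), the script below derives the EXT->Local UDP pass rules from whether remote SIP peers are accepted, the known peer source addresses, and the rtpstart/rtpend values in Asterisk's rtp.conf, and then audits the result for the two weak spots mentioned: UDP 5060 open to any source, and an RTP pass range far wider than rtp.conf needs. The rule strings mimic the GUI's "Pass EXT->Local UDP ..." wording only for readability; the sample rtp.conf, the 203.0.113.0/24 peer address and the 2000-port "wide range" threshold are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of an Asterisk rtp.conf with a narrow range (not from the thread).
SAMPLE_RTP_CONF = """[general]
; constructed example: keep the RTP range small
rtpstart=12000
rtpend=12500
"""

def rtp_range(rtp_conf_text):
    """Return (rtpstart, rtpend) parsed from rtp.conf text.
    Falls back to 5000-31000, the defaults shipped in Asterisk's sample rtp.conf (assumed)."""
    start, end = 5000, 31000
    for line in rtp_conf_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"(rtpstart|rtpend)\s*=\s*(\d+)$", line)
        if m:
            if m.group(1) == "rtpstart":
                start = int(m.group(2))
            else:
                end = int(m.group(2))
    if start > end:
        raise ValueError("rtpstart must not exceed rtpend")
    return start, end

def ext_to_local_rules(accept_remote_peers, peer_sources, rtp_conf_text):
    """Build the EXT->Local UDP pass rules the reply describes.
    With no remote peers, outbound registrations and qualify=yes keep the
    firewall states alive, so no inbound pass rule is needed at all."""
    if not accept_remote_peers:
        return []
    # Narrow 5060 to known peer addresses/CIDRs when they are available.
    sources = [str(ipaddress.ip_network(s, strict=False)) for s in peer_sources] or ["any"]
    start, end = rtp_range(rtp_conf_text)
    rules = [f"Pass EXT->Local UDP 5060 from {src}" for src in sources]
    rules.append(f"Pass EXT->Local UDP {start}-{end}")
    return rules

def audit(rules):
    """Flag what a reviewer would question: SIP open to any source, oversized RTP range."""
    findings = []
    for r in rules:
        if r.startswith("Pass EXT->Local UDP 5060") and r.endswith("from any"):
            findings.append("UDP 5060 accepts from any source; restrict by peer IP if possible")
        m = re.search(r"UDP (\d+)-(\d+)$", r)
        if m and int(m.group(2)) - int(m.group(1)) > 2000:   # assumed threshold
            findings.append("RTP pass range is wide; tighten rtp.conf to what Asterisk needs")
    return findings
```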
On Sep 9, 2009, at 9:02 AM, Dan Ryson wrote:
All,
After many years, I've finally decided to brave the elements and
move Astlinux out from behind my NAT firewall and onto a public IP
address. Since this system is presently in service, if I don't get
this right the first time, I'll risk facing an angry mob. This
brings me to a basic question regarding the proper configuration of
Arno's firewall in the AstLinux environment:
In Google-ing around, I found plenty of documentation of Arno's
firewall on his web site and forum. I also found a helpful
paragraph and screen-shot of the AstLinux GUI firewall settings on
Lonnie's web site. However, I couldn't find an answer to this
feeble-minded question:
Other than the settings for Traffic Shaping, Lonnie's screen-shot
doesn't show any Firewall Rules that pass VoIP UDP ports to Asterisk
(EXT->Local). Does this action need to be explicitly set in the
Firewall Rules or is it inherent from the Traffic Shaping settings?
If feasible, it would be very helpful if someone could provide
example settings from their working Firewall Configuration page.
Our system is pretty "normal" with a few SIP VoIP providers and a
mixture of SIP and IAX2 extensions located both on the LAN and at
distant WAN locations on the Internet.
Also, it would be helpful to be able to inspect the GUI-generated
firewall configuration so I can make the effort to understand what
the GUI is doing from the perspective of Arno's firewall - and
leverage the documentation and discussions provided on his site. Is
there such a file? If so, where does it reside?
During some limited testing over the Labor Day weekend, I had
troubles with no-audio (in either direction) with calls from
internal LAN extensions to distant WAN extensions. I'm not certain,
but this problem appeared to be solved by passing ports 10000-20000
from EXT->Local.
The entire purpose of this exercise is to get re-invites working.
Hopefully, this will permit us to shift some RTP traffic from
distant WAN stations directly to the VoIP providers, in the effort
to reduce latency and traffic on this server.
Any insight and advice would be greatly appreciated.
Dan
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.