> (Side note, previous versions of the Arno firewall script defaulted to
> 'all ports' if none were specified, now if no ports are specified, no
> logging occurs.)
> 

O.K. that's good to know. Still, it seems that something is borked here:

> If you add the rule:
> 
> Log Local Out | TCP | Destination: 0/0 | Port: 1 - 65535
> 
> Then a LOG rule is generated for all ports to all destinations for TCP
> going Out from the AstLinux box.

I've done that (see attached picture).
Still I get no log messages on the status page even if I access sites on my 
external IF.

Furthermore:
> >I as a simple user would have expected that disabling a firewall ALLOWS all
> >traffic.
> 
> Normally it is so. All traffic is allowed. Maybe there is something wrong 
> with your configuration.
> 

It might seem naive, but if I simply disable the firewall, I can no longer 
access my external IF from any LAN computers. When the firewall is active, 
traffic is NATed to the outside and the firewall rules are applied.

Would disabling the firewall also disable the masquerading (NAT) via the 
external interface?


> 
> 
> To answer some of your previous questions...
> 
> To allow all SIP and RTP for an external SIP phone, add something like...
> 
> Pass EXT->Local | UDP | Source: 0/0 | Port: 5060
> 
> (Restrict more than any host 0/0 Source address if you can)
> 
> Pass EXT->Local | UDP | Source: 0/0 | Port: 10000-20000
> 
> (The port range here should exactly match your /etc/asterisk/rtp.conf
> rtpstart-rtpend port range.  Alternatively you can enable the 'sip-voip'
> plugin, but personally I keep the 'sip-voip' plugin disabled and use the
> above firewall rule.)
> 
> Hope this helps.
> 
> Lonnie
> 
> 

Thanks. This is very helpful. Of course, only if I really can get the 
firewall rules to apply. First step would be to make a simple "log all" rule 
work.

Michael
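
Added example, not part of the original messages: a check of the advice quoted above that the RTP rule's port range should exactly match rtpstart-rtpend in /etc/asterisk/rtp.conf, which also flags rules left open to any source (0/0). The rtp.conf sample and all function names are constructed here, and the code assumes the rules are available as text in the form quoted in the thread.

```python
import re

# Constructed sample of /etc/asterisk/rtp.conf (not taken from the thread).
SAMPLE_RTP_CONF = """\
[general]
; RTP port range used by Asterisk
rtpstart=10000
rtpend=20000
"""
# Rule lines written the way the thread quotes them.
SAMPLE_RULES = [
    "Pass EXT->Local | UDP | Source: 0/0 | Port: 5060",
    "Pass EXT->Local | UDP | Source: 0/0 | Port: 10000-20000",
]

def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from rtp.conf text, ignoring ';' comments."""
    vals = {}
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"(rtpstart|rtpend)\s*=\s*(\d+)$", line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    if set(vals) != {"rtpstart", "rtpend"}:
        raise ValueError("rtpstart and rtpend must both be set")
    return vals["rtpstart"], vals["rtpend"]

def parse_rule(rule):
    """Split 'Action | Proto | Source: x | Port: a-b' into a dict."""
    action, proto, source, port = [f.strip() for f in rule.split("|")]
    lo, _, hi = port.split(":", 1)[1].replace(" ", "").partition("-")
    return {"action": action, "proto": proto,
            "source": source.split(":", 1)[1].strip(),
            "ports": (int(lo), int(hi or lo))}

def audit(conf_text, rules):
    """Return a list of findings comparing inbound UDP rules with rtp.conf."""
    want = rtp_range(conf_text)
    udp_in = [r for r in map(parse_rule, rules)
              if r["action"] == "Pass EXT->Local" and r["proto"] == "UDP"]
    # Skip the SIP signalling rule; anything else is treated as an RTP rule.
    rtp_rules = [r for r in udp_in if r["ports"] != (5060, 5060)]
    findings = []
    if not any(r["ports"] == want for r in rtp_rules):
        findings.append("no UDP rule exactly matches rtp.conf range %d-%d" % want)
    findings += ["range %d-%d differs from rtp.conf" % r["ports"]
                 for r in rtp_rules if r["ports"] != want]
    findings += ["port %d-%d open to any source (0/0)" % r["ports"]
                 for r in udp_in if r["source"] == "0/0"]
    return findings
```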

<<attachment: FW1.png>>

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
