On 10/13/10 7:44 AM, Lonnie Abelbeck wrote:
> On Oct 13, 2010, at 9:15 AM, Dan Ryson wrote:
>
>> All,
>>
>> I wonder if I may, once again, ask for your help.
>>
>> Using the GUI to configure the firewall, my intent was to open only one
>> "Source IP" to port 5060, for an off-site IP phone. I'm depending on
>> frequent & regular registration traffic to keep port 5060 open to
>> providers. Despite this, I see the occasional registration attempt from
>> elsewhere, as shown below.
>>
>> Oct 13 04:23:36 sip local0.notice asterisk[2776]: NOTICE[2776]:
>> chan_sip.c:16474 in handle_request_register: Registration from
>> '"1010161682"<sip:1010161...@169.25.161.29>' failed for '140.117.176.226' -
>> No matching peer found
>>
>> So, with all other source IPs closed to port 5060, how might a
>> registration request from '140.117.176.226' be reaching Asterisk?
>>
>> The only thing that looked a bit suspicious in iptables, is this:
>>
>> Chain EXT_INPUT_CHAIN (2 references)
>> target prot opt source destination
>> ACCEPT udp -- anywhere anywhere udp dpts:5060:5080
>>
>> However, it looks like the above is merely the result of settings in the
>> SIP-VOIP plugin, which specifies ports 5060:5080. When disabling
>> SIP-VOIP, the above entry goes away.
>>
>> Your thoughts?
>>
>> Thanks for considering my question.
>>
>> Dan
>
> Don't enable the sip-voip plugin. :-)
>
> The sip-voip plugin may have its place, (it basically automatically opens
> the RTP voice ports) but I personally don't enable it.
>
> So, if you disable the sip-voip plugin you will need to allow a UDP range
> matching your asterisk rtp.conf range. (make it smaller than the default)
>
> Or, keep the sip-voip plugin enabled and also enable the adaptive-ban plugin
> to ban the attack probes.
>
> Lonnie
>
> PS: A better long term solution would be to add a SIP_VOIP_SOURCE="0/0"
> variable to the sip-voip plugin, so you can limit by the source address...
> I'll try to get that in the next version of AIF.
That would be redundant. There's already a generic way to limit UDP traffic to
the firewall. Adding a second method to do the same would create ambiguity and
confusion.

All the sip plugin does--all it's supposed to do--is maintain a NAT hole for the
SDP (media) stream open based on the information it sees in the SIP transactions
(since the SDP endpoints talk to each other, but the SIP stream goes through one
or more intermediaries). Given the asymmetry of SIP to SDP, you can't have SDP
maintain its own associations in NAT, especially not if you use short timers and
VAD or muting.

The SIP plugin is a hook for a NAT helper. Period. It doesn't do access control
because it doesn't need to.

Dan: I'd try using $HOST_OPEN_UDP. The interface is your $EXTIF. The source-ip
is whatever source address you want, the destination port is 5060.

Also, in sip-voip.conf, set:

SIP_VOIP_PORTS="5060"

You only need additional ports if your Asterisk is listening on alternate ports,
which it probably isn't.

Lonnie: I might have stepped out of Astlinux, but not from AIF. Please don't be
modifying my plugins without my consent.

-Philip

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
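Philip's advice is to leave access control to the firewall ($HOST_OPEN_UDP) and treat the sip-voip plugin purely as a NAT helper. The script below is an added check, not code from the thread or from AstLinux/AIF: it pulls the source addresses of failed registrations out of chan_sip log lines and reports any that are not the permitted phone, so you can confirm on the Asterisk side that nothing but the allowed source still reaches port 5060. The allow list and the addresses 198.51.100.7 and the two non-quoted log lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the thread or of AstLinux/AIF.
# Reads Asterisk chan_sip log lines on stdin and prints, with a count, every
# source address that failed registration with "No matching peer found" and
# is not in the allow list. If the HOST_OPEN_UDP rule for 5060 is doing its
# job, only the permitted phone should ever reach chan_sip, so this should
# print nothing.
#
# Usage: unexpected_registrations "ip1 ip2 ..." < /var/log/messages
unexpected_registrations() {
    allowed="$1"
    grep 'handle_request_register: Registration from' \
    | grep 'No matching peer found' \
    | sed -n "s/.* failed for '\([0-9.]*\)' - No matching peer found.*/\1/p" \
    | sort | uniq -c \
    | while read -r count ip; do
        case " $allowed " in
            *" $ip "*) ;;                          # permitted source, skip
            *) printf '%s %s\n' "$ip" "$count" ;;  # unexpected source
        esac
    done
}

# Constructed sample log: the first line is the one quoted in the thread, the
# other two are made up (198.51.100.7 stands in for the permitted phone).
sample_log() {
    cat <<'EOF'
Oct 13 04:23:36 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161682"<sip:1010161...@169.25.161.29>' failed for '140.117.176.226' - No matching peer found
Oct 13 04:25:01 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"100"<sip:100@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
Oct 13 04:26:10 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161682"<sip:1010161...@169.25.161.29>' failed for '140.117.176.226' - No matching peer found
EOF
}

sample_log | unexpected_registrations '198.51.100.7'
# prints: 140.117.176.226 2
```

If the script prints anything other than the permitted phone while $HOST_OPEN_UDP is in place, the 5060:5080 rule from the plugin (or another open rule) is still letting the traffic through.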