I am running astlinux-0.7.7 (Asterisk 1.4.40) on a Soekris box behind my ISP's cable router on my LAN. I am forwarding all SIP & RTP packets from this router to the external interface of astlinux. All of my phones connect to astlinux through the external interface of the Soekris box as well. Using Arno, I set up rules to allow inbound SIP/RTP from my LAN clients and my SIP provider. In the rules for the SIP provider, I used the hostname of their server as opposed to an IP address. While my system was booting, I saw the following messages displayed on the console:
------------------------------
Allowing 0/0 for TCP port(s): 22
Allowing 0/0 for TCP port(s): 443
Allowing 192.168.1.0/24 for UDP port(s): 10000:10100
Allowing 192.168.1.0/24 for UDP port(s): 4569
Allowing 192.168.1.0/24 for UDP port(s): 5060
Allowing inbound23.vitelity.net for UDP port(s): 10000:10100
/usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 -p udp --dport 10000:10100 -j ACCEPT
ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
Try `iptables -h' or 'iptables --help' for more information.
Allowing inbound23.vitelity.net for UDP port(s): 5060
/usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 -p udp --dport 5060 -j ACCEPT
ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
Try `iptables -h' or 'iptables --help' for more information.
[cut]
Mar 14 19:57:22 WARNING: Not all firewall rules are applied.
------------------------------

There seems to be a problem using hostnames in the rules. Since then I have substituted IP addresses in my rules to resolve the errors (although I would really prefer to use hostnames).
However, it looks like Arno permitted SIP connections from ANY host, because the adaptive ban plugin logged the following messages to /var/log:

pbx log # cat messages
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"604"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"605"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"606"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"607"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"608"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"609"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"610"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"611"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"612"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"613"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"614"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"615"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
...

Apparently, my box was under attack by a system at 173.192.216.91. So if hostnames are not supported in the Arno rules and those rules failed to execute, I would have thought that all SIP connections from outside my LAN would have been blocked; however, it seems that wasn't the case. Is this the expected behavior of the system, or have I misconfigured something?

-tm

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
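Two defender-side helpers for the situation described above, as an added example that is my own code and not Arno's, AstLinux's or the poster's: the first resolves a hostname before it is handed to iptables and fails closed (emits nothing and returns an error) when the lookup fails, instead of continuing with a warning like the boot output shows; the second counts Asterisk "Registration from ... failed for 'IP'" notices per source address over a log, which is the evidence an adaptive-ban mechanism acts on. The chain name EXT_INPUT_CHAIN and the iptables path come from the console output in the post; `getent ahostsv4` is assumed to be available; the sample log and the addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not Arno's, AstLinux's or the poster's code).
# Assumptions: getent(1) is available; IPv4 only; EXT_INPUT_CHAIN and the
# iptables path are taken from the post's console output.

# lookup_host NAME -> prints the IPv4 address(es) for NAME, one per line;
# returns 1 if nothing resolves. getent honours /etc/hosts as well as DNS.
lookup_host() {
    addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || return 1
    printf '%s\n' "$addrs"
}

# resolve_src SPEC -> prints SPEC unchanged if it is already an IPv4 address or
# CIDR block (digits, dots and slash only); otherwise treats it as a hostname.
resolve_src() {
    case "$1" in
        *[!0-9./]*) lookup_host "$1" ;;    # has letters etc.: a hostname
        *)          printf '%s\n' "$1" ;;  # literal address or CIDR
    esac
}

# emit_rule SPEC PORTS -> prints one ACCEPT rule per resolved address.
# Fails closed: on an unresolvable name it prints nothing and returns 1,
# so the port is simply not opened for that source.
emit_rule() {
    spec=$1; ports=$2
    addrs=$(resolve_src "$spec") || {
        echo "ERROR: cannot resolve '$spec'; not opening UDP $ports" >&2
        return 1
    }
    for a in $addrs; do
        printf '/usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s %s -d 0/0 -p udp --dport %s -j ACCEPT\n' \
            "$a" "$ports"
    done
}

# build_ruleset: reads "SOURCE PORTS" pairs on stdin, prints the rules that
# could be built, and returns 1 if ANY rule failed, so the caller can abort
# instead of loading a partial ruleset with only a warning.
build_ruleset() {
    status=0
    while read -r src ports; do
        [ -n "$src" ] || continue
        emit_rule "$src" "$ports" || status=1
    done
    return "$status"
}

# failed_registration_sources [THRESHOLD]: reads Asterisk messages on stdin and
# prints "IP COUNT" for every source with at least THRESHOLD (default 5) failed
# SIP registrations, i.e. the pattern in the post's log excerpt.
failed_registration_sources() {
    threshold=${1:-5}
    sed -n "s/.*handle_request_register: Registration from .* failed for '\([0-9.]*\)'.*/\1/p" \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Constructed sample log modelled on the post's excerpt: six attempts from one
# outside address (203.0.113.7, a documentation-range address) plus a single
# failure from a LAN phone, which stays below the threshold.
sample_log() {
    cat <<'EOF'
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"604"<sip:604@192.168.1.10>' failed for '203.0.113.7' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"605"<sip:605@192.168.1.10>' failed for '203.0.113.7' - No matching peer found
Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"606"<sip:606@192.168.1.10>' failed for '203.0.113.7' - No matching peer found
Mar 8 06:58:48 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"607"<sip:607@192.168.1.10>' failed for '203.0.113.7' - No matching peer found
Mar 8 06:58:48 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"608"<sip:608@192.168.1.10>' failed for '203.0.113.7' - No matching peer found
Mar 8 06:58:48 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"609"<sip:609@192.168.1.10>' failed for '203.0.113.7' - No matching peer found
Mar 8 07:01:02 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"6O1"<sip:6O1@192.168.1.10>' failed for '192.168.1.20' - No matching peer found
EOF
}
```

Usage: `printf 'inbound23.vitelity.net 5060\n192.168.1.0/24 5060\n' | build_ruleset || echo "refusing to load partial ruleset"` builds the rules only when every source resolves, and `failed_registration_sources 5 < /var/log/messages` lists the addresses that exceed the threshold. The point of `build_ruleset` returning non-zero is that the firewall script can stop and keep the previous (or a default-deny) policy rather than proceed with some rules missing, which is the condition the boot output above reports only as a warning.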