RE: [Asterisk-Users] OT: SIP aware firewalls?
We use Juniper/Netscreen 5GT's with the latest 5.3 firmware. It is fully SIP aware, and in a NAT environment it modifies the addresses in the SIP frames according to the NAT table. The Netscreen also checks the SIP frame for the UDP ports to be opened for the audio channels and opens them for the session only. We have clients and servers inside and outside, and everything talks SIP and works like a charm.

Regards.
Andre Vink
Vink Consultancy

- Original Message -
Subject: RE: [Asterisk-Users] OT: SIP aware firewalls?
From: Chris Bagnall [EMAIL PROTECTED]
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' asterisk-users@lists.digium.com
Date: 07-01-2006 1:25

> > I know that I can stay with m0n0. The question still stands; are there circumstances when something more is required? Would something be gained by such a migration.
>
> I would think the only real circumstances where true SIP-aware firewalls would be required would be in an environment where one had many SIP devices behind a NAT (and by many I mean more than it's reasonably practical to assign different port numbers to).
>
> I'm no expert on firewalls, so hopefully someone'll correct me if I'm mistaken.
>
> Regards,
> Chris
> --
> C.M. Bagnall, Director, Minotaur I.T. Limited
> This email is made from 100% recycled electrons

___
--Bandwidth and Colocation provided by Easynews.com --
Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] OT: SIP aware firewalls?
Michael Graves wrote:
> Surely there's something more to the truly SIP-aware device, such as the Ingate IX66, that merits their use in some specific circumstances?
>
> I know that I can stay with m0n0. The question still stands; are there circumstances when something more is required? Would something be gained by such a migration.

Back when SIP was a fairly new protocol and NOTHING had any kind of workaround for running SIP with NAT, then you had to have a SIP aware firewall/NAT box to do it.

These days, with almost all SIP devices and most SIP servers supporting workarounds for doing it, a SIP aware firewall is seldom needed.

Some of the SIP endpoints that connect to my servers are behind SIP aware routers (Cisco), but I disable that feature. Why? Because I don't want one configuration for some clients and another configuration for other clients. I also disable any special SIP/NAT features of the SIP clients that connect to my servers (except for MAYBE NAT Keepalive) for the same reasons.

VoIP and telecom is complicated enough. I don't want to make things even more complicated.
RE: [Asterisk-Users] OT: SIP aware firewalls?
On Thu, 5 Jan 2006 17:57:47 +0100, Erwin de Raad wrote:
> > You should be able to run SIP through m0n0wall quite happily - we have a number of client sites with SIP phones offsite which connect to the * server behind a m0n0wall box.
> >
> > You'll need to allow 5060 (UDP) for SIP, then an appropriate port range (as defined in rtp.conf) for the RTP streams. You'll obviously also need to apply any QoS rules to both the SIP and RTP streams.
>
> Totally agree. I moved from Kerio WinRoute (claims to be SIP aware not) to Monowall and all SIP/NAT issues went away. It doesn't do QoS but you can do bandwidth/traffic shaping which also should work fine.

Surely there's something more to the truly SIP-aware device, such as the Ingate IX66, that merits their use in some specific circumstances?

I truly love my m0n0wall. It's been 100% solid and totally manageable, even for a relative novice such as myself. I don't generally have problems with getting the mechanics of SIP setup through m0n0. But I thought that there must be some advantage to the proxy services provided in SIP aware devices or they simply wouldn't exist.

I know that I can stay with m0n0. The question still stands; are there circumstances when something more is required? Would something be gained by such a migration.

Michael
--
Michael Graves [EMAIL PROTECTED]
Sr. Product Specialist www.pixelpower.com
Pixel Power Inc. [EMAIL PROTECTED]
o713-861-4005
o800-905-6412
c713-201-1262
fwd 54245
RE: [Asterisk-Users] OT: SIP aware firewalls?
> I know that I can stay with m0n0. The question still stands; are there circumstances when something more is required? Would something be gained by such a migration.

I would think the only real circumstances where true SIP-aware firewalls would be required would be in an environment where one had many SIP devices behind a NAT (and by many I mean more than it's reasonably practical to assign different port numbers to).

I'm no expert on firewalls, so hopefully someone'll correct me if I'm mistaken.

Regards,
Chris
--
C.M. Bagnall, Director, Minotaur I.T. Limited
This email is made from 100% recycled electrons
Re: [Asterisk-Users] OT: SIP aware firewalls?
Chris Bagnall wrote:
> > I know that I can stay with m0n0. The question still stands; are there circumstances when something more is required? Would something be gained by such a migration.
>
> I would think the only real circumstances where true SIP-aware firewalls would be required would be in an environment where one had many SIP devices behind a NAT (and by many I mean more than it's reasonably practical to assign different port numbers to).
>
> I'm no expert on firewalls, so hopefully someone'll correct me if I'm mistaken.

You want a router with outbound proxy when you have many devices behind NAT. The outbound proxy will take care of the RTP port mapping and also be smart enough to ensure that RTP packets between proxied endpoints don't leave the LAN. Some outbound proxies can act as a registrar to allow local endpoints to call each other even when there's no connection to the default registrar.

Take a look at the Thomson Speedtouch 610 DSL router/firewall with SIP:
http://www.speedtouchdsl.com/pdf%5Cdatasheet610.pdf
[Asterisk-Users] OT: SIP aware firewalls?
Hi All,

Until now I've only used IAX2 to connect to ITSPs. I've been toying with a SIP connection to Gizmo Project, but not yet successfully. It brings to mind a question. At what point does it make sense to consider a SIP-aware firewall such as those from Ingate?

I'd hate to move away from my m0n0wall, which is open source, easy to manage and has served me brilliantly for two years.

Thanks,
Michael Graves
--
Michael Graves [EMAIL PROTECTED]
Sr. Product Specialist www.pixelpower.com
Pixel Power Inc. [EMAIL PROTECTED]
o713-861-4005
o800-905-6412
c713-201-1262
fwd 54245
RE: [Asterisk-Users] OT: SIP aware firewalls?
> Until now I've only used IAX2 to connect to ITSPs. I've been toying with a SIP connection to Gizmo Project, but not yet successfully. It brings to mind a question. At what point does it make sense to consider a SIP-aware firewall such as those from Ingate?

You should be able to run SIP through m0n0wall quite happily - we have a number of client sites with SIP phones offsite which connect to the * server behind a m0n0wall box.

You'll need to allow 5060 (UDP) for SIP, then an appropriate port range (as defined in rtp.conf) for the RTP streams. You'll obviously also need to apply any QoS rules to both the SIP and RTP streams.

Regards,
Chris
--
C.M. Bagnall, Director, Minotaur I.T. Limited
This email is made from 100% recycled electrons
Re: [Asterisk-Users] OT: SIP aware firewalls?
- Original Message -
From: Chris Bagnall [EMAIL PROTECTED]
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' asterisk-users@lists.digium.com
Sent: Thursday, January 05, 2006 5:33 PM
Subject: RE: [Asterisk-Users] OT: SIP aware firewalls?

> > Until now I've only used IAX2 to connect to ITSPs. I've been toying with a SIP connection to Gizmo Project, but not yet successfully. It brings to mind a question. At what point does it make sense to consider a SIP-aware firewall such as those from Ingate?
>
> You should be able to run SIP through m0n0wall quite happily - we have a number of client sites with SIP phones offsite which connect to the * server behind a m0n0wall box.
>
> You'll need to allow 5060 (UDP) for SIP, then an appropriate port range (as defined in rtp.conf) for the RTP streams. You'll obviously also need to apply any QoS rules to both the SIP and RTP streams.

Totally agree. I moved from Kerio WinRoute (claims to be SIP aware not) to Monowall and all SIP/NAT issues went away. It doesn't do QoS but you can do bandwidth/traffic shaping which also should work fine.

Erwin
RE: [Asterisk-Users] OT: SIP aware firewalls?
I suspect that there might be more to this question than has been answered so far. Most firewalls will allow you to open and forward a port range; thus they are SIP compliant. However, if you want more than one SIP client behind your firewall, you will want a firewall with a SIP application filter (to intelligently direct the SIP RTP packets to the right client).

So if I can rephrase your question for the group, are there any (linux?) firewalls with SIP RTP application filters?

We managed to build a rudimentary ISA Server application filter for SIP RTP, but nothing commercial quality.

Michelle Dupuis
Technical Support Specialist
Oxford Consulting Group Ltd.
Making IT work for your business...
T: (519) 672-8238
E: [EMAIL PROTECTED]
W: www.ocg.ca
Re: [Asterisk-Users] OT: SIP aware firewalls?
Technical Support wrote:
> So if I can rephrase your question for the group, are there any (linux?) firewalls with SIP RTP application filters?

Pretty much any recent one, just load the ip_conntrack_sip module:
http://www.iptel.org/sipalg/

Tony
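
What the SIP-aware firewall behaviour described in this thread amounts to for one outbound call: rewrite the private addresses in the SIP message per the NAT table, read the audio port from the SDP, and open that UDP port for this session only. This is an added example, not code from any poster, from Netscreen, or from the netfilter helper; the addresses, the public RTP port, the `alg_rewrite` name and the sample INVITE are all constructed assumptions.

```python
import re

PRIVATE, PUBLIC = "192.168.1.10", "203.0.113.5"  # assumed NAT table entry
RTP_PUBLIC_PORT = 40000                          # assumed port picked by the NAT
# Constructed INVITE (not captured traffic) from a phone behind the NAT.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@192.168.1.10",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.10:5060>",
    "Content-Type: application/sdp",
    "Content-Length: 116",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10",
    "s=-",
    "c=IN IP4 192.168.1.10",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
    "",
])

def alg_rewrite(msg, private, public, rtp_public_port):
    """Return (rewritten message, pinhole or None) for one outbound INVITE."""
    head, body = msg.split("\r\n\r\n", 1)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    if m is None:
        return msg, None  # no audio offered, so no media port to open
    # Rewrite only Via and Contact; Call-ID identifies the dialog and must
    # pass through unchanged even though it contains the private address.
    lines = [l.replace(private, public)
             if l.lower().startswith(("via:", "contact:")) else l
             for l in head.split("\r\n")]
    # SDP: translate the o=/c= addresses and the advertised media port.
    body = re.sub(r"^(o=.* IN IP4 |c=IN IP4 )" + re.escape(private),
                  lambda mo: mo.group(1) + public, body, flags=re.M)
    body = body.replace(m.group(0), "m=audio %d " % rtp_public_port, 1)
    # The body changed size, so Content-Length has to be recomputed.
    lines = ["Content-Length: %d" % len(body.encode())
             if l.lower().startswith("content-length:") else l for l in lines]
    call_id = next(l.split(":", 1)[1].strip() for l in lines
                   if l.lower().startswith("call-id:"))
    # UDP pinhole for this Call-ID only; removed on BYE or timeout.
    pinhole = {"call_id": call_id, "public": (public, rtp_public_port),
               "private": (private, int(m.group(1)))}
    return "\r\n".join(lines) + "\r\n\r\n" + body, pinhole
```

The pinhole record is the security-relevant part: a static port forward leaves the whole RTP range from rtp.conf open permanently, while a per-call entry exposes one UDP port for the life of one dialog.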