On Wed, Oct 31, 2007 at 07:55:28AM +0100, Simon Hobson wrote:
> 
> >> This is a SIP device, and you probably have the SIP NAT problem - the
> >> problem being that SIP is a stupid protocol.
> 
> <rant>On a matter of personal opinion, it's not the SIP that's 
> stupid, it works 'just fine' on an unbroken network ! Where NAT is 
> involved, the network is fundamentally broken and there are no 
> workarounds for what it does that are 100% reliable - all that can be 
> said is that it works 'well enough' for enough people enough of the 
> time for people to be fooled into thinking it's a good idea. 
> Meanwhile, by 'fixing' the problem of available addresses, it's 
> delayed the uptake of IPv6 by many, many years and thus delayed for 
> many years to come the real solution to a lack of addresses. Bear in 
> mind that I've yet to see a SIP device that supports IPv6 so we're 
> now stuck with the problem even if every ISP in the world turned on 
> IPv6 today.</rant>

I subscribe only to the "NAT is awkward" school, not the "NAT is evil"
one, but SIP's a pretty stupid protocol even without NAT. There's just
no good excuse for the way it scatters traffic through unrelated ports
- it would have worked just as well if it had used only one port. Even
without NAT, it's a nuisance for stateful firewalls.

Also, I have to work with a hardware PBX that scatters the SIP control
and audio streams through different IP addresses, and that's just
inexcusable.

> My guess is that the phone device is doing STUN or something to find 
> out what address & ports to use in the SIP messages - then the SIP 
> helper mangles the packet and breaks things.

That's not the default configuration for this device, so it wasn't my
first guess, but with this extra information it seems likely.
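
Added example, not part of the original message: a small Python check that lists every address and port a SIP INVITE asks the peer to use (Via, Contact, SDP `c=`/`m=`) and flags the two situations discussed in this thread, private addresses advertised across NAT and media on a different host than signalling. The function names and the abbreviated INVITE are constructed for illustration, and only IPv4 literals are handled.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Via sent-by or Contact URI host, IPv4 literals only; port defaults to 5060.
HEADER_RE = re.compile(r"^(via|contact):.*?(?:SIP/2\.0/\w+\s+|@)(\d+\.\d+\.\d+\.\d+)(?::(\d+))?",
                       re.I | re.M)

# Constructed, abbreviated INVITE from a phone behind NAT (sample data, not from the thread).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK74bf9",
    "Contact: <sip:alice@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.168.1.30",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 31",
])

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def sip_endpoints(message):
    """List the (role, ip, port) tuples the message tells the peer to send to."""
    head, _, body = message.partition("\r\n\r\n")
    found = [(m.group(1).lower(), m.group(2), int(m.group(3) or 5060))
             for m in HEADER_RE.finditer(head)]
    media = [["session", None, 0]]           # slot 0 holds the session-level c= address
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):     # a c= after an m= overrides for that stream
            media[-1][1] = line.split()[2].split("/")[0]
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append([kind, media[0][1], int(port.split("/")[0])])
    return found + [tuple(m) for m in media[1:]]

def nat_findings(message, packet_src):
    """Flag advertised endpoints that break across NAT or split media from signalling."""
    endpoints = sip_endpoints(message)
    signalling = {ip for role, ip, _ in endpoints if role in ("via", "contact")}
    findings = []
    for role, ip, port in endpoints:
        if ip and is_rfc1918(ip) and not is_rfc1918(packet_src):
            findings.append((role, ip, port, "private address advertised across NAT"))
        if ip and role not in ("via", "contact") and ip not in signalling:
            findings.append((role, ip, port, "media host differs from signalling host"))
    return findings
```

Here `packet_src` is the source address the receiving side actually saw on the packet; each tuple returned by `sip_endpoints` is a separate flow a stateful firewall or SIP helper has to learn from the payload.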
