I just got Shorewall up and running on a CentOS box with the aid of Webmin.
I have the luxury of 64 public addresses and thus both sides of this firewall have routable addresses. No NATing! (I am a co-author of RFC 1918.) This particular firewall's life purpose is protecting my Asterisk servers (one is also an NTP server). I **thought** I was setting up the rules right. It looks like I have a SIP registration with my VoIP provider (Broadvoice), but calling is not working.

Here is what I have:

    cat interfaces
    #
    Pub    eth0    detect
    VoIP   eth1    detect

    cat zones
    #
    fw     firewall
    Pub    ipv4
    #
    VoIP   ipv4
    #

    cat rules
    #
    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW
    ACCEPT  all    all    icmp
    ACCEPT  all    all    udp    53
    ACCEPT  Pub    VoIP   tcp    80
    ACCEPT  Pub    VoIP   tcp    443
    # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
    ACCEPT  all-   all-   udp    5004:5082
    ACCEPT  all-   all-   tcp    5060
    # RTP - the media stream
    ACCEPT  all-   all-   udp    10000:20000
    # IAX2 - the IAX protocol
    ACCEPT  all-   all-   udp    4569
    # IAX - most have switched to IAX v2, or ought to
    ACCEPT  all-   all-   udp    5036

See anything obvious here? Other than Wireshark on the firewall, how might I figure out what is being blocked? All I get is a fast busy on a call.

On a related note, I want low-overhead reporting on usage and throughput on this firewall. The box is low end (per /proc/cpuinfo - bogomips : 731.66, and 256 MB memory) and I don't want to steal cycles from the voice traffic to measure any firewall induced voice degradation.
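An added example (not from the post) of answering the "what is being blocked" question without running Wireshark: when the zone-pair policies in Shorewall's policy file carry a log level such as `info` (the post does not show its policy file, so that is assumed), each packet a policy drops lands in the kernel log with a `Shorewall:<src>2<dst>:DROP:` prefix, and the script below parses such lines and checks every dropped zone pair/port against the rules posted above. The log lines, the RFC 5737 addresses and the chain-naming form are constructed for the example.

```python
import re
from collections import Counter
# The posted rules as (source, dest, proto, low_port, high_port). "all" and "all-"
# are both treated as wildcards here (assumption: Shorewall's exact "all-" meaning is not modelled).
RULES = [("all", "all", "udp", 53, 53), ("Pub", "VoIP", "tcp", 80, 80),
         ("Pub", "VoIP", "tcp", 443, 443), ("all-", "all-", "udp", 5004, 5082),
         ("all-", "all-", "tcp", 5060, 5060), ("all-", "all-", "udp", 10000, 20000),
         ("all-", "all-", "udp", 4569, 4569), ("all-", "all-", "udp", 5036, 5036)]
# Kernel log lines in the shape Shorewall logging produces ("Shorewall:<src>2<dst>:<disposition>:"
# followed by netfilter's key=value fields). Constructed for this example, RFC 5737 addresses.
SAMPLE_LOG = """\
Jan  5 10:01:02 fw kernel: Shorewall:Pub2VoIP:DROP:IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.20 LEN=200 PROTO=UDP SPT=30000 DPT=25000 LEN=180
Jan  5 10:01:03 fw kernel: Shorewall:Pub2VoIP:DROP:IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.20 LEN=200 PROTO=UDP SPT=30000 DPT=25000 LEN=180
Jan  5 10:01:04 fw kernel: Shorewall:Pub2VoIP:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=192.0.2.21 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  5 10:01:05 fw kernel: Shorewall:VoIP2Pub:DROP:IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=45000 DPT=80 SYN
Jan  5 10:01:06 fw kernel: Shorewall:Pub2VoIP:ACCEPT:IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.20 LEN=60 PROTO=UDP SPT=5060 DPT=5060 LEN=40
"""
LINE_RE = re.compile(r"Shorewall:(?P<src>[^:2]+)2(?P<dst>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Zones, disposition, proto and destination port of one Shorewall log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group("rest")))
    return {"src_zone": m.group("src"), "dst_zone": m.group("dst"), "disp": m.group("disp"),
            "proto": f.get("PROTO", "").lower(), "dpt": int(f["DPT"]) if "DPT" in f else None}

def matching_rule(src_zone, dst_zone, proto, dpt):
    """First posted ACCEPT rule covering this zone pair, proto and port, else None."""
    for s, d, p, lo, hi in RULES:
        if s in ("all", "all-", src_zone) and d in ("all", "all-", dst_zone) \
                and p == proto and lo <= dpt <= hi:
            return (s, d, p, lo, hi)
    return None

def summarize_drops(log_text):
    """DROPs grouped by (src_zone, dst_zone, proto, dport), most frequent first, each
    paired with the posted rule that should have covered it (None: no rule names that port)."""
    counts = Counter()
    for line in log_text.splitlines():
        r = parse_line(line)
        if r and r["disp"] == "DROP" and r["dpt"] is not None:
            counts[(r["src_zone"], r["dst_zone"], r["proto"], r["dpt"])] += 1
    return [(key, n, matching_rule(*key)) for key, n in counts.most_common()]

if __name__ == "__main__":
    print(*summarize_drops(SAMPLE_LOG), sep="\n")
```

On the sample input the report shows RTP arriving on a port above the 10000:20000 range, NTP (UDP 123) to the NTP server with no rule at all, and HTTP from the VoIP zone outward, which only the Pub-to-VoIP rule covers.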
