Robert Moskowitz wrote:
> I just got Shorewall up and running on a Centos box with the aid of Webmin.
>
> I have the luxury of 64 public addresses and thus both sides of this
> firewall have routable addresses. No NATing! (I am a co-author of RFC
> 1918).
>
> This particular firewall's life purpose is protecting my Asterisk
> servers (one is also an NTP server). I **thought** I was setting up the
> rules right. It looks like I have a SIP registration with my VoIP
> provider (Broadvoice), but calling is not working. Here is what I have:
>
> cat interfaces
> #
> Pub eth0 detect
> VoIP eth1 detect
>
>
> cat zones
> #
> fw firewall
> Pub ipv4 #
> VoIP ipv4 #
>
> cat rules
> #
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
> ACCEPT all all icmp
> ACCEPT all all udp 53
> ACCEPT Pub VoIP tcp 80
> ACCEPT Pub VoIP tcp 443
> # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
> ACCEPT all- all- udp 5004:5082

I would suggest limiting that to just dport 5060.

> ACCEPT all- all- tcp 5060

I've never heard of SIP using TCP.

> # RTP - the media stream
> ACCEPT all- all- udp 10000:20000

I would cut that down a bit - do you really need 10,000 simultaneous call
capacity! Don't forget to alter /etc/asterisk/rtp.conf (IIRC) to suit.
Also, start at 10001 not 10000 as that is used for Webmin.

> # IAX2- the IAX protocol
> ACCEPT all- all- udp 4569
> # IAX - most have switched to IAX v2, or ought to
> ACCEPT all- all- udp 5036

Do you have IAX configured and in use - if not then I'd leave that rule out.

>
> See anything obvious here? Other than wireshark on the firewall, how
> might I figure out what is being blocked? All I get is a fast busy on a
> call.

I would also suggest being more specific with your rules - all to all is
generating rules for stuff you may not need/want. I personally favour
listing specific servers unless there are a few - so only traffic to known
servers gets allowed. The params file is useful for creating names that can
be used in the rules files - eg $AstBoxes instead of listing IP addresses.

> On a related note, I want a low-overhead reporting on usage and
> through-put on this firewall. The box is low end (per /proc/cpuinfo -
> bogomips : 731.66, and 256Mb memory) and I don't want to steal
> cycles from the voice traffic to measure any firewall induced voice
> degradation.

See /etc/shorewall/accounting. You can quickly set up some rules to count
traffic, and it's then fairly simple to knock up a script to read the
counters (I find "iptables -L account-ip -vxn" gives a reasonably parsable
output), you may need to change account-ip to whatever your accounting
chain is called. I feed the results into an rrd database and graph things
from there. It doesn't take a lot of overhead to do.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
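The counter-polling script the reply sketches, written out as an added example that is not part of the original message: it parses the output of "iptables -L account-ip -vxn" (the two listings embedded below are constructed sample data, not captured from the poster's firewall; the chain name account-ip and the SIP/RTP ports are taken from the thread), turns the cumulative counters into per-rule rates between two polls, copes with a chain that was rebuilt between polls (counters that went backwards), and builds the rrdtool update command. The data-source names r<N>_pkts/r<N>_bytes and the RRD path are this example's assumptions, not anything Shorewall or rrdtool defines.

```python
"""Read a Shorewall accounting chain via `iptables -L <chain> -vxn`, compute
per-rule rates between two polls, and build the `rrdtool update` arguments.
Added example; the iptables listings below are constructed sample data."""
import re
from dataclasses import dataclass

# One -vxn rule line: pkts bytes [target] [!]prot opt in out src dst [matches].
# A pure COUNT rule has no target, so the column is optional; the optional group
# only keeps a target when a protocol field follows it.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?:(?P<target>[A-Za-z][\w-]*)\s+)?"
    r"(?P<proto>!?(?:all|tcp|udp|icmp|esp|ah|sctp|\d+))\s+"
    r"(?P<opt>\S+)\s+(?P<iface_in>\S+)\s+(?P<iface_out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*?)\s*$"
)


@dataclass(frozen=True)
class Rule:
    pkts: int
    bytes: int
    target: str
    proto: str
    iface_in: str
    iface_out: str
    src: str
    dst: str
    extra: str

    @property
    def key(self):
        # Rule identity across polls: everything except the counters.
        return (self.target, self.proto, self.iface_in, self.iface_out,
                self.src, self.dst, self.extra)


def parse_counters(text):
    """Rules of one listing, in chain order.  The 'Chain ...' and column-header
    lines do not start with a digit, so the regex skips them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(pkts=int(m["pkts"]), bytes=int(m["bytes"]),
                              target=m["target"] or "", proto=m["proto"],
                              iface_in=m["iface_in"], iface_out=m["iface_out"],
                              src=m["src"], dst=m["dst"], extra=m["extra"]))
    return rules


def rates(old, new, interval_s):
    """Packets/s and bytes/s per rule between two polls interval_s apart.  A
    counter that went backwards (chain rebuilt by `shorewall restart`) or a rule
    not present in the earlier poll is treated as having started from zero."""
    prev_by_key = {r.key: r for r in old}
    result = {}
    for r in new:
        p = prev_by_key.get(r.key)
        dp = r.pkts - p.pkts if p and p.pkts <= r.pkts else r.pkts
        db = r.bytes - p.bytes if p and p.bytes <= r.bytes else r.bytes
        result[r.key] = (dp / interval_s, db / interval_s)
    return result


def rrd_update_args(rrd_path, rules):
    """argv for `rrdtool update` with the raw cumulative counters.  Assumes the
    RRD was created with COUNTER data sources named r<N>_pkts / r<N>_bytes in
    chain order (this example's naming, not anything Shorewall defines)."""
    names, values = [], []
    for i, r in enumerate(rules):
        names += [f"r{i}_pkts", f"r{i}_bytes"]
        values += [str(r.pkts), str(r.bytes)]
    return ["rrdtool", "update", rrd_path, "-t", ":".join(names),
            "N:" + ":".join(values)]


# Constructed listings of an account-ip chain, 60 s apart: two COUNT rules for
# SIP and one DONE (RETURN) rule for RTP whose counters drop between polls, as
# they would after the chain was rebuilt.
SAMPLE_T0 = """\
Chain account-ip (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   12034    2310528            udp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            udp dpt:5060
   11987    2295760            udp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            udp spt:5060
  884120  176824000 RETURN     udp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            udp dpts:10001:20000
"""
SAMPLE_T1 = """\
Chain account-ip (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   12154    2333568            udp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            udp dpt:5060
   12107    2318800            udp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            udp spt:5060
    2000     400000 RETURN     udp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            udp dpts:10001:20000
"""

if __name__ == "__main__":
    t0, t1 = parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1)
    for key, (pps, bps) in rates(t0, t1, 60).items():
        print(f"{key[-1]:22s} {pps:8.2f} pkt/s {bps:10.1f} B/s")
    print(" ".join(rrd_update_args("/var/lib/rrd/account-ip.rrd", t1)))
```

For a live poll, replace the constructed samples with `parse_counters(subprocess.check_output(["iptables", "-L", "account-ip", "-vxn"], text=True))` run as root from cron or a small loop. rrdtool's COUNTER data-source type derives the rate from the cumulative values itself, so rates() is only needed when you want to print or alert on the numbers without an RRD; the regex treats the target column as optional because a plain COUNT rule in the accounting file produces a rule with no target, which a naive whitespace split would misread.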
