thanks for your help, below.

Simon Hobson wrote:
> Robert Moskowitz wrote:
>
>> I just got Shorewall up and running on a Centos box with the aid of Webmin.
>>
>> I have the luxury of 64 public addresses and thus both sides of this
>> firewall have routable addresses. No NATing! (I am a co-author of RFC
>> 1918).
>>
>> This particular firewall's life purpose is protecting my Asterisk
>> servers (one is also an NTP server). I **thought** I was setting up the
>> rules right. It looks like I have a SIP registration with my VoIP
>> provider (Broadvoice), but calling is not working. Here is what I have:
>>
>> cat interfaces
>> #
>> Pub eth0 detect
>> VoIP eth1 detect
>>
>>
>> cat zones
>> #
>> fw firewall
>> Pub ipv4 #
>> VoIP ipv4 #
>>
>> cat rules
>> #
>> #SECTION ESTABLISHED
>> #SECTION RELATED
>> SECTION NEW
>> ACCEPT all all icmp
>> ACCEPT all all udp 53
>> ACCEPT Pub VoIP tcp 80
>> ACCEPT Pub VoIP tcp 443
>> # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
>> ACCEPT all- all- udp 5004:5082
>>
>
> I would suggest limiting that to just dport 5060.
>
I got this from the wiki: http://www.voip-info.org/wiki-Asterisk+firewall+rules

>> ACCEPT all- all- tcp 5060
>>
>
> I've never heard of SIP using TCP
>
It does. Part of the RFC. I should know, I attended enough of the meetings!
And we are finally seeing SSL being used. Many worry about the TCP overhead
for lots of SIP clients. But TCP has its advantages...

>> # RTP - the media stream
>> ACCEPT all- all- udp 10000:20000
>>
>
> I would cut that down a bit - do you really need 10,000 simultaneous
> call capacity ! Don't forget to alter /etc/asterisk/rtp.conf (IIRC)
> to suit. Also, start at 10001 not 10000 as that is used for Webmin.
>
Yeah, well webmin uses TCP, not UDP? And those are the default ports, and
no, only a few calls at a time!
>> # IAX2 - the IAX protocol
>> ACCEPT all- all- udp 4569
>> # IAX - most have switched to IAX v2, or ought to
>> ACCEPT all- all- udp 5036
>>
>
> Do you have IAX configured and in use - if not then I'd leave that rule out.
>
Free World Dialup for one. IAXmodem is of course localhost so the firewall
should never see it.

>> See anything obvious here? Other than wireshark on the firewall, how
>> might I figure out what is being blocked? All I get is a fast busy on a
>> call.
>>
>
> I would also suggest being more specific with your rules - all to all
> is generating rules for stuff you may not need/want. I personally
> favour listing specific servers unless there are a few - so only
> traffic to known servers gets allowed.
>
Only thing(s) on the voipnet are Trixboxes. They are all dual-ported as well
with all phones on the voipinnet. So the rules are for access to the firewall
and to the Trixboxes only. Well, one of them runs NTP. Oh, and Hylafax+ for
efax, so smtp is needed as well.

> The params file is useful for
> creating names that can be used in the rules files - eg $AstBoxes
> instead of listing Ip addresses.
>
thanks, but like I said, only asterisk boxes (Trixbox) on the internal net here.

>> On a related note, I want a low-overhead reporting on usage and
>> through-put on this firewall. The box is low end (per /proc/cpuinfo -
>> bogomips : 731.66, and 256Mb memory) and I don't want to steal
>> cycles from the voice traffic to measure any firewall induced voice
>> degradation.
>>
>
> See /etc/shorewall/accounting.
>
> You can quickly set up some rules to count traffic, and it's then
> fairly simple to knock up a script to read the counters (I find
> "iptables -L account-ip -vxn" gives a reasonably parsable output),
> you may need to change account-ip to whatever your accounting chain
> is called. I feed the results into an rrd database and graph things
> from there.
>
> It doesn't take a lot of overhead to do.
>
thanks.
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
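The counter-reading script Simon describes above, written out as an added example (it is not code from the thread, from Shorewall or from Simon's own setup). It parses the output of "iptables -L account-ip -vxn", takes two samples some seconds apart and turns them into per-second packet and byte rates that can be handed to rrdtool as GAUGE values, so the box does only one fork per sample and never zeroes the counters. The chain name "account-ip", the two accounting rules and every counter value in the embedded samples are constructed assumptions; the one real detail it handles is that Shorewall's count-only accounting rules have no target, so that column is simply absent from the iptables listing and naive field splitting shifts the columns by one.

```python
#!/usr/bin/env python3
"""Low-overhead reading of Shorewall accounting counters (added example).

Not code from the mailing-list thread or from Shorewall. Parses
`iptables -L <chain> -vxn`, keeps one Counter per rule, and converts two
samples into per-second rates for rrdtool. Chain name, rules and counter
values in the samples below are constructed assumptions.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str, str, str, str]

# Constructed sample of `iptables -L account-ip -vxn` at time t0. The second
# data row is a count-only rule: Shorewall emits it with NO target column,
# which is why the parser below anchors on the option flags column instead
# of on fixed field positions.
SAMPLE_T0 = """\
Chain account-ip (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1000    120000 RETURN     udp  --  *      *       0.0.0.0/0            192.0.2.10           udp dpt:5060
    5000   1000000            udp  --  *      *       0.0.0.0/0            192.0.2.10           udp dpts:10000:20000
"""

# Constructed sample 60 s later. The RTP counter is LOWER than before,
# simulating a `shorewall restart` (counters zeroed) between the samples.
SAMPLE_T1 = """\
Chain account-ip (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1600    240000 RETURN     udp  --  *      *       0.0.0.0/0            192.0.2.10           udp dpt:5060
     300     60000            udp  --  *      *       0.0.0.0/0            192.0.2.10           udp dpts:10000:20000
"""


@dataclass(frozen=True)
class Counter:
    target: str   # "" for count-only rules (no target column printed at all)
    prot: str
    src: str
    dst: str
    extra: str    # match text after the destination, e.g. "udp dpt:5060"
    pkts: int
    bytes: int

    @property
    def key(self) -> Key:
        """Identity of the rule, independent of its counter values."""
        return (self.target, self.prot, self.src, self.dst, self.extra)


# iptables prints the option flags column as "--", "-f" or "!f"; it is the
# first column whose value is predictable, so we locate it and index from it.
_OPT_RE = re.compile(r"^(--|-f|!f)$")


def parse_counters(text: str) -> Dict[Key, Counter]:
    """Parse `iptables -L CHAIN -vxn` output into {rule key: Counter}."""
    out: Dict[Key, Counter] = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with two integers (-x gives exact, unscaled values);
        # the "Chain ..." and header lines do not and are skipped.
        if len(fields) < 8 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        opt_idx = next((i for i, f in enumerate(fields) if _OPT_RE.match(f)), None)
        if opt_idx is None or opt_idx < 3 or len(fields) < opt_idx + 5:
            continue
        # With a target:    pkts bytes TARGET prot opt in out src dst [extra...]
        # Without a target: pkts bytes        prot opt in out src dst [extra...]
        c = Counter(
            target=" ".join(fields[2:opt_idx - 1]),
            prot=fields[opt_idx - 1],
            src=fields[opt_idx + 3],
            dst=fields[opt_idx + 4],
            extra=" ".join(fields[opt_idx + 5:]),
            pkts=int(fields[0]),
            bytes=int(fields[1]),
        )
        out[c.key] = c
    return out


def rates(prev: Dict[Key, Counter], cur: Dict[Key, Counter],
          seconds: float) -> Dict[Key, Tuple[float, float]]:
    """Per-second (packets, bytes) for every rule present in both samples.

    A counter lower than in the previous sample means it was zeroed in
    between (shorewall restart, iptables -Z); the current value is then the
    whole delta. Doing this here and storing GAUGE values avoids the bogus
    spike rrdtool's COUNTER type produces when it treats a reset as a wrap.
    """
    if seconds <= 0:
        raise ValueError("sample interval must be positive")
    result: Dict[Key, Tuple[float, float]] = {}
    for key, now in cur.items():
        before = prev.get(key)
        if before is None:
            continue  # rule added since the last sample: no rate yet
        dp = now.pkts - before.pkts if now.pkts >= before.pkts else now.pkts
        db = now.bytes - before.bytes if now.bytes >= before.bytes else now.bytes
        result[key] = (dp / seconds, db / seconds)
    return result


def read_chain(chain: str = "account-ip") -> Dict[Key, Counter]:
    """One fork of iptables, no counter reset (needs root). Chain name assumed."""
    proc = subprocess.run(["iptables", "-L", chain, "-vxn"],
                          capture_output=True, text=True, check=True)
    return parse_counters(proc.stdout)


def rrd_update_args(rrdfile: str, rate: Tuple[float, float]) -> List[str]:
    """argv for rrdtool; assumes one RRD per rule with two GAUGE DSes (pps, Bps)."""
    return ["rrdtool", "update", rrdfile, f"N:{rate[0]:.3f}:{rate[1]:.3f}"]


if __name__ == "__main__":
    import sys
    import time
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        a = read_chain(); time.sleep(60); b = read_chain()
        r = rates(a, b, 60)
    else:  # offline demo on the constructed samples
        r = rates(parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1), 60)
    for key, (pps, bps) in r.items():
        print(f"{key[1]:4} {key[4] or 'any':22} {pps:8.2f} pkt/s {bps:12.2f} B/s")
```

Run it without arguments to see the rates computed from the embedded samples; with "--live" it takes two real samples a minute apart, which is the shape of the cron job that would feed rrdtool. On the SIP rule the deltas give 10 pkt/s and 2000 B/s; on the RTP rule the reset is detected and the rate is computed from the post-reset values alone rather than from a negative difference.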
