On 9/14/10 10:54 AM, Mr Dash Four wrote:
> OK, I was intrigued by earlier posts in the "VoIP, getting ICMP
> destination unreachable" thread and started digging up info on the above
> 2 modules and their use on Shorewall.
>
> I found a good starting-point reference here -
> http://wiki.freeswitch.org/wiki/Firewall, but I am still unclear as to
> the function of these two modules - what are they actually 'helping'
> with? The link gives brief information about the various module
> parameters, but they are a bit sketchy and apart from the "ports"
> parameter I am not completely clear what the rest of them mean?
Application designers are in love with the notion that they can embed IP
addresses and port numbers in packets sent to their peer with the
expectation that the peer will then return packets addressed to that
embedded address/port. This has been going on forever (think FTP).

That works fine until a stateful firewall is injected between the peers.
The firewall must then deal with these return connections without knowing
about them in advance. This is the purpose of Netfilter 'helpers'. These
helpers examine packets going through the firewall and create
"expectations"; an "expectation" is essentially a temporary "hole" in the
firewall in the form of a conntrack entry that will be matched by the
return or "related" connection. This allows expectations to properly
handle NAT as well as allowing passage through the firewall.

Helper modules are not autoloaded. When using the sample Shorewall
configurations, the generated firewall script loads all helper modules
during start/restart. You can suppress the loading of individual helpers
using the DONT_LOAD option in shorewall.conf.

I've written an example of how the FTP helper works at
http://www.shorewall.net/FTP.html. Other helpers are similar.

I have no direct experience with VOIP so there is no similar article on
the Shorewall site concerning SIP. From the list it is clear that some
people find that the SIP helpers actually break VOIP (See Shorewall FAQ
77) while others claim that the SIP helpers are essential.

Hope this helps.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
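To make the "expectation" mechanism Tom describes concrete, here is a small Python model of a stateful NAT firewall with an FTP-style helper. It is an added illustration, not code from this thread, from Shorewall or from Netfilter: the addresses (203.0.113.7, 10.0.0.5, 198.51.100.9), the port numbers and the packet/expectation classes are constructed for the example. It shows the control channel (PORT command) being inspected, the embedded private address being rewritten to the public one, a one-shot expectation being created for the server's data connection, and the same data connection being dropped when no helper is loaded. It also includes the sanity check a real helper needs: the embedded address must be the sender's own, otherwise a client could punch holes toward other LAN hosts.

```python
import re
from dataclasses import dataclass

# Constructed addresses (documentation / private ranges), not from the thread.
PUBLIC_IP = "203.0.113.7"    # firewall's external (SNAT) address
LAN_CLIENT = "10.0.0.5"      # FTP client behind the firewall
FTP_SERVER = "198.51.100.9"  # remote FTP server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""        # application data; only the control channel carries any


@dataclass(frozen=True)
class Expectation:
    dst: str                 # address the related connection will be sent to
    dport: int               # port it will be sent to
    internal: str            # the real LAN host it must be DNATed to


PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def ftp_helper(pkt, public_ip):
    """Model of the FTP conntrack helper: parse an active-mode PORT command,
    register an expectation for the server's data connection and rewrite the
    embedded private address to the firewall's public one (NAT mangling)."""
    m = PORT_RE.search(pkt.payload)
    if m is None:
        return pkt.payload, None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    addr, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    if addr != pkt.src:
        # Refuse to open a hole for a third host: the embedded address must be
        # the sender's own, or the control channel could expose other LAN hosts.
        return pkt.payload, None
    pub = public_ip.replace(".", ",")
    mangled = PORT_RE.sub(f"PORT {pub},{p1},{p2}\r\n", pkt.payload)
    return mangled, Expectation(dst=public_ip, dport=port, internal=addr)


class StatefulFirewall:
    def __init__(self, public_ip, helpers):
        self.public_ip = public_ip
        self.helpers = helpers       # {destination port: helper function}
        self.replies = {}            # reply 4-tuple -> internal host (conntrack table)
        self.expectations = []       # pending "holes" for RELATED connections

    def outbound(self, pkt):
        """LAN -> Internet: let a helper inspect the flow, track it, SNAT it."""
        payload, helper = pkt.payload, self.helpers.get(pkt.dport)
        if helper is not None and payload:
            payload, exp = helper(pkt, self.public_ip)
            if exp is not None:
                self.expectations.append(exp)
        # Remember the reply direction so the server's answers are ESTABLISHED.
        self.replies[(pkt.dst, pkt.dport, self.public_ip, pkt.sport)] = pkt.src
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport, payload)

    def inbound(self, pkt):
        """Internet -> LAN: accept only ESTABLISHED replies or RELATED connections."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.replies:
            return "ESTABLISHED", self.replies[key]
        for exp in self.expectations:
            if (exp.dst, exp.dport) == (pkt.dst, pkt.dport):
                # The expectation is consumed; the data connection becomes a
                # tracked flow of its own, DNATed to the internal host.
                self.expectations.remove(exp)
                self.replies[key] = exp.internal
                return "RELATED", exp.internal
        return "DROP", None


def run_scenario(with_helper):
    """Active-mode FTP through the firewall, with and without the helper loaded."""
    fw = StatefulFirewall(PUBLIC_IP, {21: ftp_helper} if with_helper else {})
    ctrl = Packet(LAN_CLIENT, 41000, FTP_SERVER, 21, "PORT 10,0,0,5,160,41\r\n")
    sent = fw.outbound(ctrl)                              # 160*256+41 = data port 41001
    data = Packet(FTP_SERVER, 20, PUBLIC_IP, 41001)       # server's active-mode connect
    first = fw.inbound(data)
    second = fw.inbound(data)                             # next packet of that data flow
    stray = fw.inbound(Packet(FTP_SERVER, 20, PUBLIC_IP, 5000))  # nothing expected it
    return {"port_line": sent.payload, "first": first, "second": second, "stray": stray}


if __name__ == "__main__":
    print("with helper:   ", run_scenario(True))
    print("without helper:", run_scenario(False))
```

With the helper loaded the server's data connection is classified RELATED, DNATed to the internal client and then tracked as ESTABLISHED; without it the very same packet is DROPped, which is exactly the failure Tom describes for embedded-address protocols behind a stateful firewall. A PORT command naming a different LAN host creates no expectation at all.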
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
