[email protected] wrote:
>I'm using Shorewall 4.0.6 on a Debian Etch server with kernel 2.6.24.
>The server is running asterisk 1.6 with a few IP Phones registered to the
>asterisk, on the internal Interface eth0. The server has indeed a public
>interface eth1 used by asterisk to connect to external SIP providers.
>Now, I simply can't prevent an external IP Phone from registering on my
>asterisk on interface eth1.
>I tried to stop the UDP traffic with this rule (rules file):
>
>DROP net:XX.XX.XX.XX fw udp 1024:65535
>
>Where XX.XX.XX.XX is the public IP address of the IP Phone. How could it be?
>
>The interface file looks like:
>
>net eth1 detect tcpflags,nosmurfs
>loc eth0 detect tcpflags,nosmurfs
>
>The policy file looks like:
>
>$FW all ACCEPT
>net $FW DROP info
>net loc DROP info
>net all DROP info
>all all REJECT info
Firstly, you only need to block port 5060 to stop SIP (assuming you aren't running a non-standard port). Also be aware that SIP can use TCP as well as UDP. But I see that your policies will drop the traffic anyway, so a drop rule is redundant.

As Tom has already pointed out, if the phone had a connection active before you invoked the firewall then that connection will remain open.

Also check your rules file for anything that might be explicitly permitting the traffic.

Lastly, check that you don't have anything configured on your Asterisk setup that might be sending outbound SIP packets to the device - that would be enough to create an open connection which would permit inbound traffic as well.

Not related to this, but make sure you use good strong passwords for your devices. We have to allow external access to our system at work to cater for home and mobile users - we regularly get brute force attacks, one day we had two separate attacks that overlapped!

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
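An added illustration of the two checks in Simon's reply, not code from the thread or from Shorewall: why a freshly added DROP rule does nothing for a flow already in the connection-tracking table, and what the rules-file lines look like once both SIP transports are covered. The addresses, the sample `conntrack -L` output and the presence of conntrack-tools are assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread or Shorewall itself: Shorewall rules
# act on packets that start a NEW flow, so a flow already in the conntrack table
# (the phone registered before the DROP rule existed, or Asterisk sent it a
# packet first) keeps matching as ESTABLISHED and sails past the rule.
# Assumptions: conntrack-tools is installed; all addresses below are constructed.

# Constructed stand-in for `conntrack -L` output (run as root on the real box).
SAMPLE_CONNTRACK='udp      17 179 src=203.0.113.45 dst=198.51.100.10 sport=5060 dport=5060 src=198.51.100.10 dst=203.0.113.45 sport=5060 dport=5060 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.10 sport=41234 dport=5060 src=198.51.100.10 dst=192.168.1.20 sport=5060 dport=41234 [ASSURED] mark=0 use=1
udp      17 29 src=203.0.113.45 dst=198.51.100.10 sport=16384 dport=10000 [UNREPLIED] src=198.51.100.10 dst=203.0.113.45 sport=10000 dport=16384 mark=0 use=1'

# Flows that originated from the IP in $1 and have been answered by the server
# ([UNREPLIED] absent): these are the ones a new DROP rule will not touch.
live_flows_from() {
    printf '%s\n' "$SAMPLE_CONNTRACK" |
        awk -v ip="$1" 'index($0, "src=" ip " ") && !/\[UNREPLIED\]/'
}

# Number of such flows; non-zero means the stale state has to be cleared
# (conntrack-tools: `conntrack -D -s <ip>`) before the rule takes effect.
live_flow_count() {
    live_flows_from "$1" | wc -l | tr -d ' '
}

# Rules-file lines in the same column layout the original post used, covering
# both transports SIP can run over rather than the UDP ephemeral range alone.
sip_block_rules() {
    printf 'DROP\tnet:%s\tfw\tudp\t5060\n' "$1"
    printf 'DROP\tnet:%s\tfw\ttcp\t5060\n' "$1"
}

# Stand-alone run: report on the constructed phone address.
PHONE_IP=203.0.113.45
echo "live flows from $PHONE_IP: $(live_flow_count "$PHONE_IP")"
sip_block_rules "$PHONE_IP"
```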
