On 07/13/2012 09:41 AM, Pedro Bulach Gapski wrote:
> Hello shorewall-users,
>
> I am running shorewall 4.4.11.6 on debian squeeze. It seems that some
> packages are not masqueraded and I am not sure why.
>
> My masq file is as follows:
> eth1                  10.232.0.0/16
> ppp0          10.232.0.0/16
>
> Here is one excerpt from a package trace from eth1. It shows one of the
> internal boxes trying to register 2 different SIP accounts:
> 989.063344 189.61.199.178 -> 217.9.36.145 SIP Request: REGISTER sip:iptel.org
> 989.065124   10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
> 989.325070 217.9.36.145 -> 189.61.199.178 SIP Status: 401 Unauthorized    (0 bindings)
> 989.523246 189.61.199.178 -> 217.9.36.145 SIP Request: REGISTER sip:iptel.org
> 989.779081 217.9.36.145 -> 189.61.199.178 SIP Status: 200 OK    (1 bindings)
> 990.060768   10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
> 990.064791   10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
> 991.061014   10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
> 991.065030   10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
> 992.061244   10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
>
> Notice that the first package is masqueraded, but the second is not.
>
> I ask for advice in understanding what is going on.

Your VOIP devices are attempting to connect to the network before 
Shorewall is brought up. That causes conntrack entries without NAT to be 
created. The best way to avoid that is to install and configure 
Shorewall-init so that the connections are rejected until Shorewall starts.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
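
A check for the condition described in the reply above, as an added example that is not part of the original thread or Shorewall's own code: it scans `conntrack -L` style output for flows leaving the masq file's 10.232.0.0/16 whose reply tuple still targets the internal address, meaning the entry was created without NAT. The sample lines are constructed (addresses taken from the quoted trace; ports, timeouts and flags are assumptions).

```python
import ipaddress
import re

# Internal network from the masq file quoted in the thread.
INTERNAL_NET = ipaddress.ip_network("10.232.0.0/16")

# Constructed sample in `conntrack -L` format. Ports, timeouts and flags are
# made up; the addresses are the ones that appear in the quoted trace.
SAMPLE = """\
udp      17 170 src=10.232.0.9 dst=217.9.36.145 sport=5062 dport=5060 src=217.9.36.145 dst=189.61.199.178 sport=5060 dport=5062 [ASSURED] mark=0 use=1
udp      17 29 src=10.232.0.9 dst=201.86.87.36 sport=5060 dport=5060 [UNREPLIED] src=201.86.87.36 dst=10.232.0.9 sport=5060 dport=5060 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.232.0.9 dst=10.232.0.1 sport=40022 dport=22 src=10.232.0.1 dst=10.232.0.9 sport=22 dport=40022 [ASSURED] mark=0 use=1
"""

ADDR = re.compile(r"\b(src|dst)=(\S+)")


def unnatted_flows(conntrack_output, internal=INTERNAL_NET):
    """Return (proto, src, dst) for flows leaving `internal` without SNAT."""
    stale = []
    for line in conntrack_output.splitlines():
        addrs = ADDR.findall(line)
        # Expect original src/dst followed by reply src/dst.
        if [key for key, _ in addrs[:4]] != ["src", "dst", "src", "dst"]:
            continue
        try:
            orig_src, orig_dst, _reply_src, reply_dst = (
                ipaddress.ip_address(value) for _, value in addrs[:4]
            )
        except ValueError:
            continue  # not an address we can parse; skip the line
        leaves_lan = orig_src in internal and orig_dst not in internal
        # With masquerading, the reply is addressed to the firewall's public
        # address. If it is still addressed to the internal host, the entry
        # carries no source NAT.
        if leaves_lan and reply_dst == orig_src:
            stale.append((line.split()[0], str(orig_src), str(orig_dst)))
    return stale


if __name__ == "__main__":
    for proto, src, dst in unnatted_flows(SAMPLE):
        print(f"no NAT on {proto} flow {src} -> {dst}")
```

On a live firewall the same function can be fed the text printed by `conntrack -L` instead of `SAMPLE`.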



_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
