On 06/19/2017 08:16 PM, Ian Jones wrote:
>
> On 20/06/2017 at 01:48, Ryan Joiner wrote:
>>
>>
>> On 6/19/2017 1:57 PM, Ian Jones wrote:
>>>
>>> I am becoming more convinced that this is a nat issue, since I have
>>> installed Asterisk on the firewall itself, and it seems to run
>>> normally with no issues when restarting. The feedback from the
>>> Asterisk peer support site was that: Asterisk is sending OPTIONs, but
>>> the peer is not replying, or the request or replies are getting lost,
>>> in the network. Possibly an automatic NAT or firewall rule has timed
>>> out. There is no evidence of anything wrong with Asterisk.
>>>
>>> Is there any way to specify the UDP connection timeout?
>>>
>>> Regards
>>>
>>> Ian
>>>
>>>
>> Ian,
>> I should have looked at your dump first. I see the helpers are still
>> loaded despite you telling them to not load. That could be because
>> something other than shorewall loaded them.
>>
>> I know on CentOS it is rmmod "module", so rmmod nf_conntrack_sip. I'm
>> not so sure for Debian. Maybe it is:
>>
>> modprobe -r nf_conntrack_sip
>> modprobe -r nf_nat_sip
>>
>> Then see if the remote extensions magically reconnect.
>>
>> Ryan - JLink Communications
>>
>> ------------------------------------------------------------------------------
>>
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
> Ryan,
>
> thanks for the suggestions. I have tried with and without the sip
> helpers, by setting DONT_LOAD=nf_nat_sip,nf_conntrack_sip and by
> removing the modules. It doesn't seem to make any difference, but I will
> check again.
>
Setting DONT_LOAD is not enough. You must also

a) set HELPERS in shorewall.conf to specify the helpers that you want.
b) set AUTOHELPERS=No
c) Either use macros for all traffic that you want to use helpers for,
   or add the appropriate entries to /etc/shorewall/conntrack.

And yes -- I need to update the FAQ with this information.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
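A check for the state described in this thread, as an added example that is not part of the original messages or of Shorewall: it reads a shorewall.conf and a /proc/modules-style listing and reports whether DONT_LOAD, HELPERS and AUTOHELPERS are set as described above for a firewall that does not want the SIP helper, and whether the SIP modules are still loaded. The function names, the sample files and the case-insensitive match on `No` are assumptions; step c) is not checked.

```shell
#!/bin/bash
# Added example (not from the thread): audit the SIP-helper settings discussed above.

# Print the value of OPTION in a shorewall.conf-style file: last assignment
# wins; a trailing comment and surrounding double quotes are removed.
conf_value() {  # usage: conf_value FILE OPTION
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# Succeed if the comma-separated LIST contains ITEM.
list_has() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# Print one line per check; the exit status is the number of failed checks.
audit_sip_helper() {  # usage: audit_sip_helper SHOREWALL_CONF MODULES_FILE
    local conf="$1" modules="$2" failed=0 dont helpers auto
    dont=$(conf_value "$conf" DONT_LOAD)
    helpers=$(conf_value "$conf" HELPERS)
    # Assumption: the Yes/No value is compared case-insensitively.
    auto=$(conf_value "$conf" AUTOHELPERS | tr '[:upper:]' '[:lower:]')

    if list_has "$dont" nf_conntrack_sip && list_has "$dont" nf_nat_sip; then
        echo "ok:   DONT_LOAD names both SIP modules"
    else echo "FAIL: DONT_LOAD must name nf_conntrack_sip and nf_nat_sip"; failed=$((failed + 1)); fi

    if [ -n "$helpers" ] && ! list_has "$helpers" sip; then
        echo "ok:   HELPERS is set and leaves out sip"
    else echo "FAIL: HELPERS is unset or still includes sip"; failed=$((failed + 1)); fi

    if [ "$auto" = no ]; then echo "ok:   AUTOHELPERS=No"
    else echo "FAIL: AUTOHELPERS is not No"; failed=$((failed + 1)); fi

    # /proc/modules format: the module name is the first space-separated field.
    if grep -Eq '^(nf_conntrack_sip|nf_nat_sip) ' "$modules"; then
        echo "FAIL: a SIP helper module is still loaded"; failed=$((failed + 1))
    else echo "ok:   no SIP helper module loaded"; fi
    return "$failed"
}

# Constructed sample: only DONT_LOAD is set and the modules are still loaded.
demo=$(mktemp -d)
printf '%s\n' 'DONT_LOAD=nf_nat_sip,nf_conntrack_sip' 'AUTOHELPERS=Yes' 'HELPERS=' >"$demo/shorewall.conf"
printf '%s\n' 'nf_nat_sip 16384 0 - Live 0x0' 'nf_conntrack_sip 28672 1 nf_nat_sip, Live 0x0' >"$demo/modules"
audit_sip_helper "$demo/shorewall.conf" "$demo/modules" || echo "failed checks: $?"
rm -rf "$demo"
```

On a live firewall the arguments would be /etc/shorewall/shorewall.conf and /proc/modules.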
