Hi,

I recently moved from AUTOHELPERS=Yes to AUTOHELPERS=No in my shorewall
configuration and while I've got it working, I still don't fully
understand how the manual helper assignment is supposed to be done 
correctly or why I needed to make one change in particular.

So, with AUTOHELPERS=Yes, the following rules in shorewall6/rules were
sufficient to get VOIP working:
  ACCEPT          voip            net             udp     3478,5060
  ACCEPT          net             voip            udp     5060
  
(Note: This is shorewall6, so NAT is not involved here.)
  
After setting AUTOHELPERS=No, I added a HELPER line for sip. But that
didn't seem to be sufficient. Signaling worked, but the audio stream
was blocked when using one of my two SIP providers. Only after adding
another accept rule for outgoing traffic could I get VOIP calls with
both providers working again. Now my rules look like this:
  HELPER          voip            -               udp     5060    { helper=sip }
  ACCEPT          voip            net             udp     3478,5060
  ACCEPT          voip            net             udp     -       7078-7097
  ACCEPT          net             voip            udp     5060

The UDP port range 7078-7079 is what my SIP device's documentation
recommends opening in the firewall. But I don't understand why this rule
was not necessary when AUTOHELPERS=Yes was used, but seems to be
necessary when I try to assign the HELPER manually.

Can someone explain this change in behavior? Or how do I attach the
HELPER manually to replicate the behavior of AUTOHELPERS?

For the record: I've also tried using both ports 3478 and 5060 in the
HELPER rule, but that didn't make a difference. The other helper-
related settings in my shorewall configuration (both shorewall and
shorewall6) are HELPERS=sip and LOAD_HELPERS_ONLY=Yes.

And one more question regarding the documentation:
The man page shorewall-rules says:
  "No destination zone should be specified in HELPER rules."

But the page http://shorewall.org/Helpers.html shows an example
rule at the end that has the DEST zone set:
  HELPER        all     net     tcp     21      ; helper=ftp

Is that a mistake or can the DEST zone be specified in HELPER rules?
In general, I'd like my rules to be as specific as possible, so,
naturally, I'd have specified net as the DEST zone of my sip HELPER
rule, but I didn't because of the statement in the man page.

Thanks!

Kind regards,

Timo


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
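As an added example, not part of Timo's message and not Shorewall's own tooling, here is a small diagnostic a practitioner would run on the firewall while chasing exactly this symptom (signalling works, media does not): it reads the flow listing printed by conntrack(8) and reports, for every UDP flow whose original-direction destination port is 5060, whether the kernel actually attached the sip helper. A SIP flow that shows up as "missing" will never produce RTP expectations, which is the situation in which the media ports have to be opened by hand. The sample flows and addresses are constructed for the demo; the assumed line layout (protocol name and number, timeout, original and reply tuples, then `helper=<name>` when a helper is bound) is what conntrack-tools prints.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post or from Shorewall.
# Given `conntrack -L` output on stdin, report every UDP flow whose
# original-direction destination port is 5060 (SIP signalling) and say
# whether the sip helper is attached to it.
#
# Live use (IPv6, as in the post):   conntrack -L -f ipv6 | check_sip_helper
# conntrack(8) prints "helper=<name>" on flows that carry a helper.

# Prints one line per matching flow: "<ok|missing> <original line>".
check_sip_helper() {
    awk '
        # conntrack(8) starts each line with the L4 protocol name and number
        # (optionally preceded by the L3 name and number when layer 3 is shown).
        /^(ipv[46] +[0-9]+ +)?udp +17 / {
            # The first "dport=" on the line belongs to the original tuple.
            n = index($0, "dport=")
            if (n == 0) next
            split(substr($0, n + 6), f, " ")
            if (f[1] != "5060") next
            status = ($0 ~ /helper=sip/) ? "ok" : "missing"
            print status, $0
        }
    '
}

# Number of SIP flows without the helper; a one-number health check.
count_missing() {
    check_sip_helper | grep -c '^missing '
}

# Constructed sample (addresses from the documentation prefix 2001:db8::/32):
#  1. outbound REGISTER/INVITE from the voip zone, helper attached
#  2. inbound call from a provider, helper NOT attached
#  3. an RTP flow on 7078, not a signalling flow, ignored by the check
SAMPLE='udp      17 29 src=2001:db8:1::10 dst=2001:db8:2::5 sport=5060 dport=5060 src=2001:db8:2::5 dst=2001:db8:1::10 sport=5060 dport=5060 [ASSURED] mark=0 helper=sip use=1
udp      17 17 src=2001:db8:2::5 dst=2001:db8:1::10 sport=5060 dport=5060 src=2001:db8:1::10 dst=2001:db8:2::5 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 170 src=2001:db8:1::10 dst=2001:db8:2::5 sport=7078 dport=7078 src=2001:db8:2::5 dst=2001:db8:1::10 sport=7078 dport=7078 mark=0 use=1'

# Demo run on the constructed sample when executed as `sh script.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | check_sip_helper
    printf 'flows on 5060 without helper=sip: %s\n' \
        "$(printf '%s\n' "$SAMPLE" | count_missing)"
fi
```

Run it during a call with each of the two providers; a flow reported as "missing" for one provider but "ok" for the other points at the HELPER rule not matching that direction of signalling. `conntrack -L expect` lists the expectations the helper has created, so an empty expectation table while a call is ringing is the same symptom seen from the other side.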
