[Asterisk-Users] IAX and Firewall

tim panton tpanton at attglobal.net
Fri Nov 18 15:58:55 MST 2005


On 18 Nov 2005, at 22:01, Piotr A. Sygula wrote:

> If teliax ever wants to connect to your asterisk box, as in if they're
> providing a DID for you, you will need to allow teliax through the firewall.
> If you're the one originating the connection to them, you don't need to open
> the ingress port.
>
>> I don't believe so. By registering with the remote server,
>> you are giving them the NAT port to get back into your
>> server with. All communications will take place on that
>> port.
>
> Registration has nothing to do with NAT.  The key here is which side
> initiates the connection.  Of course this is all under the assumption that
> Joseph's firewall is stateful.

Ah, but registration does have something to do with it.
Classic IAX re-registers often enough to keep a 'udp connection' (ugh)
open through most domestic stateful firewalls.

Put another way, Joseph's Asterisk is sending out UDP packets to teliax every
300 seconds (say) (either to register or these days to 'qualify' the link).
The firewall sees any inbound IAX packets from teliax as part of that
conversation and passes them in to Asterisk.

This fails if both the re-registration and qualify periods are longer than the
time Joseph's firewall keeps the udp state.

As to how to debug the original problem, get the firewall to log filtered
packets and see if any are from teliax. Also turn on IAX debugging and send us
the relevant logs.

Tim.
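
The timing argument above, as an added example that is not part of the original post: a minimal model of a stateful firewall's UDP state table, showing when an inbound call from the provider is passed or dropped. The timeout values, the provider address and all function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: int          # seconds since the firewall started tracking
    direction: str  # "out" = Asterisk -> provider, "in" = provider -> Asterisk
    peer: str       # provider address (constructed, documentation range)


def filter_inbound(packets, udp_timeout):
    """Return (packet, verdict) for each inbound packet.

    Inbound UDP is admitted only while a state entry for that peer is
    still alive, i.e. the last tracked packet is newer than udp_timeout.
    """
    last_seen = {}  # peer -> time of the last packet that refreshed the entry
    verdicts = []
    for p in sorted(packets, key=lambda p: p.t):
        alive = p.peer in last_seen and p.t - last_seen[p.peer] < udp_timeout
        if p.direction == "out":
            last_seen[p.peer] = p.t       # outbound creates or refreshes state
        elif alive:
            last_seen[p.peer] = p.t       # matching inbound traffic refreshes it too
            verdicts.append((p, "pass"))
        else:
            verdicts.append((p, "drop"))  # no live state: treated as unsolicited
    return verdicts


def keepalives(interval, until, peer):
    """Outbound register/qualify packets every `interval` seconds."""
    return [Packet(t, "out", peer) for t in range(0, until + 1, interval)]


def inbound_call_verdict(keepalive_interval, udp_timeout, call_at,
                         peer="198.51.100.10"):
    """Verdict for one inbound call arriving `call_at` seconds in."""
    trace = keepalives(keepalive_interval, call_at, peer)
    trace.append(Packet(call_at, "in", peer))
    return filter_inbound(trace, udp_timeout)[-1][1]


if __name__ == "__main__":
    # Constructed scenario: firewall keeps UDP state for 30 s.
    for interval, call_at in [(300, 200), (300, 310), (20, 200)]:
        print(interval, call_at, inbound_call_verdict(interval, 30, call_at))
```

With a 300-second interval and a 30-second state timeout, inbound calls get through only in the short window after each registration, which shows up as intermittent failures rather than a consistent block.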
