[Asterisk-Users] IAX and Firewall
Rich Adamson
radamson at routers.com
Sat Nov 19 06:22:20 MST 2005
He was just using 300 as an example. IAX is rather chatty in that it
does the equivalent of a keep-alive every 60 seconds (give or take a
few seconds).
------------------------
> 300 seconds is a mighty long time to keep state on a udp connection. Our
> firewalls time out udp states in 2 seconds of inactivity. But your
> point is valid and taken...
>
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of tim panton
> Sent: Friday, November 18, 2005 4:59 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [Asterisk-Users] IAX and Firewall
>
>
> On 18 Nov 2005, at 22:01, Piotr A. Sygula wrote:
>
> > If teliax ever wants to connect to your asterisk box, as in if they're
> > providing a DID for you, you will need to allow teliax through the
> > firewall.
> > If you're the one originating the connection to them, you don't need
> > to open the ingress port.
> >
> >> I don't believe so. By registering with the remote server,
> >> you are giving them the NAT port to get back into your
> >> server with. All communications will take place on that
> >> port.
> >
> > Registration has nothing to do with NAT. The key here is which side
> > initiates the connection. Of course this is all under the assumption
> > that Joseph's firewall is stateful.
>
> Ah, but registration does have something to do with it.
> Classic IAX re-registers often enough to keep a 'udp connection' (ugh)
> open through most domestic stateful firewalls.
>
> Put another way, Joseph's Asterisk is sending out UDP packets to teliax
> every 300 seconds (say) (either to register or these days to 'qualify'
> the link). The firewall sees any inbound IAX packets from teliax as part
> of that conversation and passes them in to Asterisk.
>
> This fails if both the re-registration and qualify periods are longer
> than the time Joseph's firewall keeps the udp state.
>
> As to how to debug the original problem, get the firewall to log
> filtered packets and see if any are from teliax. Also turn on IAX
> debugging and send us the relevant logs.
>
> Tim.
> _______________________________________________
> --Bandwidth and Colocation sponsored by Easynews.com --
>
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
---------------End of Original Message-----------------
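
The timing argument in this thread, as an added example that is not part of the original messages: a minimal model of a stateful firewall's UDP state table, showing which inbound packets from the provider pass for a given idle timeout and keep-alive interval. The class and function names and the addresses are constructed for illustration; the model assumes a permitted inbound packet refreshes the entry and does not model the provider's replies to keep-alives.

```python
IAX_PORT = 4569  # IANA-registered IAX2 UDP port


class UdpStateTable:
    """Hypothetical model of a stateful firewall's UDP flow tracking."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout  # seconds an idle flow is remembered
        self.last_seen = {}               # (inside, outside) -> last packet time

    def outbound(self, now, inside, outside):
        # Outbound traffic is allowed and creates or refreshes the flow entry.
        self.last_seen[(inside, outside)] = now
        return True

    def inbound(self, now, outside, inside):
        # Inbound traffic passes only if it matches an unexpired flow entry.
        key = (inside, outside)
        seen = self.last_seen.get(key)
        if seen is None or now - seen > self.idle_timeout:
            self.last_seen.pop(key, None)   # expired: the packet is filtered
            return False
        self.last_seen[key] = now           # assumption: replies refresh state
        return True


def simulate(idle_timeout, keepalive_every, inbound_times, duration=900):
    """Return {time: passed} for inbound packets arriving from the provider."""
    fw = UdpStateTable(idle_timeout)
    pbx = ("192.0.2.10", IAX_PORT)          # constructed address (RFC 5737)
    provider = ("198.51.100.20", IAX_PORT)  # constructed address (RFC 5737)
    events = [(t, "out") for t in range(0, duration, keepalive_every)]
    events += [(t, "in") for t in inbound_times]
    results = {}
    for t, kind in sorted(events):
        if kind == "out":
            fw.outbound(t, pbx, provider)
        else:
            results[t] = fw.inbound(t, provider, pbx)
    return results


if __name__ == "__main__":
    # 60 s keep-alive against a 30 s timeout: a packet 40 s after the last
    # keep-alive is filtered, which is what the firewall log would show.
    print(simulate(idle_timeout=30, keepalive_every=60, inbound_times=[20, 100]))
    # 300 s interval against a 180 s timeout: state has expired by t=250.
    print(simulate(idle_timeout=180, keepalive_every=300, inbound_times=[250]))
```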