[asterisk-users] problems with natted phones
Duncan Turnbull
duncan at e-simple.co.nz
Fri Sep 10 16:28:19 CDT 2021
> On 11/09/2021, at 2:54 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>
> Hello,
>
> thanks you very much for your effort. Without your help I would never
> realize the problem lies in the firewall.
>
> But what do you mean by the doubt that it is bug? You mean it should
> be configured another way? I do not claim my configuration is correct.
> I am also new to nftables. But I do not think opening the wide port
> range is a solution. The nftables runs on the asterisk server itself.
The reason I don’t use sip algs is because they have a have a function that isn’t required. And a complexity that messes things up. No exploit has yet been found for rtp for 20 years and it has been open to the world. For whatever reason you can’t get your head around this being a valid option so then you are jumping to a bug when you freely admit your lack of familiarity
This may be your scenario
https://unix.stackexchange.com/questions/461320/nf-conntrack-sip-does-not-work-sometimes-restarting-iptables-usually-fixes-it
You are adding a dependency on the firewall that you don’t need using configuration you are not sure of. That is never a reliable situation to be in.
Why would nftables have a bug? Many people use it around the world and it works well. What is the likelihood of a bug in this scenario
The alternative is a misconfiguration, and you are not very familiar with the configuration and new to nftables. Which one is more likely?
The above issue sounds like yours but it could be something else
You can research and find the config error, or somehow you can prove a bug or you can remove the issue by just allowing rtp through
All of these are your choices. To me the config error is most likely as I have very rarely found a bug. It’s almost always config
>
> Marek
>
>
> 2021-09-10 1:19 GMT+02:00, Duncan Turnbull <duncan at e-simple.co.nz>:
>>
>>
>>>> On 10/09/2021, at 4:37 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>>
>>> There are other systems running on the same hardware. It would just
>>> leave open ports here.
>>>
>>> Do not compare SIP ALG on a closed source device to an opensource
>>> software with active development. I had no such problems in the past
>>> when using iptables. The nftables is a pretty new software, so some
>>> bugs could be present and I accept. I just wanted to be sure I am not
>>> doing anything wrong. Now I am pretty sure it is a bug.
>>
>> I very much doubt it’s a bug, but that’s your choice to pursue that
>>
>> You ask for help but perhaps you are not wanting to listen
>>
>> If you open your asterisk rtp ports in your firewall then you are following
>> pretty much what everyone else does.
>>
>> Otherwise you are letting another device interfere with your Sip
>> transactions and we have already shown that’s a bad idea. Makes no
>> difference whether it’s open source or not.
>>
>> But up to you
>>
>>>
>>> Thanks
>>>
>>> Marek
>>>
>>>
>>> 2021-09-09 18:30 GMT+02:00, Administrator <admin at tootai.net>:
>>>>
>>>>> Le 09/09/2021 à 18:15, Marek Greško a écrit :
>>>>> There is always some risk. If there is a solution that should work, it
>>>>> is best to use it. We just need the root cause, why it fails
>>>>> sometimes.
>>>>
>>>> Like SIP ALG ? ;) Please explain which risk are existing if there is
>>>> nothing listening on those ports ?
>>>>
>>>>>
>>>>>
>>>>> 2021-09-09 18:01 GMT+02:00, Antony Stone
>>>>> <Antony.Stone at asterisk.open.source.it>:
>>>>>> On Thursday 09 September 2021 at 17:56:10, Marek Greško wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I would not like to open whole range of udp ports for rtp.
>>>>>> Why not? What is the risk?
>>>>>>
>>>>>> What would possibly be listening on UDP ports 10000 - 20000 (the
>>>>>> Asterisk
>>>>>> default range) which an external scanner / attacker could make use of?
>>>>
>>>> --
>>>> Daniel
>>>>
>>>> --
>>>> _____________________________________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>
>>>> Check out the new Asterisk community forum at:
>>>> https://community.asterisk.org/
>>>>
>>>> New to Asterisk? Start here:
>>>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>
>>>> asterisk-users mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>
>>> Check out the new Asterisk community forum at:
>>> https://community.asterisk.org/
>>>
>>> New to Asterisk? Start here:
>>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> Check out the new Asterisk community forum at:
>> https://community.asterisk.org/
>>
>> New to Asterisk? Start here:
>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at: https://community.asterisk.org/
>
> New to Asterisk? Start here:
> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20210911/dc76175e/attachment.html>
More information about the asterisk-users
mailing list