[asterisk-users] problems with natted phones

Marek Greško mgresko8 at gmail.com
Sat Sep 11 10:21:03 CDT 2021


Hello,

I already read the scenario you pointed to. It is not really the same;
as you can see in the rules I sent before, I have CT in both directions.

Related to a configuration error, I am 99% sure the configuration is
correct. It was generated by an automatic tool and then slightly edited
and reviewed by an nftables guru. I do admit that there could be some
configuration error. Maybe some race condition in systemd - wrong
dependencies or something like that. I do not know. But I am sure I
will find it eventually (or suffer longer).

The reasoning that many people use it and they would notice is invalid. I hit a
bug in PMTU discovery several months ago, and no one was complaining at
all. The bug is now fixed, so it is pretty probable it is a bug.

The reasoning that no exploit has been found in RTP for 20 years is
invalid. We are not talking about bugs in RTP. We are talking about
open ports that an application local to the Asterisk server could use. So many
backdoors can be open. Believe me. It is not secure. Maybe it is
acceptable on a dedicated Asterisk box, but not on a multi-purpose
server.

Marek


2021-09-10 23:28 GMT+02:00, Duncan Turnbull <duncan at e-simple.co.nz>:
>
>
>> On 11/09/2021, at 2:54 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>
>> Hello,
>>
>> thank you very much for your effort. Without your help I would never
>> have realized the problem lies in the firewall.
>>
>> But what do you mean by the doubt that it is a bug? You mean it should
>> be configured another way? I do not claim my configuration is correct.
>> I am also new to nftables. But I do not think opening a wide port
>> range is a solution. nftables runs on the Asterisk server itself.
>
> The reason I don’t use SIP ALGs is because they have a function that
> isn’t required, and a complexity that messes things up. No exploit has yet
> been found for RTP in 20 years and it has been open to the world. For
> whatever reason you can’t get your head around this being a valid option, so
> then you are jumping to a bug when you freely admit your lack of familiarity.
>
>
> This may be your scenario
>
> https://unix.stackexchange.com/questions/461320/nf-conntrack-sip-does-not-work-sometimes-restarting-iptables-usually-fixes-it
>
> You are adding a dependency on the firewall that you don’t need using
> configuration you are not sure of. That is never a reliable situation to be
> in.
>
> Why would nftables have a bug? Many people use it around the world and it
> works well. What is the likelihood of a bug in this scenario
>
> The alternative is a misconfiguration, and you are not very familiar with
> the configuration and new to nftables. Which one is more likely?
>
> The above issue sounds like yours but it could be something else
>
> You can research and find the config error, or somehow you can prove a bug
> or you can remove the issue by just allowing rtp through
>
> All of these are your choices. To me the config error is most likely as I
> have very rarely found a bug. It’s almost always config
>
>>
>> Marek
>>
>>
>> 2021-09-10 1:19 GMT+02:00, Duncan Turnbull <duncan at e-simple.co.nz>:
>>>
>>>
>>>>> On 10/09/2021, at 4:37 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>>>
>>>> There are other systems running on the same hardware. It would just
>>>> leave open ports here.
>>>>
>>>> Do not compare SIP ALG on a closed-source device to open-source
>>>> software with active development. I had no such problems in the past
>>>> when using iptables. nftables is pretty new software, so some
>>>> bugs could be present, and I accept that. I just wanted to be sure I am not
>>>> doing anything wrong. Now I am pretty sure it is a bug.
>>>
>>> I very much doubt it’s a bug, but that’s your choice to pursue that
>>>
>>> You ask for help but perhaps you are not wanting to listen
>>>
>>> If you open your Asterisk RTP ports in your firewall then you are
>>> following pretty much what everyone else does.
>>>
>>> Otherwise you are letting another device interfere with your Sip
>>> transactions and we have already shown that’s a bad idea. Makes no
>>> difference whether it’s open source or not.
>>>
>>> But up to you
>>>
>>>>
>>>> Thanks
>>>>
>>>> Marek
>>>>
>>>>
>>>> 2021-09-09 18:30 GMT+02:00, Administrator <admin at tootai.net>:
>>>>>
>>>>>> On 09/09/2021 at 18:15, Marek Greško wrote:
>>>>>> There is always some risk. If there is a solution that should work,
>>>>>> it is best to use it. We just need the root cause, why it fails
>>>>>> sometimes.
>>>>>
>>>>> Like SIP ALG? ;) Please explain which risks exist if there is
>>>>> nothing listening on those ports?
>>>>>
>>>>>>
>>>>>>
>>>>>> 2021-09-09 18:01 GMT+02:00, Antony Stone
>>>>>> <Antony.Stone at asterisk.open.source.it>:
>>>>>>> On Thursday 09 September 2021 at 17:56:10, Marek Greško wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I would not like to open whole range of udp ports for rtp.
>>>>>>> Why not?  What is the risk?
>>>>>>>
>>>>>>> What would possibly be listening on UDP ports 10000 - 20000 (the
>>>>>>> Asterisk default range) which an external scanner / attacker could
>>>>>>> make use of?
>>>>>
>>>>> --
>>>>> Daniel
>>>>>
>>>>> --
>>>>> _____________________________________________________________________
>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>
>>>>> Check out the new Asterisk community forum at:
>>>>> https://community.asterisk.org/
>>>>>
>>>>> New to Asterisk? Start here:
>>>>>     https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>
>>>>> asterisk-users mailing list
>>>>> To UNSUBSCRIBE or update options visit:
>>>>>  http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>
>>>
>>
>
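As an added illustration of the multi-purpose-server concern Marek raises above, and of Antony's question about what could be listening in the range, here is a small shell check (not code from the thread) that reports UDP listeners inside the Asterisk default RTP range 10000-20000 that do not belong to Asterisk. The `ss -ulnp` sample is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example: list non-Asterisk UDP listeners inside the default RTP range.
# Parses lines in `ss -ulnp` format (iproute2); the sample below is constructed.

RTP_LOW=10000
RTP_HIGH=20000

# Constructed sample in `ss -ulnp` layout (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5060      0.0.0.0:*     users:(("asterisk",pid=812,fd=15))
UNCONN 0      0      0.0.0.0:10002     0.0.0.0:*     users:(("asterisk",pid=812,fd=31))
UNCONN 0      0      0.0.0.0:12345     0.0.0.0:*     users:(("python3",pid=2210,fd=3))
UNCONN 0      0      [::]:19999        [::]:*        users:(("node",pid=3001,fd=22))
UNCONN 0      0      127.0.0.1:53      0.0.0.0:*     users:(("dnsmasq",pid=401,fd=5))'

# foreign_rtp_listeners: read ss-style lines on stdin and print "port process"
# for every listener whose local port is inside the RTP range and whose owning
# process is not asterisk. These are the sockets a blanket firewall allow would
# expose on a shared host.
foreign_rtp_listeners() {
    awk -v lo="$RTP_LOW" -v hi="$RTP_HIGH" '
        NR == 1 { next }                          # skip the header line
        {
            port = $4; sub(/.*:/, "", port)      # keep only the port (v4 or [v6])
            proc = ""
            if (match($0, /users:\(\("[^"]+"/))  # users:(("name",...
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (port + 0 >= lo && port + 0 <= hi && proc != "asterisk")
                print port, proc
        }'
}

# check_sample: run the check over the constructed sample (offline).
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | foreign_rtp_listeners
}

# check_live: run the same check against the host this script runs on.
check_live() {
    ss -ulnp | foreign_rtp_listeners
}
```

An empty result from `check_live` on a dedicated Asterisk box is the case where a static allow of the range exposes nothing else; any line printed is a socket that the same rule would also expose.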
