<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"><br></div><div dir="ltr"><br><blockquote type="cite">On 11/09/2021, at 2:54 AM, Marek Greško <mgresko8@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Hello,</span><br><span></span><br><span>thanks you very much for your effort. Without your help I would never</span><br><span>realize the problem lies in the firewall.</span><br><span></span><br><span>But what do you mean by the doubt that it is bug? You mean it should</span><br><span>be configured another way? I do not claim my configuration is correct.</span><br><span>I am also new to nftables. But I do not think opening the wide port</span><br><span>range is a solution. The nftables runs on the asterisk server itself.</span><br></div></blockquote><div><br></div><div>The reason I don’t use sip algs is because they have a have a function that isn’t required. And a complexity that messes things up. No exploit has yet been found for rtp for 20 years and it has been open to the world. For whatever reason you can’t get your head around this being a valid option so then you are jumping to a bug when you freely admit your lack of familiarity </div><div><br></div><div>This may be your scenario </div><div><br></div><div><a href="https://unix.stackexchange.com/questions/461320/nf-conntrack-sip-does-not-work-sometimes-restarting-iptables-usually-fixes-it">https://unix.stackexchange.com/questions/461320/nf-conntrack-sip-does-not-work-sometimes-restarting-iptables-usually-fixes-it</a></div><div><br></div><div>You are adding a dependency on the firewall that you don’t need using configuration you are not sure of. That is never a reliable situation to be in. </div><div><br></div><div>Why would nftables have a bug? Many people use it around the world and it works well. What is the likelihood of a bug in this scenario </div><div><br></div><div>The alternative is a misconfiguration, and you are not very familiar with the configuration and new to nftables. Which one is more likely?</div><div><br></div><div>The above issue sounds like yours but it could be something else</div><div><br></div><div>You can research and find the config error, or somehow you can prove a bug or you can remove the issue by just allowing rtp through</div><div><br></div><div>All of these are your choices. To me the config error is most likely as I have very rarely found a bug. It’s almost always config </div><div><br></div><blockquote type="cite"><div dir="ltr"><span></span><br><span>Marek</span><br><span></span><br><span></span><br><span>2021-09-10 1:19 GMT+02:00, Duncan Turnbull <duncan@e-simple.co.nz>:</span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>On 10/09/2021, at 4:37 AM, Marek Greško <mgresko8@gmail.com> wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>There are other systems running on the same hardware. It would just</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>leave open ports here.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Do not compare SIP ALG on a closed source device to an opensource</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>software with active development. I had no such problems in the past</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>when using iptables. The nftables is a pretty new software, so some</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>bugs could be present and I accept. I just wanted to be sure I am not</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>doing anything wrong. Now I am pretty sure it is a bug.</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I very much doubt it’s a bug, but that’s your choice to pursue that</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>You ask for help but perhaps you are not wanting to listen</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>If you open your asterisk rtp ports in your firewall then you are following</span><br></blockquote><blockquote type="cite"><span>pretty much what everyone else does.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Otherwise you are letting another device interfere with your Sip</span><br></blockquote><blockquote type="cite"><span>transactions and we have already shown that’s a bad idea. Makes no</span><br></blockquote><blockquote type="cite"><span>difference whether it’s open source or not.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>But up to you</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Thanks</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Marek</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>2021-09-09 18:30 GMT+02:00, Administrator <admin@tootai.net>:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Le 09/09/2021 à 18:15, Marek Greško a écrit :</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>There is always some risk. If there is a solution that should work, it</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>is best to use it. We just need the root cause, why it fails</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>sometimes.</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Like SIP ALG ? ;) Please explain which risk are existing if there is</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>nothing listening on those ports ?</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>2021-09-09 18:01 GMT+02:00, Antony Stone</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span><Antony.Stone@asterisk.open.source.it>:</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>On Thursday 09 September 2021 at 17:56:10, Marek Greško wrote:</span><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Hello,</span><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>I would not like to open whole range of udp ports for rtp.</span><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Why not?  What is the risk?</span><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>What would possibly be listening on UDP ports 10000 - 20000 (the</span><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Asterisk</span><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>default range) which an external scanner / attacker could make use of?</span><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>--</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Daniel</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>--</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>_____________________________________________________________________</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>-- Bandwidth and Colocation Provided by http://www.api-digital.com --</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Check out the new Asterisk community forum at:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>https://community.asterisk.org/</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>New to Asterisk? Start here:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>     https://wiki.asterisk.org/wiki/display/AST/Getting+Started</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>asterisk-users mailing list</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>To UNSUBSCRIBE or update options visit:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>  http://lists.digium.com/mailman/listinfo/asterisk-users</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>--</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>_____________________________________________________________________</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>-- Bandwidth and Colocation Provided by http://www.api-digital.com --</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Check out the new Asterisk community forum at:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>https://community.asterisk.org/</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>New to Asterisk? Start here:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>     https://wiki.asterisk.org/wiki/display/AST/Getting+Started</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>asterisk-users mailing list</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>To UNSUBSCRIBE or update options visit:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>  http://lists.digium.com/mailman/listinfo/asterisk-users</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>--</span><br></blockquote><blockquote type="cite"><span>_____________________________________________________________________</span><br></blockquote><blockquote type="cite"><span>-- Bandwidth and Colocation Provided by http://www.api-digital.com --</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Check out the new Asterisk community forum at:</span><br></blockquote><blockquote type="cite"><span>https://community.asterisk.org/</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>New to Asterisk? Start here:</span><br></blockquote><blockquote type="cite"><span>      https://wiki.asterisk.org/wiki/display/AST/Getting+Started</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>asterisk-users mailing list</span><br></blockquote><blockquote type="cite"><span>To UNSUBSCRIBE or update options visit:</span><br></blockquote><blockquote type="cite"><span>   http://lists.digium.com/mailman/listinfo/asterisk-users</span><br></blockquote><span></span><br><span>-- </span><br><span>_____________________________________________________________________</span><br><span>-- Bandwidth and Colocation Provided by http://www.api-digital.com --</span><br><span></span><br><span>Check out the new Asterisk community forum at: https://community.asterisk.org/</span><br><span></span><br><span>New to Asterisk? Start here:</span><br><span>      https://wiki.asterisk.org/wiki/display/AST/Getting+Started</span><br><span></span><br><span>asterisk-users mailing list</span><br><span>To UNSUBSCRIBE or update options visit:</span><br><span>   http://lists.digium.com/mailman/listinfo/asterisk-users</span></div></blockquote></body></html>