[Asterisk-Users] Shorewall firewall rules
Mikael Magnusson
mikaelmagnusson at glocalnet.net
Sat Apr 2 02:27:42 MST 2005
On Sat, Apr 02, 2005 at 11:10:28AM +0200, Remco Barende wrote:
> I'm trying to get firewalling working but I am clueless as to which ports
> I need to open, I keep opening more ports and it's not working :(
>
> Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is giving
> me a headache. It seems that the stateless firewall is not able to handle
> SIP. I'm using shorewall as my firewall with these rules:
>
> ACCEPT net fw udp 4569
> ACCEPT fw net udp 4569,5060,10000:20000
>
> My rtp.conf says this:
> rtpstart=10000
> rtpend=20000
>
>
> Whenever I make a call I get these messages:
>
> Apr 2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1
> SRC=myip DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF
> PROTO=UDP SPT=17798 DPT=7356 LEN=180
>
> Apr 2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT=
> SRC=80.118.132.66 DST=myip LEN=200 TOS=0x00 PREC=0x00 TTL=53
> ID=859 PROTO=UDP SPT=7356 DPT=17798 LEN=180
>
>
> So it seems that the %&*$*&$^&!!!! server is still trying to go out via a
> port lower than the range set in rtp.conf
>
> What is port 7356 for and what should I open to get it to work? I looked
> through the wiki but the low level iptables rules posted there do not make
> any sense to me.
>
Port 7356 is used by the called site to receive RTP packets. I don't
think you can have any influence over which port it chooses to use. You
will need to allow outgoing UDP packets to all ports between 1024 and 65535.
For example:

ACCEPT net fw udp 4569,5060,10000:20000
ACCEPT fw net udp 1024:65535
/Mikael Magnusson
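The point of the reply is that with a stateless firewall the only port you control is your own RTP leg (rtpstart/rtpend), while the far end picks its own receive port, so outbound rules must cover the whole unprivileged range. The script below is an added illustration, not code from either poster or from the Shorewall project: it parses Shorewall kernel REJECT lines like the two quoted above, parses both rule sets from the thread (the original and the reply's), and reports which rejected packets each set would have accepted. The log lines are constructed to mirror the quoted ones, with RFC 5737 documentation addresses standing in for the real IPs; it assumes the standard Shorewall rules column order (ACTION SOURCE DEST PROTO DEST-PORT) and matches only on destination port, which is all a stateless rule set sees.

```python
import re

# Rules as posted in the question (original) and in the reply (proposed).
ORIGINAL_RULES = """\
ACCEPT net fw udp 4569
ACCEPT fw net udp 4569,5060,10000:20000
"""
PROPOSED_RULES = """\
ACCEPT net fw udp 4569,5060,10000:20000
ACCEPT fw net udp 1024:65535
"""

# Constructed sample log lines modelled on the two quoted in the thread.
# 192.0.2.10 plays the PBX, 198.51.100.66 the remote SIP peer (documentation addresses).
SAMPLE_LOG = """\
Apr 2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF PROTO=UDP SPT=17798 DPT=7356 LEN=180
Apr 2 09:18:26 pbx kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= SRC=198.51.100.66 DST=192.0.2.10 LEN=200 TOS=0x00 PREC=0x00 TTL=53 ID=859 PROTO=UDP SPT=7356 DPT=17798 LEN=180
"""

# "Shorewall:<srczone>2<dstzone>:<ACTION>:" followed by KEY=VALUE pairs from the kernel.
LOG_RE = re.compile(r"Shorewall:(?P<src>[a-z]+)2(?P<dst>[a-z]+):(?P<action>\w+):(?P<rest>.*)")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log(text):
    """Turn Shorewall kernel log lines into dicts with zones, protocol and ports."""
    packets = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("rest")))  # second LEN= wins; unused here
        packets.append({
            "src_zone": m.group("src"), "dst_zone": m.group("dst"),
            "action": m.group("action"), "proto": kv["PROTO"].lower(),
            "spt": int(kv["SPT"]), "dpt": int(kv["DPT"]),
        })
    return packets


def parse_ports(spec):
    """'4569,5060,10000:20000' -> [(4569, 4569), (5060, 5060), (10000, 20000)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rules(text):
    """Parse 'ACTION SOURCE DEST PROTO DEST-PORTS' lines from a Shorewall rules file."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue
        action, src, dst, proto, ports = fields[:5]
        rules.append((action, src, dst, proto.lower(), parse_ports(ports)))
    return rules


def accepted_by(pkt, rules):
    """Return the first ACCEPT rule whose zones, protocol and destination-port
    ranges cover this packet, or None. Stateless: the reply direction needs
    its own rule, which is why net->fw must list the local RTP range too."""
    for rule in rules:
        action, src, dst, proto, ranges = rule
        if action != "ACCEPT":
            continue
        if (src, dst, proto) != (pkt["src_zone"], pkt["dst_zone"], pkt["proto"]):
            continue
        if any(lo <= pkt["dpt"] <= hi for lo, hi in ranges):
            return rule
    return None


def audit(log_text, rules_text):
    """Map each rejected packet to the rule that would now accept it (or None)."""
    rules = parse_rules(rules_text)
    return [(pkt, accepted_by(pkt, rules)) for pkt in parse_log(log_text)]


if __name__ == "__main__":
    for label, rules_text in (("original", ORIGINAL_RULES), ("proposed", PROPOSED_RULES)):
        print("== %s rules ==" % label)
        for pkt, rule in audit(SAMPLE_LOG, rules_text):
            verdict = "accepted by %s" % " ".join(rule[:4]) if rule else "still rejected"
            print("%s2%s udp %d -> %d: %s" % (pkt["src_zone"], pkt["dst_zone"],
                                               pkt["spt"], pkt["dpt"], verdict))
```

Running it shows the outbound packet to the peer's port 7356 is rejected under the original rules (7356 is outside 10000:20000) and accepted under the proposed ones, while the inbound reply to 17798 is accepted only once net->fw opens the local RTP range; the original rules allowed only 4569 inbound, so even with the outbound fix the return media would have been dropped.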