[Asterisk-Users] IAX and Firewall

Piotr A. Sygula psygula at net-shapers.com
Fri Nov 18 21:35:57 MST 2005


300 seconds is a mighty long time to keep state on a udp connection. Our
firewalls time out udp states in 2 seconds of inactivity. But your
point is valid and taken...
   

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of tim panton
Sent: Friday, November 18, 2005 4:59 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] IAX and Firewall


On 18 Nov 2005, at 22:01, Piotr A. Sygula wrote:

> If teliax ever wants to connect to your asterisk box, as in if they're
> providing a DID for you, you will need to allow teliax through the
> firewall. If you're the one originating the connection to them, you
> don't need to open the ingress port.
>
>> I don't believe so. By registering with the remote server,
>> you are giving them the NAT port to get back into your
>> server with. All communications will take place on that
>> port.
>
> Registration has nothing to do with NAT.  The key here is which side
> initiates the connection.  Of course this is all under the assumption
> that Joseph's firewall is stateful.

Ah, but registration does have something to do with it.
Classic IAX re-registers often enough to keep a 'udp connection' (ugh)
open through most domestic stateful firewalls.

Put another way, Joseph's Asterisk is sending out UDP packets to teliax
every 300 seconds (say) (either to register or these days to 'qualify'
the link). The firewall sees any inbound IAX packets from teliax as part
of that conversation and passes them in to Asterisk.

This fails if both the re-registration and qualify periods are longer
than the time Joseph's firewall keeps the udp state.

As to how to debug the original problem, get the firewall to log
filtered packets and see if any are from teliax. Also turn on IAX
debugging and send us the relevant logs.

Tim.
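
Added example, not part of the original thread: a small Python model of the behaviour discussed above, where periodic outbound register/qualify packets keep a UDP state entry alive and an inbound packet from the provider passes only while that entry has not timed out. The addresses, the 50 ms reply delay and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulUdpFirewall:
    """Toy model of outbound-initiated UDP state tracking (not a real firewall)."""
    idle_timeout: float                         # seconds a flow may stay idle
    states: dict = field(default_factory=dict)  # (local, remote) -> last seen

    def outbound(self, now, local, remote):
        # Outbound traffic is allowed and creates or refreshes the state entry.
        self.states[(local, remote)] = now
        return True

    def inbound(self, now, remote, local):
        # Inbound traffic passes only if it matches a state that has not expired.
        last = self.states.get((local, remote))
        if last is None or now - last > self.idle_timeout:
            self.states.pop((local, remote), None)
            return False
        self.states[(local, remote)] = now
        return True


def inbound_call_passes(idle_timeout, keepalive_interval, call_time):
    """True if a packet from the provider at call_time gets through, given
    outbound keepalives (register/qualify) every keepalive_interval seconds."""
    fw = StatefulUdpFirewall(idle_timeout)
    pbx = ("192.0.2.10", 4569)          # constructed address, IAX2 UDP port
    provider = ("198.51.100.20", 4569)  # constructed address
    t = 0.0
    while t < call_time:
        fw.outbound(t, pbx, provider)
        reply = t + 0.05                # assumed: provider answers within 50 ms
        if reply < call_time:
            fw.inbound(reply, provider, pbx)  # the reply also refreshes state
        t += keepalive_interval
    return fw.inbound(call_time, provider, pbx)


if __name__ == "__main__":
    for timeout, interval in [(600, 300), (30, 300), (2, 300), (30, 20)]:
        ok = inbound_call_passes(timeout, interval, call_time=450)
        print(f"timeout={timeout}s keepalive={interval}s -> "
              f"{'passed' if ok else 'dropped'}")
```

With a 300-second keepalive the inbound packet is dropped unless the firewall holds UDP state for longer than the gap since the last keepalive exchange; shortening the keepalive below the timeout makes it pass.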