[Asterisk-Users] Broken firewall or brain damaged admin?

Rich Adamson radamson at routers.com
Sat Jun 10 02:00:55 MST 2006


Brian Capouch wrote:
> I am travelling this week and have had to buy connectivity from a hotel 
> and at a couple of airports.
> 
> For the first time ever, I have had problems (twice out of four 
> connections) with IAX traffic going through firewalls.
> 
> I'm almost certain I'm looking at a broken firewall, and if it's a 
> commercial one that's in use by hotspot/hotel-type operations, I would 
> like to follow up and see if I can figure out how to convince them to 
> fix it.
> 
> In both cases I have been on a NAT connection.
> 
> In both cases I have been able to trace and see the following behavior, 
> identical in both:
> 
> 1. My packets leave a private IP asking for a UDP connection to my home 
> Asterisk server, port 4569.
> 
> 2. Asterisk reports "<Unregistered>" when I do an iax2 show registry.
> 
> 3. Sniffing at my home server shows tons of traffic similar to this 
> snippet:
> 
> 21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
> 21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
> 
> I'd like to ask the list two things: first, is this indeed a broken 
> firewall?  It seems like the NAT mapping that sends traffic out should 
> accept the return traffic on the port it uses (4569 in this case) as its 
> *source* port.

Probably not. If it were broken, then dns and other udp services would 
fail as well.

> Second, and more important, anything I can do beyond beating my head 
> against doltish ISP customer service reps, who in both cases told me 
> that I had something broken "on my end?"

Guess you could try changing the iax port (from 4569) to see if that 
works. If it does, there might be an access list applied somewhere that 
is blocking 4569.

A more complete/detailed sniffer trace might be helpful since the above 
snippet only shows one-way traffic and not much of the actual packet.

R.
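As an added example (not part of the post, and not Asterisk code), a small Python parser for tcpdump lines like the ones quoted above: it pulls out the ICMP "udp port unreachable" records and flags those where the host sending the ICMP error is the same host whose port it reports closed, which is what the quoted snippet shows and is consistent with the NAT device having no mapping for the return traffic. The sample trace is constructed; the hostnames are the ones from the post plus a made-up "some-router.example.net" to show the non-self-reported case.

```python
import re
from collections import Counter

# Constructed sample, modelled on the tcpdump lines quoted in the thread.
SAMPLE_TRACE = """\
21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:38.101004 pbx.4569 > ip-66-80-112-58.chi.megapath.net.4569: udp 12 (DF)
21:30:39.002210 some-router.example.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
"""

# Old-style tcpdump ICMP unreachable line: "<ts> <sender> > <dst>: icmp: <target> udp port <n> unreachable"
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sender>\S+) > (?P<dst>\S+): icmp: "
    r"(?P<target>\S+) udp port (?P<port>\d+) unreachable"
)

def parse_unreachables(trace):
    """Yield one dict per ICMP 'udp port unreachable' line; other lines are skipped."""
    for line in trace.splitlines():
        m = UNREACH_RE.match(line)
        if m:
            yield {
                "ts": m["ts"],
                "sender": m["sender"],
                "target": m["target"],
                "port": int(m["port"]),
                # Sender of the ICMP error is the very host whose port it reports closed:
                # the NAT gateway itself is saying it has nothing listening/mapped there.
                "self_reported": m["sender"] == m["target"],
            }

def summarize(trace):
    """Count unreachables per (sender, target, port); return the set of self-reported keys too."""
    counts = Counter()
    self_reported = set()
    for ev in parse_unreachables(trace):
        key = (ev["sender"], ev["target"], ev["port"])
        counts[key] += 1
        if ev["self_reported"]:
            self_reported.add(key)
    return counts, self_reported

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_TRACE)
    for key, n in counts.most_common():
        sender, target, port = key
        tag = "gateway reports its own port closed" if key in flagged else "third-party ICMP"
        print(f"{n:4d}  {sender} -> {target} udp/{port}: {tag}")
```

Run it against a fuller capture taken on the home server; a run of self-reported unreachables from the hotspot's public address, with no inbound UDP from it, is the pattern the thread is describing.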
