[Asterisk-Users] Broken firewall or brain damaged admin?

Jason Bachman jason at bachman.cc
Sat Jun 10 07:53:33 MST 2006


More than likely, the hotels are using a service that uses proxies, not 
just a NAT firewall.  This being the case, they may very well block UDP 
traffic.  Since UDP is a stateless protocol, there is a very good 
chance that they block incoming UDP to deter people from using streaming 
services/p2p services for bandwidth control or to deter DoS attacks. 
It would not be the first time I have seen that happen.  It would have a 
detrimental effect on the IAX protocol since it uses UDP.  SIP over TCP would fix 
your problem but Asterisk doesn't support that yet.


Rich Adamson wrote:
> Brian Capouch wrote:
>> I am travelling this week and have had to buy connectivity from a 
>> hotel and at a couple of airports.
>>
>> For the first time ever, I have had problems (twice out of four 
>> connections) with IAX traffic going through firewalls.
>>
>> I'm almost certain I'm looking at a broken firewall, and if it's a 
>> commercial one that's in use by hotspot/hotel-type operations, I 
>> would like to follow up and see if I can figure out how to convince 
>> them to fix it.
>>
>> In both cases I have been on a NAT connection.
>>
>> In both cases I have been able trace and see the following behavior, 
>> identical in both:
>>
>> 1. My packets leave a private IP asking for a UDP connection to my 
>> home Asterisk server, port 4569.
>>
>> 2. Asterisk reports "<Unregistered>" when I do an iax2 show registry.
>>
>> 3. Sniffing at my home server shows tons of traffic similar to this 
>> snippet:
>>
>> 21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: 
>> ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
>> 21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: 
>> ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
>>
>> I'd like to ask the list two things: first, is this indeed a broken 
>> firewall?  It seems like the NAT mapping that sends traffic out 
>> should accept the return traffic on the port it uses (4569 in this 
>> case) as its *source* port.
>
> Probably not. If it were broken, then dns and other udp services would 
> fail as well.
>
>> Second, and more important, anything I can do beyond beating my head 
>> against doltish ISP customer service reps, who in both cases told me 
>> that I had something broken "on my end"?
>
> Guess you could try changing the iax port (from 4569) to see if that 
> works. If it does, there might be an access list applied somewhere 
> that is blocking 4569.
>
> A more complete/detailed sniffer trace might be helpful since the 
> above snippet only shows one-way traffic and not much of the actual 
> packet.
>
> R.
>
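Rich's point that the snippet only shows one-way traffic is the right one to chase, and the detail worth extracting from the trace is that the ICMP "port unreachable" is sourced by the same host whose port it reports unreachable (ip-66-80-112-58), i.e. the NAT/proxy endpoint itself is refusing the PBX's reply, rather than some router in the path. The following script is an added example, not code from the thread or from Asterisk: it parses tcpdump lines in the format shown above, counts IAX datagrams in each direction per remote host, and splits ICMP unreachables by whether they come from the endpoint or from an intermediate hop. The sample trace is constructed; only the first host name and the line format come from the post, and hotel-nat, edge-rtr, laptop-nat and resolver are invented names.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump text format quoted in the thread.
# The megapath.net host and the ICMP line format are from the post; the
# other host names and the UDP lines are made up for this example.
SAMPLE_TRACE = """\
21:30:37.801000 ip-66-80-112-58.chi.megapath.net.4569 > pbx.4569: udp 40
21:30:37.802100 pbx.4569 > ip-66-80-112-58.chi.megapath.net.4569: udp 28
21:30:37.829275 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:37.833965 ip-66-80-112-58.chi.megapath.net > pbx: icmp: ip-66-80-112-58.chi.megapath.net udp port 4569 unreachable (DF)
21:30:39.000100 hotel-nat.example.net.4569 > pbx.4569: udp 40
21:30:39.004411 edge-rtr.example.net > pbx: icmp: hotel-nat.example.net udp port 4569 unreachable (DF)
21:30:40.200000 laptop-nat.example.net.4569 > pbx.4569: udp 40
21:30:40.200500 pbx.4569 > laptop-nat.example.net.4569: udp 28
21:30:41.000000 resolver.example.net.53 > pbx.40123: udp 87
"""

# "<ts> <icmp source> > <local host>: icmp: <original destination> udp port N unreachable"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<icmp_src>\S+) > (?P<local>\S+): icmp: "
    r"(?P<orig_dst>\S+) udp port (?P<port>\d+) unreachable"
)
# "<ts> <src host>.<sport> > <dst host>.<dport>: udp <len>"
UDP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): udp (?P<len>\d+)"
)


def analyze(trace, local="pbx", port=4569):
    """Per remote host: IAX datagrams seen in each direction at the PBX, plus
    ICMP port-unreachables for `port`, split by whether the ICMP was sent by
    the host the datagram was addressed to (the NAT/proxy endpoint itself)
    or by some other hop (a router or ACL in the path)."""
    stats = defaultdict(lambda: {"udp_in": 0, "udp_out": 0,
                                 "icmp_from_endpoint": 0, "icmp_from_hop": 0})
    for line in trace.splitlines():
        m = ICMP_RE.match(line)
        if m:
            if int(m["port"]) != port:
                continue  # unreachable for some other service; not our problem
            host = m["orig_dst"]
            key = "icmp_from_endpoint" if m["icmp_src"] == host else "icmp_from_hop"
            stats[host][key] += 1
            continue
        m = UDP_RE.match(line)
        if not m:
            continue
        if m["dst"] == local and int(m["dport"]) == port:
            stats[m["src"]]["udp_in"] += 1
        elif m["src"] == local and int(m["sport"]) == port:
            stats[m["dst"]]["udp_out"] += 1
    return dict(stats)


VERDICTS = {
    "endpoint-rejects": "the remote endpoint (NAT/proxy gateway) itself rejects return "
                        "traffic to UDP 4569: it has no listener or mapping for that port",
    "hop-rejects": "an intermediate hop rejects return traffic to UDP 4569: "
                   "look for an access list on the path",
    "no-inbound": "nothing from this host ever reached the PBX on 4569: "
                  "outbound IAX is dropped before it gets here",
    "ok": "two-way IAX traffic and no unreachables; registration should work",
}


def diagnose(host_stats):
    """Reduce one host's counters to a verdict key (see VERDICTS).
    Heuristic only: ICMP can be rate-limited or filtered, so the absence of
    unreachables does not prove delivery."""
    if host_stats["icmp_from_endpoint"]:
        return "endpoint-rejects"
    if host_stats["icmp_from_hop"]:
        return "hop-rejects"
    if host_stats["udp_in"] == 0:
        return "no-inbound"
    return "ok"


if __name__ == "__main__":
    for host, s in analyze(SAMPLE_TRACE).items():
        print(f"{host}: in={s['udp_in']} out={s['udp_out']} "
              f"icmp_endpoint={s['icmp_from_endpoint']} icmp_hop={s['icmp_from_hop']}")
        print("  ->", VERDICTS[diagnose(s)])
```

Feed it real output from `tcpdump -n -l 'udp port 4569 or icmp'` on the PBX (pipe into `analyze` with `local` set to the PBX's own name or address as tcpdump prints it). The endpoint-vs-hop split is what distinguishes "the gateway has no mapping for my source port" from "somebody's ACL drops 4569", and it is the latter case that Rich's suggestion of moving IAX off 4569 would confirm.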