[asterisk-users] Dead Air on PF firewall

Michiel van Baak michiel at vanbaak.info
Mon Mar 10 07:20:54 CDT 2008


On 07:00, Mon 10 Mar 08, NOC ph wrote:
> Hi All,
> 
> I have an asterisk box on my DMZ, and I'm using PF for my firewall. I 
> can make a call, but for some reason I have dead air.
> 
> Any Ideas? below are my rules...
> 
> ext_if = "bce0"
> int_if = "bce1"
> altitude = "172.16.1.0/24"
> 
> #### machines ####
> vbox = "172.16.1.1"
> uci = "172.16.1.4"
> voices = "203.172.x.1"
> ipc = "203.172.x.2"
> 
> #### default deny ####
> set block-policy return
> set loginterface $ext_if
> set skip on lo
> scrub in
> 
> #### nat ####
> nat on $ext_if from !($ext_if) -> ($ext_if:0)

> nat on $ext_if inet proto { udp tcp } from $vbox to any port 5060 -> 
> $ext_if port 5060
> nat on $ext_if inet proto tcp from $uci to any port 1500 -> $ext_if port 
> 1500

Why those two rules? The first nat rule already takes care
of that.

> rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox 
> port 5060
> rdr on $ext_if proto udp from any to $ext_if port 5100 -> $vbox port 5100

You have to forward the RTP ports as well:
rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $vbox

> 
> #### filtering section ####
> pass out on { $int_if, $ext_if } inet proto { udp tcp } from $altitude to any
> pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
> pass in on $ext_if inet proto tcp from $ipc to any port 1500 flags S/SA 
> keep state

And you should allow the RTP ports as well:
pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state

> pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in quick on bce1
> 

For reference, here are my pf rules for my internal pbx:

##########
# Macros #
##########
ext_if           = "rl0"
ext_ip           = "82.95.XXX.XXX"
int_if           = "wb0"
int_net          = "192.168.2.0/24"
voip_server      = "192.168.2.4"
voip_ports       = "{ 4569, 5060, 10000:20000 }"

####################################
# NAT rules: "rdr", "nat", "binat" #
####################################
nat on $ext_if from $int_if:network to any -> $ext_ip
# asterisk server
rdr on $ext_if proto udp from any to any port $voip_ports -> $voip_server

#############
# Filtering #
#############
# voip always goes in the priority class
pass out quick on $ext_if inet proto udp from any to any port $voip_ports keep state queue q_pri
pass in quick on $ext_if inet proto udp from any to any port $voip_ports keep state queue q_pri

Also, make sure in asterisk sip.conf you have the externip
and localnet config parameters set.

-- 

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
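The mismatch this thread diagnoses (SIP on 5060 forwarded, but no rdr or pass rule for the RTP range) can be checked mechanically. The following is an added Python example, not from the list post or from pf, that scans a pf ruleset and an Asterisk rtp.conf (rtpstart/rtpend) and reports whether the whole RTP range is both redirected and passed in; the rule text and port range are constructed samples modelled on the thread.

```python
import re

# Constructed samples (not from the list post): the OP's SIP-only rules, the
# same rules plus the RTP rdr/pass lines the reply suggests, and an rtp.conf
# whose rtpstart/rtpend match the 10000:20000 range used in the thread.
SIP_ONLY_RULES = """
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox port 5060
pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
"""
WITH_RTP_RULES = SIP_ONLY_RULES + """
rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $vbox
pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state
"""
RTP_CONF = "[general]\nrtpstart=10000\nrtpend=20000\n"
PORT_RE = re.compile(r"\bport\s+(\d+)(?::(\d+))?")

def udp_port_ranges(pf_text, kind):
    """(lo, hi) destination port ranges of UDP rules starting with `kind`."""
    ranges = []
    for line in pf_text.splitlines():
        line = line.strip()
        if not line.startswith(kind) or "udp" not in line:
            continue
        m = PORT_RE.search(line)  # first 'port' token is the destination port
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            ranges.append((lo, hi))
    return ranges

def rtp_range(rtp_text):
    """Read rtpstart/rtpend from rtp.conf text."""
    vals = dict(re.findall(r"^(rtpstart|rtpend)\s*=\s*(\d+)", rtp_text, re.M))
    return int(vals["rtpstart"]), int(vals["rtpend"])

def covered(lo, hi, ranges):
    return any(a <= lo and hi <= b for a, b in ranges)

def check_rtp_path(pf_text, rtp_text):
    """Each key is True only if a UDP rule of that kind covers the whole RTP
    range; a False here is the dead-air symptom the thread describes."""
    lo, hi = rtp_range(rtp_text)
    return {"rdr": covered(lo, hi, udp_port_ranges(pf_text, "rdr")),
            "pass_in": covered(lo, hi, udp_port_ranges(pf_text, "pass in"))}
```

Run it against the live pf.conf and rtp.conf to confirm the RTP range in the firewall actually matches the one Asterisk negotiates in SDP; a range that is forwarded but not passed (or the reverse) still produces dead air.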