> > (Side note, previous versions of the Arno firewall script defaulted to
> > 'all ports' if none were specified, now if no ports are specified, no
> > logging occurs.)
> >
> O.K. that's good to know. Still, it seems that something is borked here:
>
> > If you add the rule:
> >
> > Log Local Out | TCP | Destination: 0/0 | Port: 1 - 65535
> >
> > Then a LOG rule is generated for all ports to all destinations for TCP
> > going Out from the AstLinux box.
>
> I've done that (see attached picture).
> Still I get no log messages on the status page even if I access sites on my
> external IF.
>
> Furthermore:
> > > I as a simple user would have expected that disabling a firewall ALLOWS all
> > > traffic.
> >
> > Normally it is so. All traffic is allowed. Maybe there is sth. wrong
> > with your configuration.
> >
>
> It might seem naive, but if I simply disable the firewall, I can no longer
> access my external IF from any LAN computers. When the firewall is active,
> traffic is NATed to the outside and the firewall rules are applied.
>
> Would disabling the firewall also disable the masquerading (NAT) via the
> external interface?
>
> > To answer some of your previous questions...
> >
> > To allow all SIP and RTP for an external SIP phone, add something like...
> >
> > Pass EXT->Local | UDP | Source: 0/0 | Port: 5060
> >
> > (Restrict more than any host 0/0 Source address if you can)
> >
> > Pass EXT->Local | UDP | Source: 0/0 | Port: 10000-20000
> >
> > (The port range here should exactly match your /etc/asterisk/rtp.conf
> > rtpstart-rtpend port range. Alternatively you can enable the 'sip-voip'
> > plugin, but personally I keep the 'sip-voip' plugin disabled and use the
> > above firewall rule.)
> >
> > Hope this helps.
> >
> > Lonnie
> >
>
> Thanks. This is very helpful. Of course, only if I really can get the
> firewall rules to apply. First step would be to make a simple "log all" rule
> work.
>
> Michael
I tested it: The "Log local Out" works fine for me (port 1-1000). I can see that I got via SSH on another box:

Jul 11 17:16:50 alix user.info kernel: AIF:Host TCP log (OUT): IN= OUT=eth0 SRC=192.168.x.y DST=192.168.x.z LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26043 DF PROTO=TCP SPT=57825 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Michael
http://www.mksolutions.info

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
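The kernel LOG line above is the evidence that a "Log Local Out" rule is actually firing. The following is an added example, not code from the thread or from AstLinux, that parses such an AIF:Host log line into fields and checks whether the logged packet falls inside a given Log rule (protocol and destination-port range); the sample line is the one quoted above with constructed addresses in place of 192.168.x.y / 192.168.x.z.

```python
import re

# Constructed sample: the kernel LOG line from the thread, with the
# placeholder addresses replaced by made-up LAN hosts.
SAMPLE_LINE = (
    "Jul 11 17:16:50 alix user.info kernel: AIF:Host TCP log (OUT): "
    "IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=26043 DF PROTO=TCP SPT=57825 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Matches the "AIF:<prefix> (<direction>): key=value ..." shape of the line above.
_PREFIX_RE = re.compile(
    r"kernel: AIF:(?P<prefix>.*?) \((?P<direction>IN|OUT|FWD)\): (?P<rest>.*)$"
)
_INT_FIELDS = {"SPT", "DPT", "LEN", "TTL", "ID"}


def parse_aif_log(line: str) -> dict:
    """Parse one netfilter LOG line written by the Arno firewall script.

    key=value tokens become dict entries (ports, LEN, TTL and ID as ints;
    an empty value such as 'IN=' stays ''); bare tokens such as DF or SYN
    are collected under "flags".
    """
    m = _PREFIX_RE.search(line)
    if not m:
        raise ValueError("not an AIF log line")
    rec = {"prefix": m.group("prefix"), "direction": m.group("direction"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if key in _INT_FIELDS and val else val
        else:
            rec["flags"].append(tok)
    return rec


def matches_log_rule(rec: dict, proto: str, port_lo: int, port_hi: int,
                     direction: str = "OUT") -> bool:
    """True if the parsed packet lies within a 'Log Local Out | proto | Port: lo-hi' rule."""
    return (rec["direction"] == direction
            and rec.get("PROTO") == proto
            and port_lo <= rec.get("DPT", -1) <= port_hi)


if __name__ == "__main__":
    packet = parse_aif_log(SAMPLE_LINE)
    print(packet["SRC"], "->", packet["DST"], packet["PROTO"], packet["DPT"],
          "matches 1-1000:", matches_log_rule(packet, "TCP", 1, 1000))
```

Feed it the output of `logread` or the status page log on the AstLinux box and every line that parses and matches is proof the rule applied; if nothing matches, the rule never made it into the running netfilter tables.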