Thanks much Lonnie. These are some awesome ideas. I will try some and report
back.
Cheers
Ionel
> On Apr 22, 2023, at 1:38 PM, Lonnie Abelbeck
> wrote:
>
> Hi Ionel,
>
>> Is it possible to create a rule and say only this “extension” can log in and
>> everything else drop?
>
> No, that w
Hi Ionel,
> Is it possible to create a rule and say only this “extension” can log in and
> everything else drop?
No, that would require some sort of deep inspection at the firewall level.
A couple of ideas...
1) Using 'sipgrep' from the AstLinux CLI, have your brother call you and see
what th
I had to open port 5060 to the internet for my brother PAP2-NA to get in.
Initially I started getting a lot of brute force attacks but the “adaptive-ban”
plugins took care of it. Now I am getting a different type of attacks? See
logs below.
I do have a firewall from UDMP-SE and this PBX is
Lonnie,
Thanks! That's what I was looking for; a bare-bones "firewalls for
dummies" type approach.
Actually, I have to admit that I did turn the firewall on without any
rules set. Thank goodness for the local console! ;-)
PDW
Original Message
Hi Paul,
Actually, I
Greetings,
I am trying to get the Adaptive Ban plugin to work but know nothing
about firewall configuration. Is there a guide to using the AstLinux
GUI firewall settings or, short of that, a suggested minimal
configuration for SSH, IAX2, and SIP? Actually, I never opened a port
to the "outs
Very good. That helps a lot.
@Michael: Maybe you could add an example, how to configure the downstream
router (in principle), to the Wiki.
Sent from my iPad
Michael
> On 30.05.2016 at 19:04, Lonnie Abelbeck wrote:
>
> The new NAT_FOREIGN_NETWORK variable is now documented in the WiKi...
>
The new NAT_FOREIGN_NETWORK variable is now documented in the WiKi...
Internal Downstream Router
https://doc.astlinux.org/userdoc:tt-internal-downstream-router
Lonnie
>> In this case, FOREIGN does not make as much sense.
>>
>> Regards
>> Michael Knill
>>
>>
>> -Original Message-
>> From: Lonnie Abelbeck
>> Reply-To: AstLinux List
>> Date: Sunday, 29 May 2016 at 3:34 AM
>> To: AstLinux List
you could configure by default all the Private networks?
Regards
Michael Knill
-Original Message-
From: Michael Keuter
Reply-To: AstLinux List
Date: Sunday, 29 May 2016 at 8:32 PM
To: AstLinux List
Subject: Re: [Astlinux-users] Firewall forwarding
Sent from my iPad
Michael
Sent from my iPad
Michael
> On 28.05.2016 at 21:43, Lonnie Abelbeck wrote:
>
>
>> On May 28, 2016, at 2:12 PM, Michael Keuter wrote:
>>
>>
>>
>> Sent from my iPad
>>
>> Michael
>>
>>> On 28.05.2016 at 18:34, Lonnie Abelbeck wrote:
>>>
>>> Hi Michael,
>>>
>>> Indeed dividing the /2
directly connected networks. I assume this should not be a problem?
> In this case, FOREIGN does not make as much sense.
>
> Regards
> Michael Knill
>
>
> -Original Message-
> From: Lonnie Abelbeck
> Reply-To: AstLinux List
> Date: Sunday, 29 May 2016
rks. I assume this should not be a problem?
> In this case, FOREIGN does not make as much sense.
>
> Regards
> Michael Knill
>
>
> -Original Message-
> From: Lonnie Abelbeck
> Reply-To: AstLinux List
> Date: Sunday, 29 May 2016 at 3:34 AM
> To: AstLinux
9 May 2016 at 3:34 AM
To: AstLinux List
Subject: Re: [Astlinux-users] Firewall forwarding
Hi Michael,
Indeed dividing the /24 into two /25's is a hack and should be ignored.
The solution is, as you suggested, to add a rc.conf variable to specify routed
LAN subnets downstream from AstLi
On May 28, 2016, at 2:12 PM, Michael Keuter wrote:
>
>
> Sent from my iPad
>
> Michael
>
>> On 28.05.2016 at 18:34, Lonnie Abelbeck wrote:
>>
>> Hi Michael,
>>
>> Indeed dividing the /24 into two /25's is a hack and should be ignored.
>>
>> The solution is, as you suggested, to add a rc
Sent from my iPad
Michael
> On 28.05.2016 at 18:34, Lonnie Abelbeck wrote:
>
> Hi Michael,
>
> Indeed dividing the /24 into two /25's is a hack and should be ignored.
>
> The solution is, as you suggested, to add a rc.conf variable to specify
> routed LAN subnets downstream from AstLinux
Hi Michael,
Indeed dividing the /24 into two /25's is a hack and should be ignored.
The solution is, as you suggested, to add a rc.conf variable to specify routed
LAN subnets downstream from AstLinux to be NAT'ed.
I think the route to 'hidden' subnets downstream will still have to be a
rc.eloc
Ted networks!
>
> Regards
> Michael Knill
>
>
> -Original Message-
> From: Lonnie Abelbeck
> Reply-To: AstLinux List
> Date: Saturday, 28 May 2016 at 11:39 AM
> To: AstLinux List
> Subject: Re: [Astlinux-users] Firewall forwarding
>
>
> On Ma
firewalls require you to specify the NATed networks!
Regards
Michael Knill
-Original Message-
From: Lonnie Abelbeck
Reply-To: AstLinux List
Date: Saturday, 28 May 2016 at 11:39 AM
To: AstLinux List
Subject: Re: [Astlinux-users] Firewall forwarding
On May 27, 2016, at 7:17 PM
ave to ponder the best way to handle 192.168.6.0/24 packets on eth2 sent
from behind the Cisco. Possibly some clever subnet choices where the Cisco WAN
subnet and Cisco LAN subnet "add up" to the AstLinux 2nd interface LAN subnet.
Lonnie
>
> Regards
> Michael Knill
>
all -- anywhere anywhere
Does this mean that 192.168.6.0/24 is not being NATed?
Regards
Michael Knill
-Original Message-
From: Lonnie Abelbeck
Reply-To: AstLinux List
Date: Friday, 27 May 2016 at 11:47 PM
To: AstLinux List
Subject: Re: [Astlinux-users] Firewall
Hi Michael,
It sounds like you are on the correct path, but the devil is in the details, so
let's talk details with an example.
Assume the Cisco firewall is connected to AstLinux's 1st LAN Interface:
AstLinux-LAN IPv4: 10.1.1.1
NetMask: 255.255.255.0
Assume the Cisco firewall has two interfaces
Hi group
Ok I think I am missing something here as it seems simple but it is not working
and I am pulling out my hair.
I have an Astlinux appliance connected directly to the Public network where I
am doing NAT(PAT).
The customer wants to protect their data LAN by a Cisco ASA firewall so I have
Thanks Lonnie
Regards
Michael Knill
-Original Message-
From: Lonnie Abelbeck
Reply-To: AstLinux List
Date: Monday, 11 April 2016 at 9:49 PM
To: AstLinux List
Subject: Re: [Astlinux-users] Firewall restart
Michael,
When the firewall reloads, any new traffic will be blocked, but
Michael,
When the firewall reloads, any new traffic will be blocked, but any
pre-existing firewall states will remain and any matching packets are allowed
to pass.
The reason is, while the firewall rules are under construction, we don't want
any packets to sneak in that would normally be block
Hi All
I am about to set up a VM based Astlinux system for ultimately a reasonable
volume of calls. It will be providing SIP Trunks to the Public network from
known IP Addresses of which I will be adding rules in the firewall.
Does restarting the firewall affect existing traffic? I know I have
Shamus,
If you want "auto-magic" addition of the NAT firewall rules, possibly if the
SIP phones supported some sort of Universal Plug-n-Play like NAT-PMP then you
could enable NAT-PMP in AstLinux, but you would still need to know what the WAN
port number was for each phone, so this probably won
Thanks for the responses. I tried Lonnie’s suggestion adding the NAT rules and
it worked. I was hoping for something more elegant.
Just wondering if the following would be possible… On my LAN (192.168.10.0/24)
I have an existing Ubuntu-based server. This is on the same subnet that
AstLinux see
And another option which is what I use is SSH Tunnelling. Use SSH Keys and in
user.conf set SSHDPORT=“” and SSHDROOT=“No” in user.conf.
You can tunnel to any device on the network. So simple. No need to establish
VPN connections. No problems with overlapping IP ranges and a single firewall
rule.
Hi Shamus,
One method would be to manually add Firewall Rules for each SIP phone (example):
--
NAT EXT->LAN TCP Source: 0/0 8010 Destination: 192.168.5.10 80
NAT EXT->LAN TCP Source: 0/0 8011 Destination: 192.168.5.11 80
...etc for each phone
--
(of course use any NAT'ed port numbers you wish)
Th
Running the latest version of AstLinux on a box with 2x Ethernet ports. Eth0 is
my external interface and I’ve assigned a static IP, this sits on my LAN. Eth1
is the local port and serves as DHCP/DNS server for all my SIP phones. These
are assigned an address in the 192.168.5.0/24 range and are
You need to do a custom build to get tinyproxy.
David
On Mon, Aug 25, 2014 at 5:08 PM, Michael Knill <
michael.kn...@ipcsolutions.com.au> wrote:
> Thanks David
>
> So I assume that tinyproxy is not in the standard build?
> I think I am going to need to read ‘IP Tables for Dummies’ if it exists.
Thanks David
So I assume that tinyproxy is not in the standard build?
I think I am going to need to read ‘IP Tables for Dummies’ if it exists.
Regards
Michael Knill
On 25 Aug 2014, at 11:12 pm, David Kerr wrote:
> I do not use either of the firewall plugins, but I do use tinyproxy as a
> t
I do not use either of the firewall plugins, but I do use tinyproxy as a
transparent proxy. The way I use it is to transparently redirect HTTP
traffic from selected devices on my network (kids systems) over to
tinyproxy. Tinyproxy is setup to block access to certain websites based
solely on the U
On 24.08.2014 at 11:12, Michael Knill wrote:
> Hi group
>
> Can anyone tell me how the Transparent Proxy works and what it can be used
> for?
>
> Regards
> Michael Knill
From: /usr/share/arno-iptables-firewall/plugins/50transparent-proxy.plugin
# Comments : This plugin enables transpare
Hi group
Can anyone tell me how the Transparent Proxy works and what it can be used for?
Regards
Michael Knill
Thank you all!
All is well.
On Thu, Oct 3, 2013 at 2:19 PM, Lonnie Abelbeck
wrote:
> Fernando,
>
> $ iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> $ iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>
> Should get you going... but don't leave it that way for too long, add the
> Fire
Fernando,
$ iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Should get you going... but don't leave it that way for too long, add the
Firewall tab rules for TCP 80,443 and restart the firewall.
Lonnie
On Oct 3, 2013, at 2:03 PM, Fer
On 03.10.2013 at 21:03, Fernando Fuentes wrote:
> Lonnie,
>
> That's exactly what I am trying to do. Give myself access to the gui.
>
> Regards,
Ah OK, then add
GUI_FIREWALL_RULES="
1~PASS_EXT_LOCAL~TCP~0/0~443~~
"
HOST_OPEN_TCP="0/0~22 0/0~443"
into "/mnt/kd/rc.conf.d/gui.firewall.co
Lonnie,
That's exactly what I am trying to do. Give myself access to the gui.
Regards,
On Thu, Oct 3, 2013 at 1:54 PM, Michael Keuter wrote:
>
> On 03.10.2013 at 20:43, Fernando Fuentes <
> ffuen...@digitalvoipnet.com> wrote:
>
> > Lonnie,
> >
> > Thanks. I don't have access to the gui and I
On 03.10.2013 at 20:43, Fernando Fuentes wrote:
> Lonnie,
>
> Thanks. I don't have access to the gui and I need to add rules to the firewall.
> I guess this will work.
> How would I know which is the interface?
> IE: EXT to INT
>
> Regards,
You can look into "/mnt/kd/rc.conf.d/gui.network.con
Fernando,
Do you need to simply issue an iptables command to get access to the web
interface ?
I still don't understand what you are trying to do...
> How would I know which is the interface?
$ ip a
Lonnie
On Oct 3, 2013, at 1:43 PM, Fernando Fuentes wrote:
> Lonnie,
>
> Thanks. I dont ha
Lonnie,
Thanks. I don't have access to the gui and I need to add rules to the
firewall.
I guess this will work.
How would I know which is the interface?
IE: EXT to INT
Regards,
On Thu, Oct 3, 2013 at 1:23 PM, Lonnie Abelbeck
wrote:
> Hi Fernando,
>
> I'm not completely sure what you are asking
Hi Fernando,
I'm not completely sure what you are asking, is it... "I'd like to add
persistent iptables rules that are outside the scope of the web interface
Firewall tab"
If so, edit the file "/mnt/kd/arno-iptables-firewall/custom-rules" (BTW
symlinked to by "/etc/arno-iptables-firewall/custo
Team,
I am trying to add a rule to my firewall via cli.
I can't seem to find the iptables file.
Can you point me in the right direction?
Regards,
Hi Miguel,
We need more information about your setup to help.
Let me assume you are using a recent version of AstLinux, and AstLinux is
acting as the OpenVPN server.
As this document states, you need the Firewall enabled for OpenVPN to operate
properly.
http://doc.astlinux.org/userdoc:tt_openv
I have this error :
3 read UDPv4 [CMSG=8|ECONNREFUSED]: Connection refused (code=111)
this error is only with astlinux's firewall and openvpn client. The
openvpn connects but bria program NOT. Without firewall bria and
openvpn connects success. But with firewall openvpn connects and bria
NOT c
ocal TCP 192.168.2.0/24 22
Pass EXT->Local TCP 192.168.2.0/24 443
Pass EXT->Local TCP 192.168.2.0/24 80
Pass EXT->Local UDP 0/0 1-10128
Am I missing anything obvious?
cheers,
Shamus
Message: 3
Date: Sun, 10 Feb 2013 13:07:26 -0600
From: Lists <mailto:li...@lonnie.abelbe
3
> Date: Sun, 10 Feb 2013 13:07:26 -0600
> From: Lists mailto:li...@lonnie.abelbeck.com)>
> Subject: Re: [Astlinux-users] Firewall
> To: AstLinux Users Mailing List (mailto:astlinux-users@lists.sourceforge.net)>
> Message-ID: (mailto:a40acf32-a2dd-4ee4-bd0e-a0ce64d0d...@l
Crap.
LOL
That's what I get for not paying attention.
LOL
Thank You,
Fernando Fuentes
DIGITALVOIPNET.COM
On Sun, Feb 10, 2013 at 1:07 PM, Lists wrote:
> Almost... it is...
>
> $ service iptables stop
>
> Access via the web interface again, add Pass EXT->Local rules for TCP
> 80,443,22 . Rest
Almost... it is...
$ service iptables stop
Access via the web interface again, add Pass EXT->Local rules for TCP 80,443,22
. Restart Firewall and you are back in business.
Lonnie
On Feb 10, 2013, at 12:22 PM, "Fernando F." wrote:
> Shamus,
>
> service stop iptables
> to start
> service sta
Shamus,
service stop iptables
to start
service start iptables
Thank You,
Fernando Fuentes
DIGITALVOIPNET.COM
On Sun, Feb 10, 2013 at 11:15 AM, Shamus Rask wrote:
> I'm running the latest version of AstLinux. A friend of mine recently got
> hacked and I've read about the hacking attempts on
I'm running the latest version of AstLinux. A friend of mine recently got
hacked and I've read about the hacking attempts on this list. Based on this, I
decided it was time to enable the firewall.
From the network tab; I enabled the firewall with all default settings. I am
no longer able to
To the group.
I have a customer with some interesting firewall rules. The problem that they
are noticing is that when the external ip address changes, the firewall needs
to be reset to forward the right ports to the DMZ. Any ideas?
### gui.firewall.conf - start ###
###
### Generic Firewall Rule
To the group
Coming from a network background, a golden rule is that you always separate the
firewall and you run as few applications as possible to reduce the risk of
internal compromise. Obviously this is not the case with AstLinux and I am
interested in how the group installs their systems a
Original Message-
From: "Dan Ryson"
Sent: Monday, November 29, 2010 11:31am
To: "AstLinux Users Mailing List"
Subject: Re: [Astlinux-users] Firewall Oddity
Lonnie,
Thanks for coming to my rescue. (Again.)
For the benefit of the list, I'll give a general answer. I
Lonnie,
Thanks for coming to my rescue. (Again.)
For the benefit of the list, I'll give a general answer. I'd prefer to
work privately for the specifics.
This is a Net5501 with WAN on Eth0. A NAT'd subnet, exclusive to
phones, is supported on Eth1. Office Internet traffic, along with a
Hi Dan,
In 0.7.4 the web interface uses a new internal format for the Firewall tab
(uses a ~ instead of a : for a delimiter to handle IPv6 addresses). The
transition from 0.7.3 to 0.7.4 is handled, but obviously 0.7.3 does not handle
the new 0.7.4 format. The good news is this is just the int
All,
First, thank you for all your efforts on 0.7.4. That's an impressive
list of changes.
I upgraded one PBX to 0.7.4 yesterday, rebooted, and restarted the
firewall. Sadly, it appears that at least one port-forward had stopped
working.
In order to quickly squelch a loud complaint, I dow
Hi Graham,
I gave the AIF mac-address-filter plugin a go, and it works perfectly for me.
First, use: MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses" as I suggested in
the plugin. (just good advice, not your problem)
Also, with the default: MAC_ADDRESS_LOG=1
Any packets blocked will be logged to
Thanks Lonnie,
the conf file is the same as the GUI loads and points to a file that exists and
is readable.
As an "aside" it looks like the allowed mac address file can have comments i.e.
00:11:22:33:44:55 #PC 1
00:11:22:33:44:56 #PC 2
00:11:22:33:44:57 #PC 3
Which is very use
Graham,
I never use the mac-address-filter plugin, so I will have to play with it
myself... I'll have to get back to you later.
Double check your
"/mnt/kd/arno-iptables-firewall/plugins/mac-address-filter.conf" file to make
sure it is correct, particularly the variable:
MAC_ADDRESS_FILE="/mnt
Hello Lonnie,
Can you explain this:
When the mac-address-filter plugin is disabled I can connect from a PC on lan2
(eth2) to the web interface of snom phones on lan1 (eth1).
When the plugin is enabled I can't any more even though I put the mac addr of
the PC, eth2 and eth1 (both - just to be sure
Graham,
There has been a long standing typo in Arno's Firewall comment for the
mac-address-filter plugin. The next AIF version fixes it and it now reads:
--
# Specify interfaces that the MAC Addresses Filter is applied (eg. INT_IF)
# ---
don't rely on mac address only
can do mac spoofing!
use something like captive portal and schedule it for out of office only
On 11/11/2010 10:03, Graham S. Jarvis wrote:
> Hello All,
>
> As if you haven't been hearing enough from me recently - here another "nearly
> newbie" question:
>
> I want
Hello All,
As if you haven't been hearing enough from me recently - here another "nearly
newbie" question:
I want to stop people on one of my interfaces (you guessed it - eth2/lan2) from
connecting to the Ethernet outside of office hours.
I don't know if it would be better to block by IP or MAC -
em up... make sure those ports (typically 5038) are locked down
in your firewall...
-Christopher
-Original Message-
From: Cleve Jansen [mailto:clev...@gmail.com]
Sent: Wednesday, October 13, 2010 7:45 PM
To: 'AstLinux Users Mailing List'
Subject: Re: [Astlinux-users] Firewal
this helps..
>
> Good Luck!!
>
> Cleve
>
> -Original Message-
> From: Dan Ryson [mailto:d...@ryson.org]
> Sent: Thursday, 14 October 2010 9:02 AM
> To: astlinux-users@lists.sourceforge.net
> Subject: Re: [Astlinux-users] Firewall Question
>
>
> On 10/13/2010
safe
presumption - at least with my present setup.
I'll continue tinkering and share any findings.
Cordially,
Dan
-Original Message-
From: "Cleve Jansen"
Sent: Wednesday, October 13, 2010 7:45pm
To: "'AstLinux Users Mailing List'"
Subject: Re: [Astli
implement and also a few others where I cannot
add fail2ban or CSF.
Hope this helps..
Good Luck!!
Cleve
-Original Message-
From: Dan Ryson [mailto:d...@ryson.org]
Sent: Thursday, 14 October 2010 9:02 AM
To: astlinux-users@lists.sourceforge.net
Subject: Re: [Astlinux-users] Firewall Que
On 10/13/10 3:02 PM, Dan Ryson wrote:
> On 10/13/2010 3:34 PM, Philip Prindeville wrote:
>> On 10/13/10 7:44 AM, Lonnie Abelbeck wrote:
>>> On Oct 13, 2010, at 9:15 AM, Dan Ryson wrote:
>>>
All,
I wonder if I may, once again, ask for your help.
Using the GUI to config
On 10/13/2010 3:34 PM, Philip Prindeville wrote:
>On 10/13/10 7:44 AM, Lonnie Abelbeck wrote:
>> On Oct 13, 2010, at 9:15 AM, Dan Ryson wrote:
>>
>>> All,
>>>
>>> I wonder if I may, once again, ask for your help.
>>>
>>> Using the GUI to configure the firewall, my intent was to open only one
>
Too late.
On 10/13/10 10:33 AM, Lonnie Abelbeck wrote:
> Dan,
>
> A new config variable, SIP_VOIP_REMOTE_HOSTS has been added to the sip-voip
> plugin in the next AIF.
>
> https://rocky.eld.leidenuniv.nl/trac/aif/changeset/434/
>
> Thanks for the suggestion.
>
> Lonnie
>
>
> On Oct 13, 2010, at
On 10/13/10 7:44 AM, Lonnie Abelbeck wrote:
> On Oct 13, 2010, at 9:15 AM, Dan Ryson wrote:
>
>> All,
>>
>> I wonder if I may, once again, ask for your help.
>>
>> Using the GUI to configure the firewall, my intent was to open only one
>> "Source IP" to port 5060, for an off-site IP phone. I'm d
That's fantastic, Lonnie.
Thank you for bringing this up with AIF. Hopefully, this will come to
fruition!
Dan
On 10/13/2010 1:33 PM, Lonnie Abelbeck wrote:
> Dan,
>
> A new config variable, SIP_VOIP_REMOTE_HOSTS has been added to the sip-voip
> plugin in the next AIF.
>
> https://rocky.eld.
Dan,
A new config variable, SIP_VOIP_REMOTE_HOSTS has been added to the sip-voip
plugin in the next AIF.
https://rocky.eld.leidenuniv.nl/trac/aif/changeset/434/
Thanks for the suggestion.
Lonnie
On Oct 13, 2010, at 10:26 AM, Dan Ryson wrote:
> So it's that simple? I really like simple.
>
So it's that simple? I really like simple.
Adaptive-ban has been very effective. However, since I only have the
one outside user, I'd also like to block the ports at the firewall.
Thanks as always for your insight.
Dan
On 10/13/2010 10:44 AM, Lonnie Abelbeck wrote:
> On Oct 13, 2010, at 9:
On Oct 13, 2010, at 9:15 AM, Dan Ryson wrote:
> All,
>
> I wonder if I may, once again, ask for your help.
>
> Using the GUI to configure the firewall, my intent was to open only one
> "Source IP" to port 5060, for an off-site IP phone. I'm depending on
> frequent & regular registration tra
All,
I wonder if I may, once again, ask for your help.
Using the GUI to configure the firewall, my intent was to open only one
"Source IP" to port 5060, for an off-site IP phone. I'm depending on
frequent & regular registration traffic to keep port 5060 open to
providers. Despite this, I s
On Jun 8, 2010, at 6:39 PM, Ionel Chila wrote:
> What would firewall rule any-any-any look like in my Astlinux config file. My
> Soekris box is behind a firewall already and all I want is to enable the
> Adaptive Ban Plugin for the SIP attacks
>
> Thanks anyone
If you want to allow all TC
What would firewall rule any-any-any look like in my Astlinux config file. My
Soekris box is behind a firewall already and all I want is to enable the
Adaptive Ban Plugin for the SIP attacks
Thanks anyone
But that's the problem, I didn't. Not until you suggested it later on.
While I originally had port 5060 configured in the plugin and being
used on the ATA, when that didn't work I changed the port on the ATA to
5061 and later on 5090. Both times without modifying the voip-sip
plug-in at all. An
If you had previously put 5090 into SIP_VOIP_PORTS then yes, that would
have persisted across firewall restarts.
Hence the need to reboot.
On 01/25/2010 09:33 AM, James Babiak wrote:
> Hey Everyone,
>
> Ok, so I think I got everything working. It was the voip-sip plugin
> that was causing the pr
Hey Everyone,
Ok, so I think I got everything working. It was the voip-sip plugin that was
causing the problem. I had to disable it altogether and then reboot the
astlinux box. Restarting only the firewall/iptables had no effect. It seems
like the plugin is broken, because if enabled, it will appa
Try adding 5090 to the port list, and reboot.
And yes, nf_conntrack_sip and nf_nat_sip *will* rewrite INVITE's.
Though usually only outbound. There's no reason to inbound.
On 01/24/2010 07:40 PM, Lonnie Abelbeck wrote:
> James,
>
> I also have a SPA-3102 (voice, no FAX) behind NAT, behind A
James,
I also have a SPA-3102 (voice, no FAX) behind NAT, behind AstLinux 0.7
---
SPA-3102 [SIP]
NAT Support Parameters
Handle VIA received: yes    Handle VIA rport: yes
Insert VIA received: yes    Insert VIA rport: yes
Substitute VIA Addr: no Send Resp To Src Port
Hey,
Thanks for the assistance everyone.
.
The reason why I left 5090 out of the firewall's SIP plugin was because
I am port forwarding 5090 directly to the ATA to keep Asterisk out of
the mix. When I initially began testing this, before I made any changes
on the ATA or Astlinux box, I had th
All you need is "/etc/init.d/iptables restart".
On 01/24/2010 04:01 PM, James Babiak wrote:
> I tried adding 5090 to the plugin, restarting firewall, and tested.
> Didn't work same 19.226.0.0 IP.
>
> Then I tried disabling the plugin altogether, restarting firewall, and
> tested. Still didn't wor
Ok, you're misunderstanding how the plugin works.
The signaling channel (SIP) terminates on your Asterisk box, and
Asterisk stays in the call for its duration.
5060 is the standard SIP port used by Asterisk (and most other SIP PBX's).
The plugin configures a netfilter connection-tracker to *also
On Jan 24, 2010, at 6:01 PM, James Babiak wrote:
> I tried adding 5090 to the plugin, restarting firewall, and tested. Didn't
> work same 19.226.0.0 IP.
>
> Then I tried disabling the plugin altogether, restarting firewall, and
> tested. Still didn't work with same result.
>
> I shouldn't nee
I tried adding 5090 to the plugin, restarting firewall, and tested.
Didn't work same 19.226.0.0 IP.
Then I tried disabling the plugin altogether, restarting firewall, and
tested. Still didn't work with same result.
I shouldn't need to restart the system for those changes to go into
effect, ri
Hey,
Yes, but only for UDP 5060, as this is the port that Asterisk is
listening on. I have 5090 configured for the ATA, but didn't enable it
in sip-voip.conf, figuring it's just being (supposedly) passed thru and
NAT'd.
Should I enable it for this port too or disable the plug-in altogether?
Have you enabled /etc/arno-iptables-firewall/plugins/sip-voip.conf ?
On 01/24/2010 01:11 PM, James Babiak wrote:
> Hey Everyone,
>
> I'm running into a weird issue, and hopefully someone can assist me in
> finding out what's going on.
>
> I'm running Astlinux 0.7 on a box serving as my router, a
Hey Everyone,
I'm running into a weird issue, and hopefully someone can assist me in
finding out what's going on.
I'm running Astlinux 0.7 on a box serving as my router, asterisk box and
openvpn server (and a few other things) and I've run into a seemingly
very unusual issue. I have an ATA set
On Apr 23, 2009, at 3:20 PM, David Kerr wrote:
> Anyone know what these messages in my syslog are for?
>
> Apr 23 15:53:40 pbx user.info kernel: AIF:Connect attempt: IN=eth0
> OUT= MAC=01:00:5e:00:00:01:00:0b:45:30:b8:01:08:00 SRC=73.165.40.1
> DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID
Anyone know what these messages in my syslog are for?
Apr 23 15:53:40 pbx user.info kernel: AIF:Connect attempt: IN=eth0
OUT= MAC=01:00:5e:00:00:01:00:0b:45:30:b8:01:08:00 SRC=73.165.40.1
DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=17003 PROTO=2
Apr 23 15:54:40 pbx user.info kernel: AIF:Conne
95 matches