I don't think it's as easy as you suggest... if you map all inbound 5060 to
5080 it won't work. You would have to map all of a source IP of your ITSP
to destination 5060/udp in to 5080/udp.
Joegen has something coming for that... I don't think it made it to 4.4. I
think there was a conflict in
it needs to be able to specify the source ip('s) and/or network(s) too...
On Sun, Apr 17, 2011 at 3:12 PM, Michael Scheidell
wrote:
> On 4/17/11 8:20 AM, Michael Picher wrote:
>
> There are a couple other initiatives that will also help address this:
>
> http://track.sipfoundry.org/browse/XX-9447
On 4/17/11 8:20 AM, Michael Picher wrote:
There are a couple other initiatives that will also help address this:
http://track.sipfoundry.org/browse/XX-9447
- We just couldn't get this in to 4.4... but hopefully will be in
the soon to follow 4.6
http://track.sipfoundry.org/browse/XX-9435
s
There are a couple other initiatives that will also help address this:
http://track.sipfoundry.org/browse/XX-9447
- We just couldn't get this in to 4.4... but hopefully will be in the
soon to follow 4.6
http://track.sipfoundry.org/browse/XX-9435
Thanks,
Mike
On Tue, Apr 12, 2011 at 8:02 AM
Thank you all for your comments, now trying to figure out what we can do
about those.
Eda
On Tue, Apr 12, 2011 at 4:12 PM, Michael Scheidell <
michael.scheid...@secnap.com> wrote:
> On 4/12/11 8:57 AM, Gerald Drouillard wrote:
>
> On 4/12/2011 7:46 AM, Eda Ercan wrote:
>
> Hi all,
>
> Regardin
On 4/12/11 8:57 AM, Gerald Drouillard wrote:
On 4/12/2011 7:46 AM, Eda Ercan wrote:
Hi all,
Regarding this http://track.sipfoundry.org/browse/XX-5197 issue to
create a framework for managing iptables rules, a UI will be added to
the patch attached to this issue. I've added a UI mockup to the
On 4/12/2011 7:46 AM, Eda Ercan wrote:
Hi all,
Regarding this http://track.sipfoundry.org/browse/XX-5197 issue to
create a framework for managing iptables rules, a UI will be added to
the patch attached to this issue. I've added a UI mockup to the issue.
Can you have a look at this mockup and
The sip rules (IMO) need to have a cps feature if the source is not trusted.
It would be desirable (imo) for the framework rules to auto setup ports
12000/5269/5222 etc. for related services if enabled.
Is there any feature to disallow certain ua's or auto blacklist?
=
Tony G
Hi all,
Regarding this http://track.sipfoundry.org/browse/XX-5197 issue to create a
framework for managing iptables rules, a UI will be added to the patch
attached to this issue. I've added a UI mockup to the issue. Can you have a
look at this mockup and give me feedback if this makes sense?
In F
On Sat, 2 Oct 2010 06:58:11 +0200, Rene Pankratz wrote:
> Mike, these commands should do what you want:
> # Use this to clear all iptables rules and allow everything:
> # iptables --flush
Thanks, that is very appreciated.
Mike
___
sipx-users mailing lis
> You can easily set up iptables to allow only certain external addresses to
> communicate with ports 80/8443. The critical thing is to ensure that you
> don't block communications that uses transient ports, and sipXecs does so
> for SIP and RTP. Most iptables configurations block everything but
Mike, these commands should do what you want:
# Use this to clear all iptables rules and allow everything:
# iptables --flush
# allow 192.168.1.101 to 192.168.1.105 to access configserver
iptables -A INPUT -p tcp --src 192.168.1.101 --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp --src 192.168.1.1
From: sipx-users-boun...@list.sipfoundry.org
[sipx-users-boun...@list.sipfoundry.org] On Behalf Of m...@grounded.net
[m...@grounded.net]
I've noticed that iptables on sipx is always disabled when I install a server.
I was wondering if there are any probl
> If you have sipxecs behind a firewall you could certainly limit it there.
It's behind a firewall, lan side users need access to their controls.
In my application, I just want to use iptables to allow SIP/RTP and other
services as usual but limit 80/8443 to specific clients.
_
inly do this manually.
>
> --martin
>
>
> > -Original Message-
> > From: sipx-users-boun...@list.sipfoundry.org [mailto:sipx-users-
> > boun...@list.sipfoundry.org] On Behalf Of m...@grounded.net
> > Sent: Monday, September 20, 2010 9:43 AM
> > To: sipx
> I think all we would need is a correctly configured iptables firewall. See
> here: http://track.sipfoundry.org/browse/XX-5197
> You can certainly do this manually.
Thanks. Wasn't sure if there might be some issues. Typically, on phone systems,
iptables aren't used but I want to allow all traff
> boun...@list.sipfoundry.org] On Behalf Of m...@grounded.net
> Sent: Monday, September 20, 2010 9:43 AM
> To: sipx-users
> Subject: [sipx-users] iptables
>
> I've noticed that iptables on sipx is always disabled when I install a
> server.
>
> I was wondering if there are any
I've noticed that iptables on sipx is always disabled when I install a server.
I was wondering if there are any problems with using iptables? I have a
requirement where I wish only certain clients to have access to port 80/8443
and want to use iptables to allow/deny access to these ports.
Thank
it doesn't matter what port the itsp sends to you on as long as they don't
send to the same public ip that remoter use.
even in the templates you are sending to them on port 5060. "they" don't
care, sipxbridge is the only CARING thing and that is for the INVITE for
incoming ITSP calls, ONLY.
On Fri,
but the return RTP traffic would match the iptables filter, right?
wouldn't it be redirected to port 5080?
guess it's time to test voip.ms as a static authentication.
(no, I don't want to call them to have them send to port 5080. I want
them to send to 5060 and have the iptable rule send to 5080
ael Scheidell
> [mailto:michael.scheid...@secnap.com]
>
> *Sent:* Friday, August 20, 2010 1:19 PM
> *To:* Sven Evensen
> *Cc:* sipx-users@list.sipfoundry.org
> *Subject:* Re: [sipx-users] iptables experts: port forwarding.
>
>
>
> noop, that didn't do it.
> remember, th
ugust 20, 2010 1:19 PM
*To:* Sven Evensen
*Cc:* sipx-users@list.sipfoundry.org
*Subject:* Re: [sipx-users] iptables experts: port forwarding.
noop, that didn't do it.
remember, this is behind a firewall already, iptables isn't doing natting.
ran system-config-securitylevel-tui
enabled fi
:* Re: [sipx-users] iptables experts: port forwarding.
noop, that didn't do it.
remember, this is behind a firewall already, iptables isn't doing natting.
ran system-config-securitylevel-tui
enabled firewall.
edited /etc/sysconfig/iptables to be what you had (ip's changed)
restarted i
1:19 PM
To: Sven Evensen
Cc: sipx-users@list.sipfoundry.org
Subject: Re: [sipx-users] iptables experts: port forwarding.
noop, that didn't do it.
remember, this is behind a firewall already, iptables isn't doing
natting.
ran system-config-securitylevel-tui
enabled firewall.
edited
>> :POSTROUTING ACCEPT [0:0]
>>
>> -A PREROUTING -p udp --dport 5060 -s 217.37.32.162 -i eth+ -j DNAT
>> --to 10.227.122.31:5080
>>
>> COMMIT
>>
>>
--------
>>
>> *From:* sipx-users-bo
ichael Scheidell
*Cc:* sipx-users@list.sipfoundry.org users
*Subject:* Re: [sipx-users] iptables experts: port forwarding.
The startup script for sipx checks to see if iptables is running,
because it is automatically "problematic" if it is...
On Thu, Aug 19, 2010 at 11:14 PM, Michael Scheidell
m
alright, I did say I was stupid, right?
I edited /etc/sysconfig/system-config-securitylevel and put that in
below (ips changed of course)
do /etc/init.d/iptables start
then ./status
and get:
Firewall is stopped.
iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source
Perfect this needs to be in the wiki
--
Michael Scheidell, CTO
SECNAP Network Security
-Original message-
From: Sven Evensen
To: Tony Graziano , Michael Scheidell
Cc: sipx-users@list.sipfoundry.org
Sent: Fri, Aug 20, 2010 09:24:37 GMT+00:00
Subject: RE: [sipx-users] iptables
;sipx-users@list.sipfoundry.org users"
Sent: Fri, Aug 20, 2010 07:17:37 GMT+00:00
Subject: Re: [sipx-users] iptables experts: port forwarding.
The startup script for sipx checks to see if iptables is running, because it
is automatically "problematic" if it is...
On Thu, Aug 19, 2010
oundry.org] *On Behalf Of *Tony Graziano
> *Sent:* 20 August 2010 08:18
> *To:* Michael Scheidell
> *Cc:* sipx-users@list.sipfoundry.org users
> *Subject:* Re: [sipx-users] iptables experts: port forwarding.
>
>
>
> The startup script for sipx checks to see if iptables is
Sent: 20 August 2010 08:18
To: Michael Scheidell
Cc: sipx-users@list.sipfoundry.org users
Subject: Re: [sipx-users] iptables experts: port forwarding.
The startup script for sipx checks to see if iptables is running, because
it is automatically "problematic" if it is...
On Thu, Aug 19,
The startup script for sipx checks to see if iptables is running, because it
is automatically "problematic" if it is...
On Thu, Aug 19, 2010 at 11:14 PM, Michael Scheidell <
michael.scheid...@secnap.com> wrote:
> It just occurred to me that sipx on centos has iptables. maybe not
> active, but it
It just occurred to me that sipx on centos has iptables. maybe not
active, but it's got it.
can I use iptables, internally, without involving natting to do
selective port forwarding.
example:
private ip address of 192.168.0.2 sipx.secnap.com.
public ip of ITSP: 4.2.2.2
I want to do somethin