Hi Eric,

Eric Teeter wrote on 24.11.2018 15:03:
> On 11/24/18 5:36 AM, Timo Sigurdsson wrote:
>> Hi,
>>
>> I recently moved from AUTOHELPERS=Yes to AUTOHELPERS=No in my shorewall
>> configuration and while I've got it working, I still don't fully
>> understand how the manual helper assignment is supposed to be done
>> correctly or why I needed to make one change in particular.
>>
>> So, with AUTOHELPERS=Yes, the following rules in shorewall6/rules were
>> sufficient to get VOIP working:
>>    ACCEPT          voip            net             udp     3478,5060
>>    ACCEPT          net             voip            udp     5060
>>    
>> (Note: This is shorewall6, so NAT is not involved here.)
>>    
>> After setting AUTOHELPERS=No, I added a HELPER line for sip. But that
>> didn't seem to be sufficient. Signaling worked, but the audio stream
>> was blocked when using one of my two SIP providers. Only after adding
>> another accept rule for outgoing traffic could I get VOIP calls with
>> both providers working again. Now my rules look like this:
>>    HELPER          voip            -               udp     5060    { helper=sip }
>>    ACCEPT          voip            net             udp     3478,5060
>>    ACCEPT          voip            net             udp     -       7078-7097
>>    ACCEPT          net             voip            udp     5060
>>
>> The UDP port range 7078-7079 is what my SIP device's documentation
>> recommends opening in the firewall. But I don't understand why this rule
>> was not necessary when AUTOHELPERS=Yes was used, but seems to be
>> necessary when I try to assign the HELPER manually.
>>
>> Can someone explain this change in behavior? Or how do I attach the
>> HELPER manually to replicate the behavior of AUTOHELPERS?
>>
>> For the record: I've also tried using both ports 3478 and 5060 in the
>> HELPER rule, but that didn't make a difference. The other helper-
>> related settings in my shorewall configuration (both shorewall and
>> shorewall6) are HELPERS=sip and LOAD_HELPERS_ONLY=Yes.
>>
>> And one more question regarding the documentation:
>> The man page shorewall-rules says:
>>    "No destination zone should be specified in HELPER rules."
>>
>> But the page http://shorewall.org/Helpers.html shows an example
>> rule at the end that has the DEST zone set:
>>    HELPER    all     net     tcp     21      ; helper=ftp
>>
>> Is that a mistake or can the DEST zone be specified in HELPER rules?
>> In general, I'd like my rules to be as specific as possible, so,
>> naturally, I'd have specified net as the DEST zone of my sip HELPER
>> rule, but I didn't because of the statement in the man page.
>>
>> Thanks!
>>
>> Kind regards,
>>
>> Timo
>>
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
> When I used Asterisk they also had a stream port for the phones of 
> 10000-20000 udp for them to directly communicate. Check to see what your 
> VOIP needs for the phones.

The stream ports seem to be udp 7078-7097 in my case. If I allow outgoing
traffic on these ports, everything works fine. But my question is why I
didn't have to do this before when I was still using AUTOHELPERS=Yes.
To me it looks like shorewall's autohelper logic automatically associated
these streams with the established connection on port 5060, but with the
manual HELPER assignment, I have to allow this outgoing traffic on udp
7048-7097 explicitly or else it will be blocked.

Don't get me wrong: I don't have a problem with the current ruleset. If
it works this way, that's fine for me. I just don't understand why I had
to do it this way or if that was even the right way to set it up. And
usually I prefer to understand what's happening ;)

Btw, I've also tested what happens if I don't load the sip helper at all.
Then calls don't work anymore. So the helper still seems to do something.


Thanks,

Timo

P.S.: I forgot to mention earlier which version of shorewall I'm using,
so here it is: shorewall 5.0.15.6 on Debian Stretch.
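One way to check whether the sip helper is actually attached to the signaling connection and is creating expectations for the RTP ports, rather than guessing from whether calls work: parse the output of `conntrack -L` and `conntrack -L expect` on the firewall. This is an added example, not code from the thread or from Shorewall; the sample lines are constructed in the style of conntrack's output (the exact field layout is an assumption), with the poster's ports (5060 signaling, 7078-7097 media).

```python
import re

# Constructed sample lines in the style of `conntrack -L` and `conntrack -L expect`
# (field layout is an assumption; not output from the poster's firewall).
# Signaling from the voip host to the provider on udp/5060 with the sip helper
# attached, plus the two RTP expectations the helper registered for the call.
CONNTRACK_SAMPLE = """\
udp      17 170 src=2001:db8:1::10 dst=2001:db8:2::5 sport=5060 dport=5060 src=2001:db8:2::5 dst=2001:db8:1::10 sport=5060 dport=5060 [ASSURED] mark=0 helper=sip use=1
udp      17 30 src=2001:db8:1::10 dst=2001:db8:3::9 sport=3478 dport=3478 src=2001:db8:3::9 dst=2001:db8:1::10 sport=3478 dport=3478 mark=0 use=1
"""
EXPECT_SAMPLE = """\
299 proto=17 src=2001:db8:2::5 dst=2001:db8:1::10 sport=0 dport=7078 master-src=2001:db8:1::10 master-dst=2001:db8:2::5 sport=5060 dport=5060 class=0 helper=sip
299 proto=17 src=2001:db8:2::5 dst=2001:db8:1::10 sport=0 dport=7079 master-src=2001:db8:1::10 master-dst=2001:db8:2::5 sport=5060 dport=5060 class=0 helper=sip
"""

KV = re.compile(r"(\S+?)=(\S+)")

def parse_line(line):
    """Return the first value seen for each key=value token (original direction wins)."""
    fields = {}
    for key, value in KV.findall(line):
        fields.setdefault(key, value)
    return fields

def parse(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def signaling_helper_attached(conntrack_text, port=5060, helper="sip"):
    """True if a conntrack entry to the signaling port carries the expected helper."""
    return any(e.get("dport") == str(port) and e.get("helper") == helper
               for e in parse(conntrack_text))

def expected_media_ports(expect_text, lo=7078, hi=7097, helper="sip"):
    """Media ports in [lo, hi] for which the helper registered an expectation."""
    ports = {int(e["dport"]) for e in parse(expect_text)
             if e.get("helper") == helper and "dport" in e}
    return sorted(p for p in ports if lo <= p <= hi)

def check(conntrack_text, expect_text, lo=7078, hi=7097):
    ports = expected_media_ports(expect_text, lo, hi)
    return {
        "signaling_helper_attached": signaling_helper_attached(conntrack_text),
        "expected_media_ports": ports,
        # Without expectations the media stream is not RELATED to the call and
        # only passes through an explicit ACCEPT on the port range.
        "needs_explicit_media_accept": not ports,
    }

if __name__ == "__main__":
    print(check(CONNTRACK_SAMPLE, EXPECT_SAMPLE))
```

If the helper shows on the 5060 entry but no expectations appear during a call, the helper is loaded but not parsing the SDP for that provider, which is the situation where the explicit port-range ACCEPT is what keeps audio working.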
