On 11/24/18 3:36 AM, Timo Sigurdsson wrote:
> Hi,
>
> I recently moved from AUTOHELPERS=Yes to AUTOHELPERS=No in my shorewall
> configuration and while I've got it working, I still don't fully
> understand how the manual helper assignment is supposed to be done
> correctly or why I needed to make one change in particular.
>
> So, with AUTOHELPERS=Yes, the following rules in shorewall6/rules were
> sufficient to get VOIP working:
> ACCEPT voip net udp 3478,5060
> ACCEPT net voip udp 5060
>
> (Note: This is shorewall6, so NAT is not involved here.)
>
> After setting AUTOHELPERS=No, I added a HELPER line for sip. But that
> didn't seem to be sufficient. Signaling worked, but the audio stream
> was blocked when using one of my two SIP providers. Only after adding
> another accept rule for outgoing traffic could I get VOIP calls with
> both providers working again. Now my rules look like this:
> HELPER voip - udp 5060 { helper=sip }
> ACCEPT voip net udp 3478,5060
> ACCEPT voip net udp - 7078-7097
> ACCEPT net voip udp 5060
>
> The UDP port range 7078-7079 is what my SIP device's documentation
> recommends opening in the firewall. But I don't understand why this rule
> was not necessary when AUTOHELPERS=Yes was used, but seems to be
> necessary when I try to assign the HELPER manually.
>
> Can someone explain this change in behavior? Or how do I attach the
> HELPER manually to replicate the behavior of AUTOHELPERS?
>
> For the record: I've also tried using both ports 3478 and 5060 in the
> HELPER rule, but that didn't make a difference. The other
> helper-related settings in my shorewall configuration (both shorewall
> and shorewall6) are HELPERS=sip and LOAD_HELPERS_ONLY=Yes.
>
> And one more question regarding the documentation:
> The man page shorewall-rules says:
> "No destination zone should be specified in HELPER rules."
>
> But the page http://shorewall.org/Helpers.html shows an example
> rule at the end that has the DEST zone set:
> HELPER all net tcp 21 ; helper=ftp
>
> Is that a mistake or can the DEST zone be specified in HELPER rules?
> In general, I'd like my rules to be as specific as possible, so,
> naturally, I'd have specified net as the DEST zone of my sip HELPER
> rule, but I didn't because of the statement in the man page.

What I recommend after setting AUTOHELPERS=No, is to simply add this to your /etc/shorewall/conntrack file:

CT:helper:sip:PO - - udp 5060

That is all that AUTOHELPERS=Yes does for SIP.

-Tom

--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \   understand
                          \_______________________________________________

Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
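As an added example (not from the thread and not Shorewall's own code): once the conntrack entry Tom describes is in place, a quick way to confirm the switch from AUTOHELPERS=Yes did not silently drop helper assignment is to look for the resulting CT rules in the raw table. The check below assumes Shorewall compiles `CT:helper:sip:PO - - udp 5060` into iptables `-j CT --helper sip` rules in the PREROUTING and OUTPUT chains (the "P" and "O" of "PO"), and that `iptables -t raw -S` output is available to pipe into it. The ruleset text embedded in the block is constructed sample output, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of Shorewall.
# On a live host run:   iptables -t raw -S | check_sip_helper
# Here the ruleset is a constructed sample so the script runs offline.

# ct_helper_present CHAIN HELPER PORT  (reads an iptables -S ruleset on stdin)
# Returns 0 if CHAIN has a "-j CT --helper HELPER" rule for udp dport PORT.
ct_helper_present() {
    chain=$1
    helper=$2
    port=$3
    grep -E -q -e "^-A ${chain} .*-p udp .*--dport ${port} .*-j CT --helper ${helper}( |$)"
}

# check_sip_helper  (reads an iptables -t raw -S ruleset on stdin)
# Reports both chains the CT:helper:sip:PO entry is meant to cover and
# returns 0 only if the sip helper is attached to udp/5060 in each of them.
check_sip_helper() {
    rules=$(cat)
    rc=0
    for chain in PREROUTING OUTPUT; do
        if printf '%s\n' "$rules" | ct_helper_present "$chain" sip 5060; then
            echo "$chain: sip helper attached to udp/5060"
        else
            echo "$chain: no sip helper rule for udp/5060"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: what the raw table should look like after the
# conntrack entry is compiled (helper on both chains).
SAMPLE_OK='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip'

# Constructed sample of a half-applied setup: helper only on PREROUTING,
# so locally originated SIP signalling would not get the helper.
SAMPLE_MISSING='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip'

main() {
    echo "== sample 1 (complete) =="
    printf '%s\n' "$SAMPLE_OK" | check_sip_helper
    echo "== sample 2 (OUTPUT missing) =="
    printf '%s\n' "$SAMPLE_MISSING" | check_sip_helper || echo "sample 2 fails the check, as expected"
}

main
```

The regex is deliberately anchored on the chain name and on the `-j CT --helper` target, so an ordinary ACCEPT rule for udp/5060 in the filter table is not mistaken for helper assignment; that distinction is exactly the one the original question turned on.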
