Sip-Aware firewall


#1

Hi,

I use Shorewall as a firewall on my Asterisk box, but I am having trouble configuring the rules. The only way I have found to get all my SIP calls working correctly is to allow all ports to be open, which I think is not acceptable.

I thought a good way to get rid of all this might be using a SIP-aware firewall. Does anybody use any kind of SIP-aware firewall? Or could somebody explain how to configure my Shorewall to work fine while remaining risk-free?

Thanks in advance

Daniel


#2

Are you forwarding your RTP ports also?

You need to forward UDP port 5060 (the SIP control channel) to the Asterisk box, as well as a range of at least 100 UDP ports that you can define in /etc/rtp.conf. Then set externip= and localnet= and you’re set.


#3

Thanks for your reply.

As I said, the firewall is installed on the Asterisk box, i.e., it’s a stand-alone Linux, Asterisk and firewall machine. So, forwarding RTP ports to the same machine …?

In rtp.conf, the following are defined:

rtpstart=10001
rtpend=20000

and even when I define

ACCEPT net fw udp 5060, 10001:20000

in /etc/shorewall/rules

it doesn’t work.

Any idea?

Daniel


#4

It’s been a long time since I even looked at Shorewall …

Should it be $FW?

I also forward/accept UDP 5004 and UDP & TCP 3478 for one provider. Have you asked yours what ports you need to accept?
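A /etc/shorewall/rules fragment for the setup discussed in #2 to #4, written here as an added example rather than any poster’s configuration: the SIP port and the RTP range from rtp.conf are accepted into the firewall zone using $FW, first from the whole net zone and then narrowed to the SIP provider’s address (203.0.113.10 is a placeholder, not a real provider).

```conf
# /etc/shorewall/rules fragment (added example, not from the thread above)
# Columns: ACTION  SOURCE            DEST   PROTO  DEST PORT(S)

# Weak (shown commented out): accepts SIP signalling and the entire RTP
# range from any host on the Internet, so every address can reach the
# PBX directly on 10000 UDP ports.
#ACCEPT  net               $FW    udp    5060
#ACCEPT  net               $FW    udp    10001:20000

# Tighter: same ports, but only from the SIP provider’s address.
# 203.0.113.10 is a placeholder; substitute the provider’s real IP(s),
# one ACCEPT pair per address.  The RTP range must match rtpstart and
# rtpend in Asterisk’s rtp.conf (10001 and 20000 in the thread).
ACCEPT   net:203.0.113.10  $FW    udp    5060
ACCEPT   net:203.0.113.10  $FW    udp    10001:20000
```

Keep the port list and the range in the single DEST PORT(S) column with no spaces, since Shorewall splits the rule into columns on whitespace.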


#5

If you don’t have Linux experience, then the best SIP-aware firewall is

Astaro.com

If you have a spare machine to load Linux on, then:

Gentoo (personal pref) + siproxy: siproxd.sourceforge.net/


#6

Or you can use m0n0wall: http://m0n0.ch/wall It will fit on a 64MB CF card and works with almost any hardware, including USB NICs. We have used it a few times with great success.