I use Shorewall as a firewall on my Asterisk box, but I am having trouble configuring the rules. The only way I have found to make all my SIP calls work correctly is to leave all ports open, which I think is not acceptable.
I thought a good way to get rid of all this might be to use a SIP-aware firewall. Does anybody use any kind of SIP-aware firewall? Or could somebody explain how to configure my Shorewall so that it works while remaining risk-free?
You need to forward UDP port 5060 (the SIP control channel) to the Asterisk box, as well as a range of at least 100 UDP ports that you can define in /etc/rtp.conf. Then set externip= and localnet= and you're set.
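An added example (not from any poster in this thread) of what the answer above looks like as Shorewall and Asterisk configuration when the firewall and Asterisk share one host, as the original poster describes. Assumptions: the Shorewall zones are the default `net` and `$FW`, the RTP range is 10000-10099 (so at least 100 ports), the Asterisk files live at /etc/asterisk/rtp.conf and /etc/asterisk/sip.conf, and the public address and LAN range (192.0.2.10, 192.168.1.0/24) are placeholders.

```text
# /etc/shorewall/rules
# Firewall and Asterisk are the same machine, so the traffic is ACCEPTed
# into the firewall zone ($FW) rather than DNATed to another host.
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    net      $FW    udp     5060          # SIP signalling
ACCEPT    net      $FW    udp     10000:10099   # RTP media; must match rtp.conf

; /etc/asterisk/rtp.conf
; The range here is what the Shorewall rule above opens; keep the two in sync.
[general]
rtpstart=10000
rtpend=10099

; /etc/asterisk/sip.conf
; externip is the public address written into SDP/Contact headers;
; localnet tells Asterisk which peers are on the LAN and need no rewriting.
[general]
externip=192.0.2.10          ; placeholder public IP
localnet=192.168.1.0/255.255.255.0   ; placeholder LAN range
```

Two practitioner notes: the RTP range in the rules file has to equal rtpstart..rtpend exactly, otherwise calls connect but have one-way or no audio, which is the symptom that pushes people into opening everything. And if your calls only ever come from one SIP provider, Shorewall lets you narrow the SOURCE column to that provider's address (for example `net:203.0.113.10`, a placeholder) so that UDP 5060 is not reachable by the SIP scanners that probe the whole internet.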
As I said, the firewall is installed on the Asterisk box, i.e., it's a stand-alone Linux, Asterisk and firewall machine. So, forwarding RTP ports to the same machine ...?
Or you can use m0n0wall: http://m0n0.ch/wall It will fit on a 64MB CF card and works with almost any hardware, including USB NICs. We have used it a few times with great success.