[CentOS] Firewall frustration

Sun Jan 6 00:41:01 UTC 2008
Robert Moskowitz <rgm at htt-consult.com>


Christopher Chan wrote:
>> Now I have to hop over to the Asterisk list to figure out why with one 
>> firewall the INVITE properly redirects the RTP to the RTP server, and 
>> with the other firewall this is not in the INVITE so the RTP flow 
>> does not..... ARGH!!!!!
>>
>
> I hope you are not trying to get around a double nat situation. client 
> -> nat <-> nat <- asterisk.
>
> I never managed to get things to work in that scenario. I have a vpn 
> setup to get things to work.
No.  That is part of my frustration.  I have 64 publicly routed addresses.

My open net is 8 addresses, for 6 systems.  DSL router and so far 2 
firewalls standard (occasional honeypot).
I assigned 8 addresses for my VoIPnet.  All Trixboxes on VoIPnet have 2 
NICs.  Their second NIC is to a 192.168 addressed net with the various 
VoIP clients.

So I have a WRT54g running sveasoft with NAT turned off.  But even with 
NAT turned off, the box is basically brain-dead.  It would only allow 
the ONE server defined as the DMZ server to be accessed even when the 
firewall is disabled!  And I have 2 Trixboxes (part of my testing.  Have 
to learn DUNDI too).

So I now have a REAL firewall; well, CentOS with Shorewall.  And it 
seemed to be working, but the SIP/SDP INVITE when I have the sveasoft 
box has a redirect from the SIP server to the actual RTP server.  But 
with Shorewall, that information is NOT in the INVITE so the SIP server 
responds with an ICMP of no such port.  And so far I have not figured 
this out...