Cannot remove shorewall modules

I am not familiar with h323. Can it be a problem?
Or, can conntrack be a problem?

[root@neth ~]# lsmod|grep sip
[root@neth ~]# lsmod|grep h323
nf_nat_h323            17720  0 
nf_conntrack_h323      73895  5 nf_nat_h323
nf_nat                 26583  10 nf_nat_ftp,nf_nat_irc,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack          139264  27 nf_nat_ftp,nf_nat_irc,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_nat,xt_state,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
[root@neth ~]#

BTW, I cannot remove it to test as it is used by nf_nat

[root@neth ~]# rmmod nf_conntrack
rmmod: ERROR: Module nf_conntrack is in use by: nf_nat_ftp nf_nat_irc nf_nat_amanda xt_CT nf_nat_snmp_basic nf_conntrack_netbios_ns nf_conntrack_proto_gre nf_nat xt_state nf_nat_h323 nf_nat_ipv4 nf_nat_pptp nf_nat_tftp xt_conntrack nf_conntrack_amanda nf_nat_masquerade_ipv4 nf_conntrack_netlink nf_conntrack_broadcast xt_connmark nf_conntrack_ftp nf_conntrack_irc nf_conntrack_h323 nf_conntrack_ipv4 nf_conntrack_pptp nf_conntrack_sane nf_conntrack_snmp nf_conntrack_tftp
[root@neth ~]#
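The "in use by" error above, as an added example that is not part of the original post: a Python sketch that reads `lsmod` output and works out which modules would have to be unloaded before a target module. `SAMPLE` is constructed (trimmed from the output above, with made-up sizes and counts for `xt_nat` and `xt_state`), and the function names are hypothetical. It assumes that a "Used by" count higher than the number of listed modules means something other than a module (for example a loaded firewall rule) also holds a reference.

```python
# Added example: derive an unload order from lsmod output.
# SAMPLE is constructed, trimmed from the listing in the thread.
SAMPLE = """\
nf_nat_h323            17720  0
nf_conntrack_h323      73895  5 nf_nat_h323
nf_nat                 26583  2 nf_nat_h323,xt_nat
xt_nat                 12681  3
nf_conntrack          139264  4 nf_nat,nf_nat_h323,nf_conntrack_h323,xt_state
xt_state               12578  6
"""

def parse_lsmod(text):
    """Return {module: (refcount, [modules that hold it])}."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].isdigit():
            continue  # skip the header line and shell prompts
        holders = parts[3].split(",") if len(parts) > 3 else []
        mods[parts[0]] = (int(parts[2]), [h for h in holders if h])
    return mods

def unload_order(mods, target):
    """Post-order walk over holders: dependents first, target last."""
    order, seen = [], set()
    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for holder in mods.get(name, (0, []))[1]:
            visit(holder)
        order.append(name)
    visit(target)
    return order

def pinned(mods, names):
    """Modules with more references than listed holders (assumed non-module users)."""
    return {n: mods[n][0] - len(mods[n][1]) for n in names
            if n in mods and mods[n][0] > len(mods[n][1])}

if __name__ == "__main__":
    mods = parse_lsmod(SAMPLE)
    order = unload_order(mods, "nf_conntrack")
    print("unload order:", " ".join(order))
    for name, extra in pinned(mods, order).items():
        print(f"{name}: {extra} reference(s) not explained by modules")
```

Modules reported by `pinned` will still refuse `rmmod` until whatever else references them (typically the loaded firewall ruleset) is gone.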

Only if you still use h323 instead of SIP.

It seems that your shorewall does not load the conntrack sip module, so it could block SIP in one way.

Is there a way to get notified when the version that includes this feature is released?

1 Like

Everything is under control, please relax and take a breath :smiley:

Quite interesting. I checked the latest updates to see if anything is related to the firewall. Nothing related until an update from one month earlier. The problem is very new.

Now, I cannot understand why our server cannot reach the other side, as I can ping and traceroute and all works nicely. Just the SIP trunk is not getting registered.

Error I read is:
Destination (sip:188.132.208.13:5060;lr) is not reachable, DNS error resolving FQDN, or service is not available.

The service provider claims our packets are not arriving at their servers.

Not a firewall guy, you should open a new thread and gather information.

Reboot the firewall
Check the sip rule port exists in iptables
Check the firewall.log

The problem turned out not to be related to an update, a setup parameter, or the firewall.

It turned out some router along the way to our SIP service provider's IP is not routing SIP packets.

Our provider sent us a new IP number and everything started to work again.

Yet, I will be making snapshots of the VM NethServer is running on before applying updates in the future :slight_smile:

2 Likes