Please help configure my firewall


(Matthieu Gaillet) #1

NethServer Version: 7
Module: firewall

Hi,

Our SIP provider requests that we do the following in order to allow SIP traffic between us and them:

  • Ask the person who manages your router/firewall to allow outgoing traffic to the IP range: 37.59.194.64/27 (/27 means that the subnet mask is 255.255.255.224)
  • If the router/firewall supports QoS (Quality of Service), assign a higher priority to the traffic exchanged with our IP range
  • Some routers also include a feature called SIP ALG (http://en.wikipedia.org/wiki/Application-level_gateway). Our experience shows that SIP ALG is often poorly implemented on low-cost routers and that it is better to disable SIP ALG
  • Make sure that the default NAT session timeout is > 30 seconds

I created these rules:

(Those are the ports used by VOIP traffic)

Still, I get these messages in the logs:

Sep  6 15:33:17 serveur kernel: Shorewall:net2fw:DROP:IN=enp3s6f0 OUT= MAC=00:1b:21:ae:42:32:38:10:d5:c3:84:26:08:00 SRC=37.59.194.81 DST=192.168.178.23 LEN=200 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=19352 DPT=11780 LEN=180 MARK=0x10000 

192.168.178.23 being my RED interface.

What am I doing wrong?

Thanks

Matthieu


(Paul Woodhouse) #2

Umm, it seems your RED interface is an internal class C network; sure that's not the GREEN one?


(Giacomo Sanchietti) #3

Outgoing traffic is open by default.

I think you’re talking about the nf_conntrack_sip kernel module, which should already be loaded.
We haven’t experienced any problem so far on our installations (@Stll0 can correct me if I’m wrong).

SIP packets already have the correct TOS which is honored.

Just check:

cat /proc/sys/net/netfilter/nf_conntrack_udp_timeout

I don’t really know, because you didn’t explain the problem :blush:
AFAIK you don’t need to do any modification on the firewall.


(Paul Woodhouse) #4

I suspect the server is configured incorrectly in networking, there is no way a 192.168.x.x address should be on the RED port. What IP address does the green port have?


(Matthieu Gaillet) #5

Actually not. Because I wasn’t able to create a PPPoE connection directly from NS to my provider, I had to use the one embedded in the DSL modem. I configured it wide open (DMZ mode).

There is certainly a double NAT issue, but until now no real-world problem AFAIK. Still investigating why I can’t connect directly through PPPoE though.


(Matthieu Gaillet) #6

Hi Giacomo,

I know most of the requirements were already fulfilled. The issue is that some packets are still blocked by the firewall:

Thanks for your insight.


(Eddie Atherton) #7

That appears to be an attempt to connect to port 11780 on the firewall itself. Is the application listening for the SIP traffic running on the NS server, or behind it? If behind, then you need a port forward rule for 11780.

Cheers.


(Matthieu Gaillet) #8

Thanks.

Indeed, the port 11780 is the one where the VOIP phone is listening.

However, it is impossible to know beforehand which phone will listen on which port: the assignment is dynamic and part of the SIP protocol when establishing the call.

That said, everything is working correctly; this is just for the sake of learning something :wink:


(Rob Bosch) #9

Do you have Double NAT on your network? Then you have 2 firewalls/gateways to configure.

Internet - ISP router - NethServer - Local Lan

External IP address on RED interface of ISP router
Internal IP address on GREEN interface of ISP router: 192.168.178.0/24 subnet
External IP address on RED interface of NS: 192.168.178.23
Internal IP address on GREEN interface of NethServer (subnet for local LAN)

If possible you could ask your ISP to put the router in bridge mode so your NS gets an external IP address;
otherwise you have to do the correct port forwarding on your ISP router and also open the ports on the ISP router to make the connection. Theoretically double NAT shouldn’t be a showstopper.

/edit: I should read the whole thread before posting… lol