Hi Tom,

Tom Eastep wrote on 24.11.2018 20:13:
> On 11/24/18 3:36 AM, Timo Sigurdsson wrote:
>> Hi,
>>
>> I recently moved from AUTOHELPERS=Yes to AUTOHELPERS=No in my shorewall
>> configuration and while I've got it working, I still don't fully
>> understand how the manual helper assignment is supposed to be done
>> correctly or why I needed to make one change in particular.
>>
>> So, with AUTOHELPERS=Yes, the following rules in shorewall6/rules were
>> sufficient to get VOIP working:
>> ACCEPT voip net udp 3478,5060
>> ACCEPT net voip udp 5060
>>
>> (Note: This is shorewall6, so NAT is not involved here.)
>>
>> After setting AUTOHELPERS=No, I added a HELPER line for sip. But that
>> didn't seem to be sufficient. Signaling worked, but the audio stream
>> was blocked when using one of my two SIP providers. Only after adding
>> another accept rule for outgoing traffic could I get VOIP calls with
>> both providers working again. Now my rules look like this:
>> HELPER voip - udp 5060 {
>> helper=sip
>> }
>> ACCEPT voip net udp 3478,5060
>> ACCEPT voip net udp - 7078-7097
>> ACCEPT net voip udp 5060
>>
>> The UDP port range 7078-7079 is what my SIP device's documentation
>> recommends opening in the firewall. But I don't understand why this rule
>> was not necessary when AUTOHELPERS=Yes was used, but seems to be
>> necessary when I try to assign the HELPER manually.
>>
>> Can someone explain this change in behavior? Or how do I attach the
>> HELPER manually to replicate the behavior of AUTOHELPERS?
>>
>> For the record: I've also tried using both ports 3478 and 5060 in the
>> HELPER rule, but that didn't make a difference. The other helper-
>> related settings in my shorewall configuration (both shorewall and
>> shorewall6) are HELPERS=sip and LOAD_HELPERS_ONLY=Yes.
>>
>> And one more question regarding the documentation:
>> The man page shorewall-rules says:
>> "No destination zone should be specified in HELPER rules."
>>
>> But the page http://shorewall.org/Helpers.html shows an example
>> rule at the end that has the DEST zone set:
>> HELPER all net tcp 21 ; helper=ftp
>>
>> Is that a mistake or can the DEST zone be specified in HELPER rules?
>> In general, I'd like my rules to be as specific as possible, so,
>> naturally, I'd have specified net as the DEST zone of my sip HELPER
>> rule, but I didn't because of the statement in the man page.
>>
>
> What I recommend after setting AUTOHELPERS=No is to simply add this to
> your /etc/shorewall/conntrack file:
>
> CT:helper:sip:PO - - udp 5060
>
> That is all that AUTOHELPERS=Yes does for SIP.
>

Thanks, I'll give that a try. But it'll have to wait since my wife will
freak out if I do any more experiments with the phone/router today :P

But on more general terms, was the HELPER rule that I added basically
correct?

Thanks,

Timo

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
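Whichever way the helper is assigned (the HELPER rule or the CT:helper line in the conntrack file), the observable effect is that the udp/5060 conntrack entry carries the sip helper, which then creates expectations for the RTP stream so it is accepted as RELATED traffic without an explicit port-range rule. The check below is an added example and not part of this thread or of Shorewall itself: it parses the output format of `conntrack -L` (from conntrack-tools; the sample lines are constructed, with documentation addresses) and reports whether a SIP flow has the helper attached. If it reports "missing", the manual assignment did not take effect and the 7078-7097 ACCEPT rule is what is keeping audio working.

```shell
#!/bin/sh
# Added example (not from the thread). Inspects conntrack -L output and
# reports whether the sip helper is attached to the udp/5060 flow.
# SAMPLE_CONNTRACK is constructed; on a live box use:
#   sip_helper_state "$(conntrack -L -f ipv6 2>/dev/null)"

SAMPLE_CONNTRACK='udp      17 178 src=2001:db8::10 dst=2001:db8:1::5 sport=5060 dport=5060 src=2001:db8:1::5 dst=2001:db8::10 sport=5060 dport=5060 [ASSURED] mark=0 helper=sip use=1
udp      17 29 src=2001:db8::10 dst=2001:db8:1::5 sport=3478 dport=3478 src=2001:db8:1::5 dst=2001:db8::10 sport=3478 dport=3478 mark=0 use=1'

# sip_helper_state TABLE
# Prints one of:
#   attached - a udp flow to dport 5060 exists and carries helper=sip
#   missing  - a udp flow to dport 5060 exists but has no sip helper
#   noflow   - no udp flow to dport 5060 is present (no call in progress)
sip_helper_state() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" && /dport=5060/ {
            seen = 1
            if ($0 ~ /helper=sip/) found = 1
        }
        END {
            if (found) print "attached"
            else if (seen) print "missing"
            else print "noflow"
        }'
}

# Stand-alone run against the constructed sample.
sip_helper_state "$SAMPLE_CONNTRACK"
```

Run it during an active call; a "missing" result while signaling works is the symptom described above. `conntrack -L expect` lists the RTP expectations the helper has registered, which is the second thing to look at when the audio stream is blocked.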