netdev.vger.kernel.org archive mirror
From: Patrick McHardy <kaber@trash.net>
To: Christoph Lameter <cl@linux-foundation.org>
Cc: Christian Hentschel <chentschel@arnet.com.ar>, netdev@vger.kernel.org
Subject: Re: SIP proxying: siproxd vs. Netfilter SIP nat
Date: Mon, 30 Nov 2009 18:46:48 +0100
Message-ID: <4B140508.1090802@trash.net>
In-Reply-To: <alpine.DEB.2.00.0911301133280.17037@router.home>

Christoph Lameter wrote:
> On Mon, 30 Nov 2009, Patrick McHardy wrote:
> 
>>> Where do I find more recent documentation?
>> Below :)
> 
> I found http://lwn.net/Articles/271597/ which mentions that those two
> values may be set too strictly. Can they default to zero?

No, this is deliberate since it diverges from the behaviour of other
helpers. Usually they only allow creating RELATED connections between
the two communicating hosts. If you set either of these module options
to zero, they will allow completely foreign addresses to establish
connections when those addresses appear in the SDP payload. You should
usually use additional filters to, for instance, only allow source
addresses of your registrar:

iptables -A FORWARD -m state --state RELATED \
         -m helper --helper "sip" \
         -s registrar-network/X -j ACCEPT

>> You of course also need to accept the packets marked RELATED by
>> the helper. If this is missing it might result in one-way audio.
> 
> Firewall is configured to accept all udp traffic. Will that do it?

That should be fine, but you can restrict it to just accept
-m state --state RELATED packets.

> The "helper" is the conntrack module?

Yes.
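The following is an added example, not code from the thread or from the netfilter project. It emits (rather than applies) the rule set that pairs the nf_conntrack_sip module options the reply refers to, sip_direct_signalling and sip_direct_media, with the FORWARD rules for the helper's RELATED traffic. With the strict defaults the helper only expects media between the two signalling endpoints, so an unrestricted RELATED accept is fine; with either option set to 0 the helper will also expect traffic from whatever address the SDP names, so the RELATED accept is scoped to the registrar network as the reply recommends. The registrar network 192.0.2.0/24, the 5060/udp signalling port and the explicit `-j CT --helper sip` attachment (needed on kernels newer than the one discussed, where automatic helper assignment is off by default) are assumptions of this example.

```shell
#!/bin/sh
# Added example: build netfilter rules for the SIP conntrack helper.
# Rules are printed, not executed, so this runs without root; pipe the
# output into sh on a firewall to apply it.

# Print the rules for one configuration.
#   $1  registrar network, e.g. 192.0.2.0/24 (constructed placeholder)
#   $2  sip_direct_media      (1 = default, strict; 0 = trust SDP addresses)
#   $3  sip_direct_signalling (1 = default, strict; 0 = trust SDP addresses)
sip_helper_rules() {
    net=$1; media=${2:-1}; sig=${3:-1}

    echo "modprobe nf_conntrack_sip sip_direct_media=$media sip_direct_signalling=$sig"
    # Assumption: attach the helper explicitly in the raw table. Newer kernels
    # no longer assign helpers by port automatically; older ones ignore nothing
    # here since the port default still applies.
    echo "iptables -t raw -A PREROUTING -p udp --dport 5060 -j CT --helper sip"
    # Signalling: NEW connections from the phones to the registrar.
    echo "iptables -A FORWARD -p udp --dport 5060 -m state --state NEW -j ACCEPT"
    if [ "$media" = 1 ] && [ "$sig" = 1 ]; then
        # Strict defaults: expectations only ever point at the two endpoints
        # of the signalling connection, so accept everything the helper
        # marks RELATED.
        echo "iptables -A FORWARD -m state --state RELATED -m helper --helper sip -j ACCEPT"
    else
        # Permissive: the helper now creates expectations for any address in
        # the SDP payload, so limit RELATED to the registrar network and drop
        # the rest (the additional filter the reply recommends).
        echo "iptables -A FORWARD -m state --state RELATED -m helper --helper sip -s $net -j ACCEPT"
        echo "iptables -A FORWARD -m state --state RELATED -m helper --helper sip -j DROP"
    fi
    # Return traffic for everything accepted above.
    echo "iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT"
}

# Number of rules that accept the helper's RELATED traffic from any source.
# Used as the check: it must be 0 whenever either module option is 0.
unrestricted_related_count() {
    sip_helper_rules "$@" | grep -c 'RELATED.*--helper sip -j ACCEPT$' || true
}

# Usage:
#   sip_helper_rules 192.0.2.0/24 1 1        # strict defaults
#   sip_helper_rules 192.0.2.0/24 0 1 | sh   # permissive media, scoped RELATED
```

The check function is the audit a practitioner would run before loosening the module options: if it reports a non-zero count while sip_direct_media or sip_direct_signalling is 0, the firewall is accepting media from any host that can get its address into a SIP message.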


Thread overview:
2009-11-30 17:13 SIP proxying: siproxd vs. Netfilter SIP nat Christoph Lameter
2009-11-30 17:21 ` Patrick McHardy
2009-11-30 17:27   ` Christoph Lameter
2009-11-30 17:30     ` Patrick McHardy
2009-11-30 17:35       ` Christoph Lameter
2009-11-30 17:46         ` Patrick McHardy [this message]
2009-11-30 17:55           ` Christoph Lameter
