[Serusers] Firewall

jaime.gill at orange.co.uk jaime.gill at orange.co.uk
Tue May 6 15:52:35 CEST 2003


Hello,

If you are really interested in having SER within a NATed network or running on
the firewall/NAT itself, maybe you could give the fcp module a try. It
relies on a client side, which is added as a module to SER, and a server side,
running on the firewall/NAT (with iptables).

The module keeps track of sessions similar to a b2bua. When a new request for a
session comes (INVITE, SUBSCRIBE, MESSAGE, etc.) from an internal client, the
fcp module learns the external IP address and a port on the firewall and makes
several changes to the SIP message. In the current implementation, Contact and
SDP can be changed before sending any request through the firewall/nat. When
responses come back (200 OK with SDP), the firewall ports are open for media to
flow. Ports are closed after expiration of rules or because CANCEL/BYE are
issued from any of the end points.

This has been tested so far in the following scenario:

SIP UA1 ----- SER+fcp module ------ NAT/FW(fcpd) --------- SER ----------- SIP UA2

With the current version of fcpd (http://www.iptel.org/fcp/) I have not been
successful in establishing a media connection, but you might be luckier :)

However, the previous version worked for me on several occasions (I could hear
audio to and from SIP UA1/SIP UA2).

If you are interested in giving it a try, let me know and we will see how far we
get.

Jaime






"Hans Scheffers" <hans.scheffers at xs4all.nl> on 06/05/2003 13:32:16




To:   serusers at lists.iptel.org
cc:    (bcc: Jaime GILL/EN/HTLUK)


Subject:  RE: [Serusers] Firewall



NAT, I have one public IP.
The problem with iptables/ipchains is the way they filter compared to
Cisco a.s.o.

Hans Scheffers
JifLin B.V.
Leliestraat 7
7151 GH Eibergen

http://www.jiflin.nl


> -----Original Message-----
> From: Jan Janak [mailto:jan at iptel.org]
> Sent: Tuesday, 6 May 2003 12:18
> To: Hans Scheffers
> CC: serusers at lists.iptel.org
> Subject: Re: [Serusers] Firewall
>
>
> BTW, are you behind a NAT or just a firewall ?
>
>   Jan.
>
> On 06-05 11:36, Hans Scheffers wrote:
> > But are there developers working on it?
> >
> >
> > Hans Scheffers
> > JifLin B.V.
> > Leliestraat 7
> > 7151 GH Eibergen
> >
> > http://www.jiflin.nl
> >
> >
> > > -----Original Message-----
> > > From: Jan Janak [mailto:jan at iptel.org]
> > > Sent: Tuesday, 6 May 2003 11:18
> > > To: Juha Heinanen
> > > CC: Hans Scheffers; serusers at lists.iptel.org
> > > Subject: Re: [Serusers] Firewall
> > >
> > >
> > > On 06-05 07:54, Juha Heinanen wrote:
> > > > Jan Janak writes:
> > > >
> > > > >  > > I have an Astaro Linux Firewall. This firewall blocks
> > > > >  > > everything (what I want :)), and is based on iptables.
> > > > >
> > > > if it is based on iptables, then the right solution is to write a sip
> > > > helper application for iptables.  everything else is hackery.
> > >
> > >   And this is very tricky, that is the reason why there is no such
> > >   helper application yet.
> > >
> > >    Jan.
> > >
> > >
> >
> > _______________________________________________
> > Serusers mailing list
> > serusers at lists.iptel.org
> > http://lists.iptel.org/mailman/listinfo/serusers
>
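
Added example, not part of the original message and not fcp code: a Python illustration of the rewrite described at the top of this message, where Contact and SDP are changed to the firewall's external address before the request leaves and one media pinhole is recorded per m= line. The INVITE is constructed, and the function name, the 203.0.113.5 address and the port map are assumptions standing in for whatever the firewall daemon would return.

```python
import re

# Constructed sample: INVITE from an internal client on an RFC 1918 address.
SDP = ("v=0\r\n"
       "o=ua1 1 1 IN IP4 192.168.1.10\r\n"
       "s=-\r\n"
       "c=IN IP4 192.168.1.10\r\n"
       "t=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:ua2@example.org SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bKconstructed\r\n"
          "From: <sip:ua1@example.org>;tag=1\r\n"
          "To: <sip:ua2@example.org>\r\n"
          "Call-ID: constructed-1@192.168.1.10\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: <sip:ua1@192.168.1.10:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)


def rewrite_for_nat(msg, ext_ip, ext_sip_port, media_ports):
    """Return (rewritten message, media pinholes to request).

    ext_ip, ext_sip_port and media_ports ({inside RTP port: outside port})
    are hypothetical inputs standing in for the firewall daemon's answer.
    Each pinhole is (outside port, inside IP, inside port).
    """
    head, body = msg.split("\r\n\r\n", 1)
    # Contact: point the far end at the firewall's external address.
    head = re.sub(r"(?im)^(Contact:\s*<sip:[^@>]+@)[^:;>]+(?::\d+)?",
                  rf"\g<1>{ext_ip}:{ext_sip_port}", head)
    pinholes, out, inside_ip = [], [], None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            inside_ip = line.split()[2]        # remember where media really goes
            line = f"c=IN IP4 {ext_ip}"
        elif line.startswith("m="):
            media, port, rest = line[2:].split(" ", 2)
            ext_port = media_ports[int(port)]  # KeyError if no port was allocated
            pinholes.append((ext_port, inside_ip, int(port)))
            line = f"m={media} {ext_port} {rest}"
        out.append(line)                       # o= is left untouched here
    body = "\r\n".join(out)
    # The body length changed, so Content-Length must be recomputed.
    head = re.sub(r"(?im)^(Content-Length:\s*)\d+",
                  rf"\g<1>{len(body.encode())}", head)
    return head + "\r\n\r\n" + body, pinholes
```

The Via header and the SDP o= line still carry the inside address after this rewrite; only Contact, c= and m= are touched.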



