dnoyeB (Member, join 2000-10-09, Southfield, MI):
Firewall Question

I'm working with SIP here.

So my device registers with the server. Firewall will allow that because the connection started within my network. But how does the SIP server get through my firewall if a call comes in? How can it open other ports? Does SPI just allow new sessions from the server because my client already has some session going!?

Trying to once again diagnose why some calls don't get through, and I have a completely different VOIP service and device this time...

I wish I could log rejected packets, but you know with Comcast my log will be filled in 30 seconds. Maybe I can log rejections from the server's address. Now that I think about it, that won't work. Since I am doing NAT, if there is no session initiated from my client, the firewall won't know what to do with the packet if/when it hits the Zywall.

Should I forward specific ports for SIP to guarantee incoming calls work even when not registered? My client is in the DMZ, but that won't help without a session or some port forwarding.
dnoyeB (Member):

Interesting.

I forwarded the SIP port 60 to my device. Then I created a rule to watch the action. Immediately the SIP server began opening sessions with my device. These sessions were previously not being allowed.

I wonder if this is a flaw of using SIP over UDP behind a SPI firewall!?
JPedroT (Premium Member, join 2005-02-18) to dnoyeB:
When NAT and SPI firewalls are in the path, the client or server needs to keep sending data to keep the port(s) open; this is usually called a heartbeat.

If not, they will be closed, so that we do not starve the devices of resources.

Now multiple ports and NAT is never a good idea, and it's the same for SPI.
So device vendors usually include ALGs to compete with these situations, so for instance when traffic is received on the SIP port (5060) it will analyze the data and find which port/protocol to expect the voice data on.

So if you are not getting calls, i.e. no ringing, there is a heartbeat missing or it is not sent out often enough and the port(s) close.

If it is ringing, but you get no sound in the phone, then the secondary port(s) or protocols are blocked. Either there is no ALG or it's broken, etc.

Now many SIP servers and clients are aware that NAT and SPI need special considerations and try other tricks than just a heartbeat. Then those tricks might mess up the ALG and we get an unpredictable state.

So usually it's a good idea to turn off the ALG or the tricks on the server/client.
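
As an added illustration (not from the thread or any poster), a toy Python model of the stateful UDP handling described above: an inbound SIP packet is only delivered while a client-created binding is still within the idle timeout, so a heartbeat interval longer than that timeout drops the call unless a static port forward exists. The 30 s timeout, the "phone" host name and the assumption that the NAT keeps the inside port number are constructed for the example.

```python
# Added example (not from the thread): a toy stateful NAT/SPI firewall for UDP.
# It shows why an unsolicited INVITE from the SIP server gets in only while the
# client's outbound state is alive, and why a port forward bypasses that check.
# All timings, names and addresses are constructed for illustration.
from dataclasses import dataclass, field

UDP_TIMEOUT = 30.0   # assumed idle timeout for a UDP binding, in seconds
SIP_PORT = 5060      # SIP signalling port mentioned in the thread


@dataclass
class StatefulFirewall:
    timeout: float = UDP_TIMEOUT
    # port -> (inside host, time of last outbound activity); assumes the NAT
    # keeps the inside port number unchanged on the outside
    bindings: dict = field(default_factory=dict)
    # static port forwards: port -> inside host (what the OP configured)
    forwards: dict = field(default_factory=dict)

    def outbound(self, host, port, now):
        """Inside host sends a UDP packet: create or refresh its binding."""
        self.bindings[port] = (host, now)

    def inbound(self, dst_port, now):
        """Packet from the SIP server: return the inside host it is delivered
        to, or None when no live state and no forward rule exist (dropped)."""
        if dst_port in self.bindings:
            host, last_seen = self.bindings[dst_port]
            if now - last_seen <= self.timeout:
                return host                 # matched live state: allowed in
            del self.bindings[dst_port]     # expired, like a missed heartbeat
        return self.forwards.get(dst_port)  # only a static forward helps now


def simulate(keepalive_interval, forward=False, call_at=100.0):
    """REGISTER at t=0, heartbeat every keepalive_interval seconds, then the
    server sends an INVITE at t=call_at. Returns True if it is delivered."""
    fw = StatefulFirewall()
    if forward:
        fw.forwards[SIP_PORT] = "phone"
    t = 0.0
    while t < call_at:
        fw.outbound("phone", SIP_PORT, t)   # REGISTER / heartbeat refreshes state
        t += keepalive_interval
    return fw.inbound(SIP_PORT, call_at) == "phone"


if __name__ == "__main__":
    print("15s heartbeat:", simulate(15))            # True: state kept alive
    print("60s heartbeat:", simulate(60))            # False: binding expired
    print("60s + forward:", simulate(60, forward=True))  # True: forward rule
```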

dnoyeB (Member):

It generally works. I think Anveo keeps sending data to my modem every 15s in order to keep the session alive. I think this works 99% of the time. That last 1% failure I have a suspicion is due to the firewall. Trying to test to be sure.

Brano (MVM, join 2002-06-25, Burlington, ON) to dnoyeB:
Another option is to try enabling SIP_ALG on port 60. With and without the FW rule and forwarding. See if that makes any difference.