Discussion:
ipfilter and SIP
Alicia da Conceicao
2007-08-21 13:55:54 UTC
Greetings:

Does anyone know if there is any type of application proxy for ipfilter
and SIP on NetBSD? Ipfilter has an application proxy for outgoing active
mode FTP, and Linux has a SIP application proxy that works with its
IPTables, but I cannot find any solution for NetBSD. The Linux Shorewall
distribution is able to do this right out of the box, so hopefully some
solution exists for NetBSD.

I have a Cisco 7960 IP phone (SIP based) with a vonage soft account,
which accesses the Internet via a NetBSD router (running NetBSD 3.1,
ipfilter & ipnat). The IP phone does not have any difficulties calling
out, but more than 80% of the incoming calls are blocked by ipfilter.
I can observe the blocked incoming UDP SIP packets using ipmon. If I
configure ipfilter to allow all incoming traffic, then the IP phone is
able to receive all of the calls without any problems. But neutralizing
the firewall is not a secure option!

So other than using Linux, I considered using a lightweight SIP proxy,
but neither asterisk nor openser could be considered lightweight or
secure to put on a firewall.

Any suggestions would be greatly appreciated.

Thank you in advance,
Alicia.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
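As an added diagnostic example (not part of Alicia's post, nor code from the IPFilter project): the ipmon(8) output she mentions is the right place to confirm which inbound UDP ports the phone actually needs before opening anything. The script below parses constructed ipmon-style lines and tallies blocked inbound UDP packets by source and destination port, separating those that fall in the SIP/RTP ranges used later in this thread (3478-3479, 5060-5061, 10000-10007) from those that do not. The sample lines, the external address 198.51.100.7 and the field-layout regex are my assumptions modelled on ipmon's text format; adjust the regex if your ipmon version prints fields differently.

```python
import re
from collections import Counter

# Inclusive SIP/RTP port ranges taken from the pf rules later in this thread.
SIP_PORT_RANGES = [(3478, 3479), (5060, 5061), (10000, 10007)]

# Constructed sample lines modelled on ipmon(8) text output (not from the post).
# Assumed layout, one record per line:
#   date time [Nx] ifname @group:rule action src,sport -> dst,dport PR proto len hlen plen [flags] IN|OUT
# 'b' is a blocked packet, 'p' a passed one; "3x" means the line was repeated 3 times.
SAMPLE_IPMON_LOG = """\
21/08/2007 09:40:01.102938 tap0 @0:3 b 203.0.113.10,5060 -> 198.51.100.7,5060 PR udp len 20 612 IN
21/08/2007 09:40:01.604421 3x tap0 @0:3 b 203.0.113.10,5060 -> 198.51.100.7,5060 PR udp len 20 612 IN
21/08/2007 09:40:05.000120 tap0 @0:3 b 203.0.113.22,10014 -> 198.51.100.7,10002 PR udp len 20 200 IN
21/08/2007 09:40:06.113355 tap0 @0:1 p 198.51.100.7,5060 -> 203.0.113.10,5060 PR udp len 20 590 OUT
21/08/2007 09:40:07.224466 tap0 @0:3 b 192.0.2.99,40000 -> 198.51.100.7,22 PR tcp len 20 60 -S IN
21/08/2007 09:40:08.335577 tap0 @0:3 b 192.0.2.50,1900 -> 198.51.100.7,1900 PR udp len 20 300 IN
"""

IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<count>\d+)x )?(?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[0-9a-fA-F.:]+),(?P<sport>\d+) -> (?P<dst>[0-9a-fA-F.:]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$"
)


def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon record, or None for lines that do
    not match the assumed layout (ICMP records without ports, headers, etc.)."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"]) if rec["count"] else 1
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def summarize_blocked_udp(log_text, sip_ranges=SIP_PORT_RANGES):
    """Tally blocked inbound UDP packets as {(src, dport): packets}, split into
    those explained by SIP/RTP ("sip") and everything else ("other"). The
    "other" bucket is what you do NOT open just because the phone is unhappy."""
    sip, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec is None or rec["action"] != "b" or rec["dir"] != "IN" or rec["proto"] != "udp":
            continue
        bucket = sip if in_ranges(rec["dport"], sip_ranges) else other
        bucket[(rec["src"], rec["dport"])] += rec["count"]
    return {"sip": dict(sip), "other": dict(other)}


def blocked_sip_ports(log_text, sip_ranges=SIP_PORT_RANGES):
    """Sorted list of SIP/RTP destination ports that were actually blocked."""
    return sorted({dport for (_, dport) in summarize_blocked_udp(log_text, sip_ranges)["sip"]})


if __name__ == "__main__":
    summary = summarize_blocked_udp(SAMPLE_IPMON_LOG)
    for bucket, hits in summary.items():
        for (src, dport), n in sorted(hits.items()):
            print(f"{bucket:5} {src:>15} -> udp/{dport:<5} blocked {n} packet(s)")
    print("SIP/RTP ports seen blocked:", blocked_sip_ports(SAMPLE_IPMON_LOG))
```

Run it against a real `ipmon -o I` capture taken while a test call is placed to the phone; the "sip" bucket tells you which of the provider's ports and media ports you need rules for, and anything left in "other" deserves its own explanation before a rule is written for it.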
Tobias Nygren
2007-08-21 16:44:28 UTC
On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
Post by Alicia da Conceicao
Does anyone know if there is any type of application proxy for ipfilter
and SIP on NetBSD? Ipfilter has an application proxy for outgoing active
mode FTP, and Linux has a SIP application proxy that works with its
IPTables, but I cannot find any solution for NetBSD. The Linux Shorewall
distribution is able to do this right out of the box, so hopefully some
solution exists for NetBSD.
I have a Cisco 7960 IP phone (SIP based) with a vonage soft account,
which accesses the Internet via a NetBSD router (running NetBSD 3.1,
ipfilter & ipnat). The IP phone does not have any difficulties calling
out, but more than 80% of the incoming calls are blocked by ipfilter.
I can observe the blocked incoming UDP SIP packets using ipmon. If I
configure ipfilter to allow all incoming traffic, then the IP phone is
able to receive all of the calls without any problems. But neutralizing
the firewall is not a secure option!
So other than using Linux, I considered using a lightweight SIP proxy,
but neither asterisk nor openser could be considered lightweight or
secure to put on a firewall.
Any suggestions would be greatly appreciated.
Thank you in advance,
Alicia.
Hi,

I could never get my SIP phone to work with ipfilter and NAT, however
I did manage to get it to work with pf(4), using the setup below.
The static-port keyword was the magic I needed.

ext_if = "tap0"
sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
sip_ip = "172.18.1.66/32"
nat on $ext_if from $sip_ip to any -> $ext_if static-port
rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
pass in quick on $ext_if inet proto udp from any to any port $sip_ports

HTH,
-Tobias


Hauke Fath
2007-08-21 17:40:27 UTC
Post by Alicia da Conceicao
Does anyone know if there is any type of application proxy for ipfilter
and SIP on NetBSD?
Have you looked at wip/siproxd? When I last looked, the package wasn't
done yet, and the proxy crashed occasionally, but seemed to work otherwise.

hauke

--
"It's never straight up and down" (DEVO)



Darren Reed
2007-08-22 06:11:39 UTC
Post by Tobias Nygren
On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
Post by Alicia da Conceicao
Does anyone know if there is any type of application proxy for ipfilter
and SIP on NetBSD? Ipfilter has an application proxy for outgoing active
mode FTP, and Linux has a SIP application proxy that works with its
IPTables, but I cannot find any solution for NetBSD. The Linux Shorewall
distribution is able to do this right out of the box, so hopefully some
solution exists for NetBSD.
I have a Cisco 7960 IP phone (SIP based) with a vonage soft account,
which accesses the Internet via a NetBSD router (running NetBSD 3.1,
ipfilter & ipnat). The IP phone does not have any difficulties calling
out, but more than 80% of the incoming calls are blocked by ipfilter.
I can observe the blocked incoming UDP SIP packets using ipmon. If I
configure ipfilter to allow all incoming traffic, then the IP phone is
able to receive all of the calls without any problems. But neutralizing
the firewall is not a secure option!
So other than using Linux, I considered using a lightweight SIP proxy,
but neither asterisk nor openser could be considered lightweight or
secure to put on a firewall.
Any suggestions would be greatly appreciated.
Thank you in advance,
Alicia.
Hi,
I could never get my SIP phone to work with ipfilter and NAT, however
I did manage to get it to work with pf(4), using the setup below.
The static-port keyword was the magic I needed.
ext_if = "tap0"
sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
sip_ip = "172.18.1.66/32"
nat on $ext_if from $sip_ip to any -> $ext_if static-port
rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
pass in quick on $ext_if inet proto udp from any to any port $sip_ports
The only part that IPFilter is incapable of here is expressing
the above in so few rules.

Darren


Stephen Borrill
2007-08-22 08:08:17 UTC
Post by Darren Reed
Post by Tobias Nygren
On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
Post by Alicia da Conceicao
Post by Alicia da Conceicao
Does anyone know if there is any type of application proxy for ipfilter
and SIP on NetBSD?
[snip]
Post by Darren Reed
Post by Tobias Nygren
I could never get my SIP phone to work with ipfilter and NAT, however
I did manage to get it to work with pf(4), using the setup below.
The static-port keyword was the magic I needed.
ext_if = "tap0"
sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
sip_ip = "172.18.1.66/32"
nat on $ext_if from $sip_ip to any -> $ext_if static-port
rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
pass in quick on $ext_if inet proto udp from any to any port $sip_ports
The only part that IPFilter is incapable of here is expressing
the above in so few rules.
Darren, can you give us a quick recipe-book entry based on the above so
that it'll be here if people Google for it later?
--
Stephen

Alicia da Conceicao
2007-08-22 08:41:25 UTC
Post by Stephen Borrill
Post by Darren Reed
Post by Tobias Nygren
Post by Alicia da Conceicao
Does anyone know if there is any type of application proxy for ipfilter
and SIP on NetBSD?
I could never get my SIP phone to work with ipfilter and NAT, however
I did manage to get it to work with pf(4), using the setup below.
The static-port keyword was the magic I needed.
ext_if = "tap0"
sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
sip_ip = "172.18.1.66/32"
nat on $ext_if from $sip_ip to any -> $ext_if static-port
rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
pass in quick on $ext_if inet proto udp from any to any port $sip_ports
The only part that IPFilter is incapable of here is expressing
the above in so few rules.
Darren, can you give us a quick recipe-book entry based on the above so
that it'll be here if people Google for it later?
Yes Darren, I would also appreciate it if you could please post an example
configuration for ipf.conf, even if it's a hundred lines. It would
be easier than reconfiguring the remaining firewall rules to PF or,
worse, IPTables.

Thank you in advance,
Alicia.


Darren Reed
2007-08-22 09:50:43 UTC
Post by Stephen Borrill
Post by Darren Reed
Post by Tobias Nygren
On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
Post by Alicia da Conceicao
Post by Alicia da Conceicao
Does anyone know if there is any type of application proxy for ipfilter
and SIP on NetBSD?
[snip]
Post by Darren Reed
Post by Tobias Nygren
I could never get my SIP phone to work with ipfilter and NAT, however
I did manage to get it to work with pf(4), using the setup below.
The static-port keyword was the magic I needed.
ext_if = "tap0"
sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
sip_ip = "172.18.1.66/32"
nat on $ext_if from $sip_ip to any -> $ext_if static-port
rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
pass in quick on $ext_if inet proto udp from any to any port $sip_ports
The only part that IPFilter is incapable of here is expressing
the above in so few rules.
Darren, can you give us a quick recipe-book entry based on the above
so that it'll be here if people Google for it later?
The only real dilemma is matching the IP# for the rdr rule, but that won't
be a problem forever...

For ipnat.conf, you can use:
map tap0 from 172.18.1.66/32 to any -> 0/32
rdr tap0 from any to tap0-ip# port 3477><3480 -> 172.18.1.66 udp
rdr tap0 from any to tap0-ip# port 5059><5062 -> 172.18.1.66 udp
rdr tap0 from any to tap0-ip# port 9999><10008 -> 172.18.1.66 udp

If you're using a "map tap0 ... portmap ... tcp/udp" style rule then you
may want to put these up the very top:
map tap0 from 172.18.1.66/32 port 3477><3480 to any -> 0/32 udp
map tap0 from 172.18.1.66/32 port 5059><5062 to any -> 0/32 udp
map tap0 from 172.18.1.66/32 port 9999><10008 to any -> 0/32 udp

For ipf.conf, you can use:
pass in quick on tap0 proto udp from any to any port 3478:3479 keep state
pass in quick on tap0 proto udp from any to any port 5060:5061 keep state
pass in quick on tap0 proto udp from any to any port 10000:10007 keep state

If you wanted you could use $ext_if, like this:

ext_if="tap0";
pass in quick on $ext_if proto udp from any to any port 3478:3479 keep state
pass in quick on $ext_if proto udp from any to any port 5060:5061 keep state
pass in quick on $ext_if proto udp from any to any port 10000:10007 keep state

but I'm not always sure it is a worthwhile change.

But it's obvious that ipnat.conf needs to be taught "portlow:porthigh".

Cheers,
Darren


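The one thing to get right when translating Tobias's pf rules into Darren's ipnat recipe is the range convention: pf and ipf write inclusive `lo:hi` ranges, while ipnat's `a><b` excludes both bounds, which is why 3478-3479 appears as `3477><3480` above. As an added example (my code, not from the thread or the IPFilter project), the script below parses a pf-style port list, performs that conversion, and emits the ipnat.conf and ipf.conf lines in the order Darren recommends. The external address 198.51.100.7 is a constructed placeholder for what Darren writes as `tap0-ip#`; the rejection of ranges ending at 65535 is my own caution, because whether ipnat accepts an exclusive upper bound of 65536 is not something this thread establishes.

```python
# Inclusive SIP/RTP port ranges from the thread (pf/ipf "lo:hi" notation).
SIP_PORT_RANGES = [(3478, 3479), (5060, 5061), (10000, 10007)]


def parse_pf_port_list(spec):
    """Parse a pf-style port list such as "{3478:3479, 5060:5061, 10000}" into
    inclusive (lo, hi) tuples; a bare port becomes (p, p)."""
    ranges = []
    for item in spec.strip().strip("{}").split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        lo = int(lo)
        hi = int(hi) if hi else lo
        ranges.append((lo, hi))
    return ranges


def to_exclusive(lo, hi):
    """ipnat's "a><b" matches ports strictly between a and b, so an inclusive
    lo..hi range must be written as (lo-1)><(hi+1): 3478..3479 -> 3477><3480.
    hi == 65535 is rejected (assumption: safer than emitting 65536 and hoping
    the parser accepts it); everything else is range-checked as a 16-bit port."""
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {lo}..{hi}")
    if hi == 65535:
        raise ValueError("cannot express an inclusive range ending at 65535 in a><b form")
    return lo - 1, hi + 1


def ipnat_rules(ext_if, ext_ip, phone_ip, ranges):
    """ipnat.conf lines, in Darren's recommended order:
      1. per-port map rules first, so that a later catch-all "portmap" rule
         cannot rewrite the phone's source ports (the counterpart of pf's
         static-port keyword);
      2. the catch-all map for the phone;
      3. rdr rules sending inbound SIP/RTP on the external address to the phone.
    ext_ip is the external interface's own address (Darren's "tap0-ip#")."""
    lines = []
    for lo, hi in ranges:
        xlo, xhi = to_exclusive(lo, hi)
        lines.append(f"map {ext_if} from {phone_ip}/32 port {xlo}><{xhi} to any -> 0/32 udp")
    lines.append(f"map {ext_if} from {phone_ip}/32 to any -> 0/32")
    for lo, hi in ranges:
        xlo, xhi = to_exclusive(lo, hi)
        lines.append(f"rdr {ext_if} from any to {ext_ip} port {xlo}><{xhi} -> {phone_ip} udp")
    return lines


def ipf_rules(ext_if, ranges):
    """ipf.conf lines: ipf already understands inclusive lo:hi, so no conversion,
    and "keep state" lets the reply traffic back out without further rules."""
    return [
        f"pass in quick on {ext_if} proto udp from any to any port {lo}:{hi} keep state"
        for lo, hi in ranges
    ]


if __name__ == "__main__":
    # 198.51.100.7 is a constructed placeholder for the router's external address.
    ranges = parse_pf_port_list("{3478:3479, 5060:5061, 10000:10007}")
    print("# ipnat.conf")
    print("\n".join(ipnat_rules("tap0", "198.51.100.7", "172.18.1.66", ranges)))
    print("# ipf.conf")
    print("\n".join(ipf_rules("tap0", ranges)))
```

Running the script with the thread's values reproduces Darren's lines exactly, which is a quick way to catch an off-by-one when you later widen the RTP range for a different provider: a boundary port silently missing from a `><` rule shows up as the occasional dropped call rather than an error.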
Darren Reed
2007-08-22 09:54:14 UTC
Post by Darren Reed
...
But it's obvious that ipnat.conf needs to be taught "portlow:porthigh".
I believe this is a one line fix but I need to test it some more...

Darren

Index: tools/ipnat_y.y
===================================================================
RCS file: /devel/CVS/IP-Filter/tools/ipnat_y.y,v
retrieving revision 1.30.2.26
diff -c -r1.30.2.26 ipnat_y.y
*** tools/ipnat_y.y 10 Dec 2006 16:03:02 -0000 1.30.2.26
--- tools/ipnat_y.y 22 Aug 2007 09:48:55 -0000
***************
*** 609,614 ****
--- 609,615 ----
range:
YY_RANGE_OUT { $$ = FR_OUTRANGE; }
| YY_RANGE_IN { $$ = FR_INRANGE; }
+ | ':' { $$ = FR_INCRANGE; }
;

ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
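Review bot: the new `| ':' { $$ = FR_INCRANGE; }` alternative only teaches the ipnat grammar to produce an inclusive range code; nothing in the hunk shows that the NAT port-range comparison consumes FR_INCRANGE the way the ipf rule path does for `port 3478:3479`, so before this lands it should be tested that `port 3478:3479` in an rdr or map rule matches exactly 3478 and 3479 (the exclusive spelling of the same range is `3477><3480`, so an off-by-one here would silently drop one boundary port rather than fail). Please also confirm the shared lexer already returns ':' as a literal token in this position, and pair the change with an update to the ipnat(5) manual page documenting the new `portlow:porthigh` syntax alongside `><` and `<>`.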

