nf_conntrack_sip and ekiga

nf_conntrack_sip and ekiga

ael-3
What is the status of ekiga and the nf_conntrack-sip netfilter module?

I saw this bug:
 https://bugzilla.netfilter.org/show_bug.cgi?id=522
from several years ago which suggested that it may work with ekiga now.

I am setting up a router with openWRT which does not seem to have the
conntrack_sip module compiled by default, which makes me a little
suspicious.

I have several sip devices behind the firewall and need to open the
firewall dynamically for sip traffic. And I distinguish the different
clients by using distinct destination ports in the 506* range. If the
nf_conntrack_sip and nf_nat_sip modules work, then presumably they are
all I need. I find netfilter documentation to be dated and inadequate:
it is unclear to me where to find information: as far as I can see, I
have to read the kernel source and the configuration files to get
up to date information.

From
# modinfo nf_conntrack_sip
...
parm:           ports:port numbers of SIP servers (array of ushort)
...

it looks as if I need to load with the port range. I am not even sure
whether this is for servers or clients behind the firewall (or both).

Has anyone any experience or suggestions?

ael
_______________________________________________
ekiga-list mailing list
[hidden email]
https://mail.gnome.org/mailman/listinfo/ekiga-list
Re: nf_conntrack_sip and ekiga

Damien Sandras
Actually, it should magically work without doing anything. You do not even need distinct destination ports: Linux implements symmetric NAT, where the public IP/Port will be dynamically allocated depending on the internal IP:port and the external IP:port. As long as the internal IP is different, you do not need to ensure different internal ports.

If it does not magically work (with STUN disabled), then there are still bugs...

I have never tried it myself.

Damien

On Thursday 22 January 2015 at 14:53 +0000, ael wrote:
> What is the status of ekiga and the nf_conntrack-sip netfilter module?
>
> I saw this bug:
>  https://bugzilla.netfilter.org/show_bug.cgi?id=522
> from several years ago which suggested that it may work with ekiga now.
>
> I am setting up a router with openWRT which does not seem to have the
> conntrack_sip module compiled by default, which makes me a little
> suspicious.
>
> I have several sip devices behind the firewall and need to open the
> firewall dynamically for sip traffic. And I distinguish the different
> clients by using distinct destination ports in the 506* range. If the
> nf_conntrack_sip and nf_nat_sip modules work, then presumably they are
> all I need. I find netfilter documentation to be dated and inadequate:
> it is unclear to me where to find information: as far as I can see, I
> have to read the kernel source and the configuration files to get
> up to date information.
>
> From
> # modinfo nf_conntrack_sip
> ...
> parm:           ports:port numbers of SIP servers (array of ushort)
> ...
>
> it looks as if I need to load with the port range. I am not even sure
> whether this is for servers or clients behind the firewall (or both).
>
> Has anyone any experience or suggestions?
>
> ael

--
Damien SANDRAS

Ekiga Project
http://www.ekiga.org

Re: nf_conntrack_sip and ekiga

ael-3
On Sun, Jan 25, 2015 at 01:55:27PM +0100, Damien Sandras wrote:

> Actually, it should magically work without doing anything. You do not
> even need distinct destination ports: Linux implements symmetric NAT,
> where the public IP/Port will be dynamically allocated depending on the
> internal IP:port and the external IP:port. As long as the internal IP is
> different, you do not need to ensure different internal ports.
>
> If it does not magically work (with STUN disabled), then there are still
> bugs...
>
> I have never tried it myself.
>
> Damien
>
> > What is the status of ekiga and the nf_conntrack-sip netfilter module?

Thanks for the reply. I will experiment and report back and maybe put
something on the wiki if I get it working. It may take some time: I am
still finding my way around openWRT and custom compilation.

I was a little concerned about the tracker modifying the contents of
SIP packets: commercial routers with "SIP ALG" which I suspect are based
on these modules seem to fail.

ael
