[Shorewall-users] VoIP, getting ICMP destination unreachable

Discussion:

Sebastian Tänzer

2010-09-06 07:53:59 UTC

Hello,

I've recently set up our shorewall based firewall to use our GrandStream voip phones connecting to sipgate.de.
I'm experiencing some problems as after some time (2-3 hours) the phones are still registered but when calling
so. I can't hear them (but the other side can hear me).

I tried different settings by checking the port forwardings, disabling STUN and NAT on the device itself.
I can't tell if it works now (as I can hear the other side now) but will stop working again in a couple of hours.

Traffic logs with tshark show no errors, except this:

450.767075 192.168.10.253 -> 192.168.10.160 ICMP Destination unreachable (Port unreachable)

- and it's there almost each second.

As you can see from the dump attached access between my fw (10.253) and 10.160 is wide open.
10.160 is my voip phone.

Any ideas what this is about or should I ignore this message?

Best,
Sebastian

Jorge Armando Medina

2010-09-06 22:32:30 UTC

Permalink

Post by Sebastian TÃ¤nzer
Hello,

Hi Sebastian,

Post by Sebastian TÃ¤nzer
I've recently set up our shorewall based firewall to use our GrandStream voip phones connecting to sipgate.de.
I'm experiencing some problems as after some time (2-3 hours) the phones are still registered but when calling
so. I can't hear them (but the other side can hear me).

I had a similar problem, with a Asterisk PBX behind shorewall and remote
iphones, this phones registerd but when RTP traffic appeared I got dest
unreachable messages.

What I did is read FAQ 77 and disable sip helpers, after that SIP and
RTP traffic worked.

NOTE: I was using sip helpers because a few local phones were
connectiong to a hosted pbx and I used simple traffic shapping using sip
helper for QoS, I had to change the way about simple traffic shapping.

http://www.shorewall.net/FAQ.htm#faq77

Best regards.

Post by Sebastian TÃ¤nzer
I tried different settings by checking the port forwardings, disabling STUN and NAT on the device itself.
I can't tell if it works now (as I can hear the other side now) but will stop working again in a couple of hours.
450.767075 192.168.10.253 -> 192.168.10.160 ICMP Destination unreachable (Port unreachable)
- and it's there almost each second.
As you can see from the dump attached access between my fw (10.253) and 10.160 is wide open.
10.160 is my voip phone.
Any ideas what this is about or should I ignore this message?
Best,
Sebastian
------------------------------------------------------------------------------
Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Compugraf

Christian Vieser

2010-09-13 09:08:05 UTC

Permalink

Hi Sebastian.

We also installed a GrandStream phone recently with sipgate and I had
the same problem in the beginning. Solution was, to disable STUN on the
device and enable the sip helper modules (nf_nat_sip, nf_conntrack_sip)
on the shorewall firewall. Only rule I made for the phone was an ACCEPT
on all outgoing UDP connections (for your case: ACCEPT
loc:192.168.10.160 net udp).

Regards,
Christian

Mr Dash Four

2010-09-13 18:54:58 UTC

Permalink

Post by Christian Vieser
Solution was, to disable STUN on the
device and enable the sip helper modules (nf_nat_sip, nf_conntrack_sip)
on the shorewall firewall.

Interesting! I've had major some major headaches with VOIP (it is fair
to say I was STUNned as well - on multiple occasions I might add) and
had to 'invent' a VOIP proxy based on the X-Tunnels protocol and route
VOIP traffic, securely and in BOTH directions, from three internal
networks via a single point externally (one machine visible from the
outside world).

This is the first time I am seeing these 'helper modules'. Where can I
find more information about them and how they are used/work?

Mr Dash Four

2010-09-14 17:54:07 UTC

Permalink

OK, I was intrigued by earlier posts in the "VoIP, getting ICMP
destination unreachable" thread and started digging up info on the above
2 modules and their use on Shorewall.

I found a good starting-point reference here -
http://wiki.freeswitch.org/wiki/Firewall, but I am still unclear as to
the function of this two modules - what are they actually 'helping'
with? The link gives brief information about the various module
parameters, but they are a bit sketchy and apart from the "ports"
parameter I am not completely clear what the rest of them mean?

So, how are these modules helping? Establishing pin holes in the
firewall for voip connection/traffic to go through? Establishing
connection tracking so that when initial connection to voip server is
made on :5060 all subsequent connections initiated/received (on random
high ports) are treated as part of this RELATED initial connection to
:5060? If so, do I need to define separate rules for them or adding just
one rule for connection to the voip server to :5060 would be enough?
What about the SELinux contexts - are they kept the same provided all
other connections are treated the same by the above 2 'helper' modules?

I am asking all these questions because up until now I had no idea about
their existence and all my voip traffic (and it is a LOT of it in my
case) is confined by explicit rules defined in the rules file (I also
use a specifically designed voip proxy which routes all my internal voip
traffic coming from all 3 subnets to an external provider). These rules
are matched/related together by defined uid/gid of the process which
runs my voip traffic show.

I checked with lsmod and the above two modules are indeed loaded on my
main firewall machine (where Shorewall is), though they are not
specifically configured in any way. Any info or experience shared on the
usage and configuration of these two modules and the appropriate
Shorewall setup is welcome!

Tom Eastep

2010-09-14 19:42:43 UTC

Permalink

Post by Mr Dash Four
OK, I was intrigued by earlier posts in the "VoIP, getting ICMP
destination unreachable" thread and started digging up info on the above
2 modules and their use on Shorewall.
I found a good starting-point reference here -
http://wiki.freeswitch.org/wiki/Firewall, but I am still unclear as to
the function of this two modules - what are they actually 'helping'
with? The link gives brief information about the various module
parameters, but they are a bit sketchy and apart from the "ports"
parameter I am not completely clear what the rest of them mean?

Application designers are in love with the notion that they can embed IP
addresses and port numbers in packets sent to their peer with the
expectation that the peer will then return packets addressed to that
embedded address/port. This has been going on forever (think FTP). That
works fine until a stateful firewall is injected between the peers. The
firewall must then deal with these return connections without knowing
about them in advance. This is the purpose of Netfilter 'helpers'.

These helpers examine packets going through the firewall and create
"expectations"; An "expectation" is essentially a temporary "hole" in
the firewall in the form of a conntrack entry that will be matched by
the return or "related" connection. This allows expecations to properly
handle NAT as well as allowing passage through the firewall.

Helper modules are not autoloaded. When using the sample Shorewall
configurations, the generated firewall script loads all helper modules
during start/restart. You can suppress the loading of individual helpers
using the DONT_LOAD option in shorewall.conf.

I've written an example of how the FTP helper works at
http://www.shorewall.net/FTP.html. Other helpers are similar.

I have no direct experience with VOIP so there is no similar article on

Mr Dash Four

2010-09-14 20:00:29 UTC

Permalink

Post by Tom Eastep
I've written an example of how the FTP helper works at
http://www.shorewall.net/FTP.html. Other helpers are similar.
I have no direct experience with VOIP so there is no similar article on
the Shorewall site concerning SIP.

Tom Eastep

2010-09-14 20:33:16 UTC

Permalink

Mr Dash Four

2010-09-14 22:42:09 UTC

Permalink

I just told you there is nothing on the Shorewall site, and you can use
Google as well as any of us can. But please let us know if you find
anything useful and I'll add a link on the site.

Already tried google, but am getting nowhere! Also tried the netfilter
web site - no joy there either. I'll look for a newsgroup or mailing
list in the hope of getting better luck. If I have time during the
weekend I will be experimenting with this because if it works it will
take a LOT of the headaches I've had in the past with VOIP away for good!

Simon Hobson

2010-09-14 20:28:51 UTC

Permalink

Tom Eastep wrote:

Mr Dash Four

2010-09-14 22:51:25 UTC

Permalink

Alternatively, it's more admin but also more reliable to statically
configure everything. Manually configure each SIP device to use a
different port for it's SIP traffic, and a different port range for
it's RTP traffic. Configure them with knowledge of their public IP,
and manually configure your firewall with all the corresponding NAT
mappings.

THAT is exactly what I have been doing for the past year or so - very
painful experience, though once done it works for good (well, most of
the time!). I am also strongly against using STUN as, for me, this is an
abomination and should never EVER be used.

<mounts soapbox>
The real answer is to persuade the world and his dog that NAT ==
Broken. By definition, NAT breaks rule 1 of IP connectivity that
requires every device to have a globally unique and routeable address.
If only as much effort was put into making IPv6 as ubiquitous as IPv4
as is put into trying to work round (eg writing ALGs to put into NAT
gateways) the fundamental breakage of NAT then I think IPv6 would be
a lot further on than it is.

OK, I have a confession to make - when I first looked at your post, it
reminded me of something, but I couldn't put my finger on it until I
came across the above paragraph and then I remembered - when I started
looking over the web for more info about the above two modules I read a
thread (I think it was in one of the Shorewall mailing lists from a
while ago) containing a rather well-thought-out well-drilled rant by
somebody (it might have been you, actually, in which case hats off to
you, sir!) about SIP/NAT and the like - it made me laugh out loud
because every single word of that rant was 100% true! Pure genius!

Simon Hobson

2010-09-15 08:16:32 UTC

Permalink

Post by Mr Dash Four

I agree, STUN is an abomination. However, as long as we have NAT
(also an affront to common sense) then we need tools to work around
the breakage. My experience is that, given a well behaved gateway,
STUN is actually highly effective.
Where it breaks down is gateways that are designed by people with the
strange idea that randomising ports is a good idea. When that
happens, the device cannot determine it's outside port since it will
change between doing STUN and doing VOIP. For that reason I always
advise strongly against having anything to do with Zyxel in your
network if you also want to do VOIP.

Commercial VOIP providers (we use Gradwell at work) get round these
problems by providing NAT proxies that ignore the address/port
combinations in the SIP packets and instead look at the actual
address/port the SIP and RTP packets come from.

I think you can probably tell what's been driving me nuts for the
last few years ! When I started 5 years ago, they were just
experimenting with VOIP at work - and all the phones were on public
IPs outside the firewall because they hadn't (at the time) figured
out how to make them work otherwise. Fortunately we had the IPs
available because of our hosting services.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

Mr Dash Four

2010-09-15 21:18:09 UTC

Permalink

Post by Simon Hobson
I think you can probably tell what's been driving me nuts for the
last few years ! When I started 5 years ago, they were just
experimenting with VOIP at work - and all the phones were on public
IPs outside the firewall because they hadn't (at the time) figured
out how to make them work otherwise. Fortunately we had the IPs
available because of our hosting services.

I don't have as much experience in voip as you, but I share your
sentiments.

I can't resist the itch, though, and have a go at the two modules - I
just want to see what they do and how they work as I've never tried them
before (in my own configuration even though they are loaded by Shorewall
they are not 'active' as my voip port is not 5060) - so I may as well
take the plunge and see how they perform (the reason why I am so eager
to get as much info about these modules as possible before I start).

d***@mastertraining.it

2010-12-22 12:21:26 UTC

Permalink

Hi everybody,
I have a very old and home made Asterisk PBX. Recently I can see other
annoying server in the net are trying to register SIP accounts on the
asterisk bound to my eth1 interface which has a public IP, directly
connected to the router. I'm using shorewall 2.2.3 on a Debian Sarge (I
said it was very old!). Yes...I've almost ready a pretty new PBX with
Debian Lenny and Shorewall 4.0.15 but all I'd like to know is if the
current "attacks" on my sip ports are due to the old kernel/shorewall or
my configuration.
Here the (old) cfg:

Policy (everything dropped):
fw all ACCEPT
net all DROP info

Rules (only udp traffic from my sip provider):
ACCEPT net:[my authorized sip provider IP] fw udp 1024:65535

Interfaces:
net eth1 detect tcpflags

I'm really curious because despite this configuration I'm receiving SIP
traffic from other unwanted IP.

Thanx

Tom eastep

2010-12-22 16:17:17 UTC

Permalink

Post by d***@mastertraining.it
Hi everybody,
I have a very old and home made Asterisk PBX. Recently I can see other
annoying server in the net are trying to register SIP accounts on the
asterisk bound to my eth1 interface which has a public IP, directly
connected to the router. I'm using shorewall 2.2.3 on a Debian Sarge (I
said it was very old!). Yes...I've almost ready a pretty new PBX with
Debian Lenny and Shorewall 4.0.15 but all I'd like to know is if the
current "attacks" on my sip ports are due to the old kernel/shorewall or
my configuration.
fw all ACCEPT
net all DROP info
ACCEPT net:[my authorized sip provider IP] fw udp 1024:65535
net eth1 detect tcpflags
I'm really curious because despite this configuration I'm receiving SIP
traffic from other unwanted IP.

Hard to say without specifics. Please show us:

- The output of 'iptables -L -n -v'
- The output of 'cat /proc/net/ip_conntrack'

Please collect this output when you are seeing unwanted traffic.

Thanks,
-Tom

--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

d***@mastertraining.it

2010-12-23 12:27:29 UTC

Permalink

:(
Seems they don't like my asterisk server no more. The attack is ended
one day ago.
As soon as it start again I'll collect the data!!
Thanks

Post by Tom eastep

- The output of 'iptables -L -n -v'
- The output of 'cat /proc/net/ip_conntrack'
Please collect this output when you are seeing unwanted traffic.
Thanks,
-Tom
------------------------------------------------------------------------------
Forrester recently released a report on the Return on Investment (ROI) of
Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even
an online email calendar, and document program that's accessible from your
browser. Read the Forrester report: http://p.sf.net/sfu/googleapps-sfnew
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Distinti saluti
--

Daniele Davolio
Information Technology Department

tel: +39 0522 268059
fax: +39 0522 331673
e-mail: ***@mastertraining.it
web: www.mastertraining.it

Master Training S.r.l.
Sede Legale: via Timolini, 18 - Correggio (RE) - Italy
Sede Operativa: via Sani, 15 - Reggio Emilia - Italy
Sede Commerciale: via Sani, 9 - Reggio Emilia - Italy

================================================================
Le informazioni contenute in questa e-mail sono da considerarsi confidenziali e esclusivamente per uso personale dei destinatari sopra indicati. Questo messaggio può includere dati personali o sensibili. Qualora questo messaggio fosse da Voi ricevuto per errore vogliate cortesemente darcene notizia a mezzo e-mail e distruggere il messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del Decreto Legislativo 196/2003 sulla tutela dei dati personali e sensibili.
This e-mail and any file transmitted with it is intended only for the person or entity to which is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure.Copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this e-mail by mistake, please notify us immediately by telephone or fax.