Discussion:
[Shorewall-users] Moving to CentOS7 - Disabling nf_nat_sip and nf_conntrack_sip
Ryan Joiner
2016-10-28 05:14:33 UTC
Hello, I provide SIP trunking to a bunch of my customers and I also
mainly have them use shorewall. I have been using CentOS 6 for some
time and disabling the nf_nat_sip and nf_conntrack_sip modules has
always helped with SIP trunking. In fact, it has been a requirement for
SIP trunking to work properly.

For CentOS 7 it seems like these modules don't exist. I'm wondering if
you happen to know if that is true or if their name just changed. So
far in my testing I have found that the SIP trunking just works using
shorewall and CentOS 7 without disabling any modules, but I just want to
be sure there's not something else that might bite me later.

Thanks for everything!
Tom Eastep
2016-10-28 17:01:01 UTC
On my CentOS 7 installation, both nf_conntrack_sip.ko and
nf_nat_sip.ko exist in /lib/modules/... and modprobe successfully
loads them.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Ryan Joiner
2016-10-28 19:11:26 UTC
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
What would be the command to disable them for CentOS7? I have searched
a bunch but couldn't find anything.

Do the modules exist as a native part of CentOS, or is that added in by
Shorewall (Sorry for dumb question)?
Tom Eastep
2016-10-28 21:11:43 UTC
Post by Ryan Joiner
What would be the command to disable them for CentOS7? I have
searched a bunch but couldn't find anything.
a) rmmod nf_nat_sip
   rmmod nf_conntrack_sip

a) Set AUTOHELPERS=No in shorewall.conf.
b) Set HELPERS in shorewall.conf to the list of helpers you actually
   want.
c) Use standard macros for rules in the rules file that require a
   helper, such as ftp.
Post by Ryan Joiner
Do the modules exist as a native part of CentOS, or is that added
in by Shorewall (Sorry for dumb question)?
They are a native part of CentOS -- Shorewall never installs kernel
modules.

-Tom
Ryan Joiner
2016-11-04 04:49:55 UTC
Hey Tom, just a heads up, on every CentOS 7 install I've done when I run
the

rmmod nf_nat_sip
rmmod nf_conntrack_sip

it says the module does not exist. That's why I was confused.

Am I missing something? I do the minimal install every time.
Simon Matter
2016-11-04 05:41:52 UTC
What exactly does it say? Does it say the module is not loaded?

Regards,
Simon
Ryan Joiner
2016-11-04 15:16:53 UTC
Yes exactly. It says:
rmmod: ERROR: Module nf_nat_sip is not currently loaded
So far this is on every CentOS7 install I have done. I install and
configure Shorewall via RPM just like I did on CentOS 6 before.
Simon Matter
2016-11-04 16:58:29 UTC
So it means nf_nat_sip doesn't get loaded by your current shorewall
config, but be assured it's installed on your CentOS 7 box - since it's
part of the kernel rpm.

Simon
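
The difference discussed above between a helper module that is installed with the kernel package and one that is currently loaded, together with the AUTOHELPERS and HELPERS settings Tom mentions, can be checked with the following added example (not code from the thread or from Shorewall). The function names are hypothetical, and the default paths /proc/modules, /lib/modules/$(uname -r) and /etc/shorewall/shorewall.conf are assumptions about a standard install.

```shell
#!/bin/sh
# Added example. Every path is an optional argument so the checks can be
# pointed at fixtures; the defaults are the assumed live system locations.

# module_state NAME [PROC_MODULES] [MODULE_DIR]
# Prints: loaded | installed-not-loaded | absent
module_state() {
    name=$1
    proc_modules=${2:-/proc/modules}
    module_dir=${3:-/lib/modules/$(uname -r)}
    # /proc/modules has one loaded module per line, name in the first field.
    if awk -v m="$name" '$1 == m { hit = 1 } END { exit !hit }' \
        "$proc_modules" 2>/dev/null; then
        echo loaded
    # The kernel package ships NAME.ko, possibly compressed (NAME.ko.xz).
    elif find "$module_dir" -type f -name "$name.ko*" 2>/dev/null | grep -q .; then
        echo installed-not-loaded
    else
        echo absent
    fi
}

# conf_value KEY [CONF]
# Prints the last value assigned to KEY, quotes and trailing comment removed.
conf_value() {
    key=$1
    conf=${2:-/etc/shorewall/shorewall.conf}
    sed -n "s/^[[:space:]]*$key=//p" "$conf" 2>/dev/null |
        tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*#.*$//'
}

# sip_helper_report [PROC_MODULES] [MODULE_DIR] [CONF]
# Summarises both SIP helper modules and the Shorewall helper settings.
sip_helper_report() {
    for m in nf_conntrack_sip nf_nat_sip; do
        echo "$m: $(module_state "$m" "$1" "$2")"
    done
    echo "AUTOHELPERS=$(conf_value AUTOHELPERS "$3")"
    echo "HELPERS=$(conf_value HELPERS "$3")"
}
```

Calling `sip_helper_report` with no arguments on the firewall reports the live state; `installed-not-loaded` corresponds to the rmmod message "is not currently loaded" quoted in the thread.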
Ryan Joiner
2016-11-05 04:52:05 UTC
Great! It sounds like the default config for Shorewall does not load
them then. Works for me! Thanks again.
