lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 30 Nov 2009 18:21:09 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Christoph Lameter <cl@...ux-foundation.org>
CC:	Christian Hentschel <chentschel@...et.com.ar>,
	netdev@...r.kernel.org
Subject: Re: SIP proxying: siproxd vs. Netfilter SIP nat

Christoph Lameter wrote:
> It seems that the current sip nat module in the kernel has only limited
> functionality. According to
> 
> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
> 
> one has to point the firewall at the target host for the SIP proxying to
> work. Therefore the kernel will only support a single inside phone
> connecting via SIP to the outside. For a network that has a series of
> phones inside the NAT zones this means that the firewall sip nat is not
> useful.

That documentation is horribly outdated.

> siproxd http://siproxd.sourceforge.net/ seems to be able to handle
> multiple outgoing SIP connections but one needs to specify an outbound
> proxy for each inside SIP phone.
> 
> Isnt there a way to make the kernel module work in the same way siproxd
> works and able to support multiple phones? Right now configuring SIP
> connectivity is a messy thing that is not easily setup. Can we fix this?

It should work fine with multiple phones, it even recognizes calls
between two internal phones and makes the media stream go between
them directly. Depending on how your registrar/proxy works, you might
have to set one or both of these module options:

sip_direct_signalling: when set to zero, allows incoming signalling
 connections from other hosts than the registrar. Usually not needed.

sip_direct_media: when set to zero, allows incoming media streams
 from other hosts than the registrar. This one is often required,
 some providers use server farms for handling the media streams,
 some set up media streams to go directly between the endpoints.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ