lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 30 Nov 2009 18:46:48 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Christoph Lameter <cl@...ux-foundation.org>
CC:	Christian Hentschel <chentschel@...et.com.ar>,
	netdev@...r.kernel.org
Subject: Re: SIP proxying: siproxd vs. Netfilter SIP nat

Christoph Lameter wrote:
> On Mon, 30 Nov 2009, Patrick McHardy wrote:
> 
>>> Where do I find more recent documentation?
>> Below :)
> 
> I found http://lwn.net/Articles/271597/ which mentions that those two
> values may be set too strictly. Can they default to zero?

No, this is deliberate since it diverges from the behaviour of other
helpers. Usually they only allow to create RELATED connections between
the two hosts communicating. If you set either of these module options
to zero, they will allow completely foreign addresses to establish
connections when those addresses appear in the SDP payload. You should
usually use additional filters to f.i. only allow source addresses of
your registrar:

iptables -A FORWARD -m state --state RELATED \
		    -m helper --helper "sip" \
		    -s registrar-network/X -j ACCEPT

>> You of course also need to accept the packets marked RELATED by
>> the helper. If this is missing it might result in one-way audio.
> 
> Firewall is configured to accept all udp traffic. Will that do it?

That should be fine, but you can restrict it to just accept
-m state --state RELATED packets.

> The "helper" is the conntrack module?

Yes.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists