Message-ID: <4B140508.1090802@trash.net>
Date:	Mon, 30 Nov 2009 18:46:48 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Christoph Lameter <cl@...ux-foundation.org>
CC:	Christian Hentschel <chentschel@...et.com.ar>,
	netdev@...r.kernel.org
Subject: Re: SIP proxying: siproxd vs. Netfilter SIP nat

Christoph Lameter wrote:
> On Mon, 30 Nov 2009, Patrick McHardy wrote:
> 
>>> Where do I find more recent documentation?
>> Below :)
> 
> I found http://lwn.net/Articles/271597/ which mentions that those two
> values may be set too strictly. Can they default to zero?

No, this is deliberate since it diverges from the behaviour of other
helpers. Usually they only allow creating RELATED connections between
the two hosts communicating. If you set either of these module options
to zero, they will allow completely foreign addresses to establish
connections when those addresses appear in the SDP payload. You should
usually use additional filters to f.i. only allow source addresses of
your registrar:

iptables -A FORWARD -m state --state RELATED \
		    -m helper --helper "sip" \
		    -s registrar-network/X -j ACCEPT

>> You of course also need to accept the packets marked RELATED by
>> the helper. If this is missing it might result in one-way audio.
> 
> Firewall is configured to accept all udp traffic. Will that do it?

That should be fine, but you can restrict it to just accept
-m state --state RELATED packets.

> The "helper" is the conntrack module?

Yes.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
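As an added example that is not part of this thread, a small Python audit of an iptables-save dump that classifies FORWARD ACCEPT rules by how tightly they scope helper-created RELATED flows: the accept-all-UDP rule Christoph describes, the registrar-restricted `-m helper --helper sip` rule Patrick suggests, and an unrestricted RELATED rule. The dump and its 192.0.2.0/24 registrar network are constructed for the demo.

```python
"""Audit an iptables-save dump for the RELATED/SIP-helper rules discussed above."""
import shlex

# Constructed iptables-save excerpt for the demo (not from the original thread).
SAMPLE_DUMP = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -p udp -j ACCEPT
-A FORWARD -m state --state RELATED -m helper --helper sip -s 192.0.2.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def _option(tokens, *names):
    """Return the argument following the first of `names` found in tokens, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def classify_rule(tokens):
    """Classify one ACCEPT rule by how tightly it scopes helper-created expectations."""
    states = (_option(tokens, "--state", "--ctstate") or "").upper().split(",")
    if "RELATED" not in states:
        # No conntrack state match: a bare '-p udp -j ACCEPT' lets RELATED flows
        # through too, along with every other UDP packet.
        return "permissive" if _option(tokens, "-p") == "udp" else "unrelated"
    helper = _option(tokens, "--helper")
    source = _option(tokens, "-s", "--source")
    if helper == "sip" and source:
        return "restricted"   # helper pinned and source limited, as the mail suggests
    return "related-any"      # any helper's expectation, from any address the SDP named

def audit_forward_chain(dump, chain="FORWARD"):
    """Map each ACCEPT rule in `chain` (match text only) to its classification."""
    result = {}
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        if tokens[1] != chain or _option(tokens, "-j") != "ACCEPT":
            continue
        result[" ".join(tokens[2:])] = classify_rule(tokens)
    return result

if __name__ == "__main__":
    for rule, verdict in audit_forward_chain(SAMPLE_DUMP).items():
        print(f"{verdict:11} {rule}")
```

Feed it the output of `iptables-save` on a real gateway to see which rules would let foreign addresses named in SDP through if the helper's module options were relaxed.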
