Mailinglist Archive: opensuse-security (69 mails)

Re: [suse-security] SIP Connections and NAT/FW Configuration
  • From: Bastian Friedrich <bastian@xxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 27 Oct 2006 08:51:46 +0200
  • Message-id: <200610270851.50191.bastian@xxxxxxxxxxxxxxxxxxxx>
Hi,

On Friday, 27 October 2006 08:19, dcb@xxxxxxxxxxx wrote:
> Calling in is the problem. As far as I can tell, I need to forward SIP
> from the outside zone to the internal zone so the Vonage VOIP device
> (Motorola VT 2142) can set up the call session. The VT 2142 does not
> have/support an IP address

Er. I'm sure it does have an address. If it wants to communicate (inbound or
outbound) it needs one... If you don't know its address, try to check that
with tcpdump/ethereal/whatever while calling outbound.

> so I'm not clear on how to route SIP once it
> transits the FW, or how to broadcast it such that the VT 2142 endpoint
> establishes the session.

Consider installing a SIP proxy[1] in your environment, possibly on the
firewall itself.

> I'm also not sure what the security risk is
> opening up UDP 5060 from the outside -> inside is, so insights there are
> appreciated.

An open port is a bad port, as long as you don't know _why_ you open it.
Security considerations with opening a port depend on your network setup, the
environment and more theoretical considerations.

Please note that many SIP connections are TCP!

[1] I'd recommend OpenSER (www.openser.org) or SER (www.iptel.org, but OpenSER
is better ;)). Asterisk can give you similar functionality, but its primary
domain is a different one.

Have a lot of fun...
Bastian

--
Bastian Friedrich bastian@xxxxxxxxxxxxxxxxxxxx
Adress & Fon available on my HP http://www.bastian-friedrich.de/
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
\ Absence is to love what wind is to fire. It extinguishes the small,
\ it enkindles the great.