project-trident / trident-core

Core Packages and system overlay files
http://project-trident.org
BSD 2-Clause "Simplified" License

Firewall default open-out.rules addition #83

Closed ghost closed 4 years ago

ghost commented 5 years ago

When using SIP VoIP [Linphone] the firewall requires opening ports. However, firewall deny trapping shows that fragmented ip-proto-17 datagrams are not handled and must be reassembled.

  1. I suggest you consider modifying the default /etc/ipfw-profiles/open-out.rules to include:
       $cmd reass all from any to any in
     As I'm not confident Trident Firewall IPv6 can handle reass, you might use:
       $cmd reass ip4 from any to any in
  2. In addition to the current Firewall Manager services pick list, for SIP you might consider adding the supplementary default Linphone ports too:
       9078/udp Linphone Video
       7078/udp Linphone Audio

To Reproduce

Install Linphone and log firewall deny events with ports open:

    9078/udp
    7078/udp
    5061/udp sip-tld #SIP over TLS
    5061/tcp sip-tld #SIP over TLS
    5060/udp sip #Session Initialisation Protocol (VoIP)
    5060/tcp sip #Session Initialisation Protocol (VoIP)

You should see fragmented datagrams of ip-proto-17, and use of the Linphone default ports. Modify open-out.rules to include reass and the issue should clear. More detail on installing Linphone SIP VoIP is on our community forum where I raised a report. [https://discourse.trueos.org/t/sip-voip-settings/3772]

Expected behavior

Firewall would not block SIP if defined ports are open.

OS Version: Fresh install of U8 to blank disc.

    FreeBSD trident-4783 13.0-CURRENT FreeBSD 13.0-CURRENT GENERIC-NODEBUG amd64

Thanks,
Steve
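
Why opening the ports alone is not enough, as an added example that is not part of the original issue or of trident-core: only the first fragment of a UDP datagram carries the UDP header, so a rule that matches on destination port has nothing to compare in later fragments until they are reassembled. This is a simplified model with hypothetical function names; the payload size, source port and MTU are constructed.

```python
import struct

ALLOWED_UDP = {5060, 5061, 7078, 9078}  # ports opened in the report above

def udp_datagram(sport, dport, payload):
    # UDP header: source port, destination port, length, checksum (0 = unset)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(ip_payload, mtu=1500, ihl=20):
    """Split an IPv4 payload into (offset, more_fragments, data) tuples."""
    step = (mtu - ihl) // 8 * 8  # fragment offsets are counted in 8-byte units
    return [(off, off + step < len(ip_payload), ip_payload[off:off + step])
            for off in range(0, len(ip_payload), step)]

def port_rule_allows(frag, allowed=ALLOWED_UDP):
    """Simplified model of a rule that matches on UDP destination port."""
    off, _more, data = frag
    if off != 0 or len(data) < 8:
        return False  # no UDP header in this packet, so no port to match
    (dport,) = struct.unpack("!H", data[2:4])
    return dport in allowed

def reassemble(frags):
    """Rebuild the datagram, as reassembly ahead of the port rules would."""
    out = bytearray()
    for off, _more, data in sorted(frags):
        if off != len(out):
            raise ValueError("missing or overlapping fragment")
        out += data
    if not frags or sorted(frags)[-1][1]:
        raise ValueError("last fragment not received")
    return (0, False, bytes(out))

def demo():
    # Constructed sample: 3000-byte video payload to 9078/udp over a 1500 MTU
    frags = fragment(udp_datagram(40000, 9078, b"\x00" * 3000))
    per_fragment = [port_rule_allows(f) for f in frags]
    return per_fragment, port_rule_allows(reassemble(frags))

if __name__ == "__main__":
    print(demo())
```

In the model, the first fragment passes the port rule and the two trailing fragments do not, while the reassembled datagram passes as a whole.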

RodMyers commented 4 years ago

No longer a valid issue. Moving to Void Linux in 2020.