On our lab we have a RH7.3 box with iptables firewall and NAT. When we were initially testing the nathelper module we found out that external pings did NOT keep the sessions alive on this box. Only pings going from inside towards the internet. At that point we decided to simply rely on the ability of devices like the ATA186 and GS phones to send a SIP Dummy packet from behind the NAT in order to keep the sessions alive. So far this approach has worked 100%. It is possible that the Linux box just needed some tweaking, but we needed a solution that worked seamlessly with all customers.
I belive we also tested another common broadband home router and it behaved the same way.
Regards, Andres
----- Original Message ----- From: "Jan Janak" jan@iptel.org To: "Hans Eriksson" hansa@mac.com Cc: "Klaus Darilion" darilion@ict.tuwien.ac.at; serusers@lists.iptel.org Sent: Thursday, December 04, 2003 3:09 PM Subject: Re: [Serusers] symmetric nat/ broadband routers
On 04-12 18:12, Hans Eriksson wrote:
Klaus,
Many commersial grade firewalls do not keep sessions alive, regardsless of external pings, so it won't work in rather too many cases.
Which firewalls behave this way, do you have any particular in mind ? What makes you think that many firewall require traffic from inside to keep the mapping open ?
Jan.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers