Checkpoint firewalls contain stateful SIP packet inspection. It will
look into the packet and decide whether it should be dropped or allowed
based on the contents of the SIP message.
I guess you would have to change some settings in the firewall to make
the messages go through.
I would recommend using something other than Checkpoint firewalls.
We have had trouble with this vendor.
Jan.
On 15-11-2005 12:38, Joao Pereira wrote:
Hello
I have two Cisco 7940 phones with private addresses (10.0.11.239 and
10.0.11.140) connected to SER also with private address (10.0.0.135),
but in another network.
My SER is with the default configuration.
Between the networks I have a Checkpoint Firewall-1NG.
The Cisco IP phones can register because the REGISTER packets aren't blocked.
But the INVITEs never reach SER (I checked with ngrep), because the
Firewall drops them, saying there was an illegal redirection.
The strangest part is that, when I try to make a phone call from
PhoneA(10.0.11.239) to PhoneB(10.0.11.240), the INVITE is dropped before
reaching SER, and it says "Illegal redirection 10.0.0.135->10.0.11.240".
How can the firewall know that the INVITE was going to be redirected by
SER to PhoneB(10.0.11.240) ????
my ser.cfg (the default one):
# $Id: ser.cfg,v 1.25 2004/11/30 16:28:24 andrei Exp $
# simple quick-start config script
# ----------- global configuration parameters ------------------------
debug=3 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=yes # (cmd line: -E)
listen = 10.0.0.135
/* Uncomment these lines to enter debugging mode
fork=no
log_stderror=yes
*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
# ------------------ module loading ----------------------------------
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------------------- request routing logic -------------------
# main routing logic
route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if (msg:len >= max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };
    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER") record_route();
    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
        break;
    };
    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
        break;
    };
    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        if (method=="REGISTER") {
            save("location");
            break;
        };
        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            break;
        };
        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}
route[1]
{
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
}
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
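
The reply above says the firewall decides on the contents of the SIP message. As an added example (not from either poster, and not Check Point's implementation), this Python code pulls out the addresses a SIP-aware inspector can read from an INVITE and compares them with the IP header. The sample message, the field labels and the function names are constructed for illustration.

```python
import re

# Constructed INVITE from PhoneA (10.0.11.239) to SER (10.0.0.135); user names,
# branch, tag and Call-ID are made up, not captured from the poster's network.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:phoneb@10.0.0.135 SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.11.239:5060;branch=z9hG4bK-constructed",
    "From: <sip:phonea@10.0.0.135>;tag=constructed",
    "To: <sip:phoneb@10.0.0.135>",
    "Call-ID: constructed-1@10.0.11.239",
    "CSeq: 101 INVITE",
    "Contact: <sip:phonea@10.0.11.239:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 10.0.11.239",
    "c=IN IP4 10.0.11.239",
    "m=audio 16384 RTP/AVP 0",
    "",
])

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def embedded_addresses(message):
    """Map each address-bearing field of a SIP request to the IPv4 address in it."""
    head, _, body = message.partition("\r\n\r\n")
    start_line, *headers = head.split("\r\n")
    found = {}
    m = IPV4.search(start_line.split(" ")[1])        # Request-URI
    if m:
        found["request-uri"] = m.group()
    for line in headers:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        m = IPV4.search(value)
        if key in ("via", "contact") and m and key not in found:
            found[key] = m.group()                   # topmost occurrence only
    for line in body.split("\r\n"):
        if line.startswith("c="):                    # SDP connection (media) address
            m = IPV4.search(line)
            if m:
                found.setdefault("sdp-c", m.group())
    return found

def differs_from_ip_header(message, ip_src, ip_dst):
    """List (field, embedded, expected) where the payload disagrees with the IP header."""
    expected = {"request-uri": ip_dst, "via": ip_src, "contact": ip_src, "sdp-c": ip_src}
    return [(f, a, expected[f]) for f, a in embedded_addresses(message).items()
            if a != expected[f]]
```

A plain packet filter sees only the two addresses passed as ip_src and ip_dst; everything in the returned dictionary is visible only to a device that parses the SIP payload.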