On Tuesday 06 May 2003 12:13, Jan Janak wrote:
On 06-05 12:40, Juha Heinanen wrote:
Jan Janak writes:
And this is very tricky, that is the reason why there is no such helper application yet.
Are you saying that implementing a SIP helper for iptables is more complicated than implementing SIP support in firewalls like Cisco PIX, Firewall One, Nortel Shasta, Intertex, etc. that already have SIP support?
No, it is not more complicated. I am saying that SIP support is generally tricky. Getting signalling through is easy; associated media streams are the hard part.
I do not know the internals of PIX etc., so it is hard to say for which platform it is more complicated. AFAIK there is no SIP helper yet. And maybe it sounds hard, but I believe that there will never be one freely available. The modules for ipchains were just a search and replacement of port numbers and IPs. And the netfilter team refuses to accept such an incomplete module. They want a parser for SIP and SDP before they will accept it as an official part of netfilter. The hardest part for such a module is that it is not possible to resolve host names from kernel space. And every UA is free to use DNS names or IPs in its SIP requests. Letting media through the packet filter and connection tracking is also not easy but should be possible.
Regards Nils Ohlmeier
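
The host-name problem described in the message above, as an added example that is not part of the original thread and not netfilter code: a user-space Python sketch that parses the SDP body of an INVITE, pairs each `m=` line with its connection address, and flags streams whose address is a DNS name that a helper without a resolver could not turn into a pinhole. The sample SDP, the function names and the `needs_dns` field are constructed for illustration.

```python
import ipaddress

# Constructed SDP body of a SIP INVITE (sample data, not from the thread).
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 ua.example.com\r\n"
    "s=-\r\n"
    "c=IN IP4 ua.example.com\r\n"      # session-level address is a host name
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"      # inherits the session-level c= line
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.10\r\n"          # media-level c= overrides it
)

def is_ip_literal(addr):
    """True if addr can be used as-is in a filter rule (no DNS lookup)."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False

def media_endpoints(sdp):
    """Return one dict per m= line: media type, port, address, needs_dns."""
    session_addr = None
    streams = []
    for line in sdp.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue                            # not a "<type>=<value>" line
        kind, fields = line[0], line[2:].split()
        if kind == "c" and len(fields) == 3:
            # c=<nettype> <addrtype> <connection-address>[/ttl[/count]]
            addr = fields[2].split("/")[0]
            if streams:
                streams[-1]["address"] = addr   # media-level override
            else:
                session_addr = addr             # applies to later m= lines
        elif kind == "m" and len(fields) >= 3:
            # m=<media> <port>[/<count>] <proto> <fmt> ...
            port = fields[1].split("/")[0]
            if port.isdigit():
                streams.append({"media": fields[0], "port": int(port),
                                "address": session_addr})
    for s in streams:
        # A DNS name here is what a kernel-space helper cannot resolve.
        s["needs_dns"] = s["address"] is not None and not is_ip_literal(s["address"])
    return streams

if __name__ == "__main__":
    for stream in media_endpoints(SAMPLE_SDP):
        print(stream)
```
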