[Serusers] Firewall
Nils Ohlmeier
nils at iptel.org
Tue May 6 13:38:17 CEST 2003
On Tuesday 06 May 2003 12:13, Jan Janak wrote:
> On 06-05 12:40, Juha Heinanen wrote:
> > Jan Janak writes:
> > > And this is very tricky, that is the reason why there is no such
> > > helper application yet.
> >
> > are you saying that implementing sip helper for iptables is more
> > complicated than implementing sip support in firewalls like cisco pix,
> > firewall one, nortel shasta, intertex, etc. that already have sip
> > support.
>
> No, it is not more complicated. I am saying that SIP support is
> generally tricky. Getting signalling through is easy, associated media
> streams is the hard part.
I do not know the internals of pix etc. So it is hard to say for which
platform it is more complicated.
AFAIK there is no SIP helper yet. And maybe it sounds hard, but I believe that
there will never be one freely available.
The modules for ipchains were just a search and replacement of port numbers and
IPs. And the netfilter team refuses to accept such an incomplete module. They
want a parser for SIP and SDP before they will accept it as an official part of
netfilter.
The hardest part for such a module is that it is not possible to resolve host
names from the kernel space. And every UA is free to use DNS names or IPs in
its SIP requests.
Letting media through the packet filter and connection tracking is also not
easy but should be possible.
Regards
Nils Ohlmeier
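
The difference between search-and-replace and actually parsing SIP and SDP, as an added example that is not part of the original message and not netfilter code: a user-space Python function that reads the SDP body of a constructed INVITE, derives the media flows a packet filter would have to expect, and marks connection addresses given as host names, which a kernel-space helper could not resolve. The function and field names are hypothetical, and the RTCP port is assumed to be the RTP port plus one.

```python
import ipaddress

# Constructed sample INVITE (not captured traffic); documentation address ranges.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 media.example.org\r\n"
)

def is_literal_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False

def expected_media_flows(sip_message):
    """Return one dict per accepted m= line of the SDP body."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []  # no SDP body, so no media pinholes to derive
    session_addr, flows = None, []
    for line in body.splitlines():
        parts = line[2:].split()
        if line.startswith("c=") and len(parts) == 3:
            addr = parts[2].split("/")[0]  # drop a multicast TTL suffix
            if flows:
                flows[-1]["addr"] = addr   # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m=") and len(parts) >= 3:
            port = parts[1].split("/")[0]  # "49170/2" carries a port count
            if not port.isdigit() or int(port) == 0:
                continue                   # port 0 means the stream is declined
            flows.append({"media": parts[0], "addr": session_addr,
                          "rtp": int(port), "rtcp": int(port) + 1})
    for flow in flows:
        # A host name here is the case a kernel-space helper cannot resolve.
        flow["needs_dns"] = flow["addr"] is not None and not is_literal_ip(flow["addr"])
    return flows
```
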