Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 2 subscribers
  • Views 1649 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Packet filter passing undesired packets?

brk
Hello,

I was reviewing my asterisk log and found a connection attempt from an unexpected peer.

I found the attempt in the astaro log as follows -

2010:05:24-05:24:24 brk ulogd[3437]: id="2016" severity="info" sys="SecureNet" sub="packetfilter" name="SIP call RTP" action="SIP call RTP" fwrule="60018" seq="0" initf="ppp0" outitf="eth0" srcip="188.138.56
.109" dstip="192.168.1.60" proto="17" length="442" tos="0x00" prec="0x00" ttl="52" srcport="5076" dstport="5060"

2010:05:24-05:24:26 brk ulogd[3437]: id="2016" severity="info" sys="SecureNet" sub="packetfilter" name="SIP call RTP" action="SIP call RTP" fwrule="60018" seq="0" initf="ppp0" outitf="eth0" srcip="188.138.56
.109" dstip="192.168.1.60" proto="17" length="459" tos="0x00" prec="0x00" ttl="52" srcport="5065" dstport="5060"


What I don't understand is why this packet would get through?  I have sip enabled, but have a specific server list and the above IP address isn't on the allowed list.

How can I debug why this happened?  I don't see any other reference to that srcip address anywhere else in the logs.  Also, is there any logging of the network definitions when they are resolved?


This thread was automatically locked due to age.
Parents
  • 0
    brk:/root # cc get sip expect_strict
    sip->expect_strict = 0

    brk:/root # cc set sip expect_strict 1
    [
              'INVALID_NODE',
              {
                'attrs' => [],
                'function' => 'set',
                'name' => 'invalid tree node specified',
                'external' => 'set',
                'nodelist' => 'sip->expect_strict',
                'msgtype' => 'INVALID_NODE',
                'format' => 'invalid tree node specified',
                'fatal' => 1
              }
            ]


    Looks like the set isn't accepted.

    I have no idea who that host was that was contacting me.

    I am still not clear - why would they widen the SIP proxy?  If the user wanted it widened wouldn't one just put "all" in the servers list?

    Also, I noticed on 7.505 one of my SIP devices (on port 5065) stopped working. Was working fine before on 7.504.  I had to put in a DNAT rule to make it work.
Reply
  • 0
    brk:/root # cc get sip expect_strict
    sip->expect_strict = 0

    brk:/root # cc set sip expect_strict 1
    [
              'INVALID_NODE',
              {
                'attrs' => [],
                'function' => 'set',
                'name' => 'invalid tree node specified',
                'external' => 'set',
                'nodelist' => 'sip->expect_strict',
                'msgtype' => 'INVALID_NODE',
                'format' => 'invalid tree node specified',
                'fatal' => 1
              }
            ]


    Looks like the set isn't accepted.

    I have no idea who that host was that was contacting me.

    I am still not clear - why would they widen the SIP proxy?  If the user wanted it widened wouldn't one just put "all" in the servers list?

    Also, I noticed on 7.505 one of my SIP devices (on port 5065) stopped working. Was working fine before on 7.504.  I had to put in a DNAT rule to make it work.
Children
No Data