I was talking about the SIP ALG in the firewall. It did not allow SIP
traffic that was standard compliant through. A checkpoint engineer said
that according to *him* it was not standard use of SIP. The best you can
do is junk Checkpoint and use something else.
Jan.
On 15-11-2005 13:47, Joao Pereira wrote:
The firewall says that our SIP implementation doesnt
follow one of the
RFCs or the packets are malformed.
To test this, I started SER with the default configuration, that simply
accepts registrations and redirects the INVITEs and It still doesnt work.
The Firewall vendors said that it supported SIP... That´s why I need to
know if the problem is from SER or Cisco phones or with the firewall....
I cant change the firewall :(
What do you mean with having troubles with the vendor? Are you talking
of the hard SIP configuration of the firewall 1?
Thanks
Jo??o Pereira
Jan Janak wrote:
>Checkpoint firewalls contain stateful SIP packet inspection. It will
>look into the packet and decide whether it should be dropped or allowed
>based on the contents of the SIP message.
>
>I guess you would have to change some settings in the firewall to make
>the messages go through.
>
>I would recommend you to use something else than Checkpoint firewalls.
>We have had troubles with this vendor.
>
> Jan.
>
>On 15-11-2005 12:38, Joao Pereira wrote:
>
>
>>Hello
>>I have two Cisco 7940 phones with private addresses (10.0.11.239 and
>>10.0.11.140) connected to SER also with private address (10.0.0.135),
>>but in another network.
>>
>>My SER is with the default configuration.
>>
>>Between the networks I have a Checkpoint Firewall-1NG
>>The Cisco IP phones can register because the REGISTER packets arent
>>blocked.
>>But the INVITEs never reach SER (I checked with ngrep), because the
>>Firewall drops them, saying there was an illegal redirection.
>>
>>The most strange part, is that, when I try to make a phone call from
>>PhoneA(10.0.11.239) to PhoneB(10.0.11.240), the INVITE is dropped before
>>reaching SER, and it says "Illegal redirection
10.0.0.135->10.0.11.240".
>>How can the firewall know that the INVITE was going to be redirected by
>>SER to PhoneB(10.0.11.240) ????
>>
>>
>>my ser.cfg (the default one):
>>
>># $Id: ser.cfg,v 1.25 2004/11/30 16:28:24 andrei Exp $
>># simple quick-start config script
>>
>># ----------- global configuration parameters ------------------------
>>
>>debug=3 # debug level (cmd line: -dddddddddd)
>>fork=yes
>>log_stderror=yes # (cmd line: -E)
>>
>>listen = 10.0.0.135
>>
>>/* Uncomment these lines to enter debugging mode
>>fork=no
>>log_stderror=yes
>>*/
>>
>>check_via=no # (cmd. line: -v)
>>dns=no # (cmd. line: -r)
>>rev_dns=no # (cmd. line: -R)
>>
>>
>># ------------------ module loading ----------------------------------
>>
>>loadmodule "/usr/local/lib/ser/modules/sl.so"
>>loadmodule "/usr/local/lib/ser/modules/tm.so"
>>loadmodule "/usr/local/lib/ser/modules/rr.so"
>>loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
>>loadmodule "/usr/local/lib/ser/modules/usrloc.so"
>>loadmodule "/usr/local/lib/ser/modules/registrar.so"
>>loadmodule "/usr/local/lib/ser/modules/textops.so"
>>
>>
>># ----------------- setting module-specific parameters ---------------
>>
>># -- usrloc params --
>>
>>modparam("usrloc", "db_mode", 0)
>>
>># -- rr params --
>># add value to ;lr param to make some broken UAs happy
>>modparam("rr", "enable_full_lr", 1)
>>
>># ------------------------- request routing logic -------------------
>>
>># main routing logic
>>
>>route{
>> # initial sanity checks -- messages with
>> # max_forwards==0, or excessively long requests
>> if (!mf_process_maxfwd_header("10")) {
>> sl_send_reply("483","Too Many Hops");
>> break;
>> };
>> if (msg:len >= max_len ) {
>> sl_send_reply("513", "Message too big");
>> break;
>> };
>>
>> # we record-route all messages -- to make sure that
>> # subsequent messages will go through our proxy; that's
>> # particularly good if upstream and downstream entities
>> # use different transport protocol
>> if (!method=="REGISTER") record_route();
>>
>> # subsequent messages withing a dialog should take the
>> # path determined by record-routing
>> if (loose_route()) {
>> # mark routing logic in request
>> append_hf("P-hint: rr-enforced\r\n");
>> route(1);
>> break;
>> };
>>
>> if (!uri==myself) {
>> # mark routing logic in request
>> append_hf("P-hint: outbound\r\n");
>> route(1);
>> break;
>> };
>>
>> # if the request is for other domain use UsrLoc
>> # (in case, it does not work, use the following command
>> # with proper names and addresses in it)
>> if (uri==myself) {
>>
>> if (method=="REGISTER") {
>>
>> save("location");
>> break;
>> };
>>
>> lookup("aliases");
>> if (!uri==myself) {
>> append_hf("P-hint: outbound alias\r\n");
>> route(1);
>> break;
>> };
>>
>> # native SIP destinations are handled using our USRLOC DB
>> if (!lookup("location")) {
>> sl_send_reply("404", "Not Found");
>> break;
>> };
>> };
>> append_hf("P-hint: usrloc applied\r\n");
>> route(1);
>>}
>>
>>route[1]
>>{
>> # send it out now; use stateful forwarding as it works reliably
>> # even for UDP2TCP
>> if (!t_relay()) {
>> sl_reply_error();
>> };
>>}
>>
>>
>>
>>
>>
>>_______________________________________________
>>Serusers mailing list
>>serusers(a)lists.iptel.org
>>http://lists.iptel.org/mailman/listinfo/serusers
>>
>>
>
>
>