Shorewall not passing 5060

Started by compsos, May 07, 2023, 04:23:32 AM


compsos

Hi
Hope all is well on your side of the world.
PBX release: 16.28.0
SAIL Release: 6.2.0-16+deb10u1
HPE Release: 6.0.0-9

My trunks show as unreachable whilst I have shorewall running. Turn it off and the number of messages for options and register drop from 34 to 2.

Is there an adjustment to shorewall to reduce interference on SIP traffic?


local.lan
xxx.xxx.xxx.x/24

local.if1
IF1=enp6s18

This is the rules file
ACCEPT net:$LAN $FW tcp 5060 - -   
ACCEPT net:$LAN $FW tcp 80 - - # HTTP
ACCEPT net:$LAN $FW tcp 443 - - # HTTPS
ACCEPT net:$LAN $FW tcp 22 - - # SSH
ACCEPT net:$LAN $FW udp 123 - - # NTP
ACCEPT net:$LAN $FW tcp 389 - - # LDAP
ACCEPT net:$LAN $FW udp 389 - - # LDAP
ACCEPT net:$LAN $FW udp 4569 - - # IAX2
ACCEPT net:$LAN $FW udp 5060 - - 4/min:5 # SIP
ACCEPT net:$LAN $FW udp 10000:20000 - -  # RTP

compsos

May have found the answer
If you run
shorewall show zones

it returns 0.0.0.0/0 and when I modify the local.lan file from "/" to "0.0.0.0/0" it now works as expected.

sysadmin

Hi there,

All good here. The local.lan file should show the subnet CIDR. Like this:

root@ip-10-0-1-34:~# cat /etc/shorewall/local.lan
LAN=10.0.1.0/24


A routine called setip (/opt/sark/generator/setip.php) runs as a systemd task (called setlan) each time you reboot the box. Among other things, it attempts to figure out the local network CIDR and set it into local.lan.

Things which can sometimes confuse it are multiple NICs on the box with the second (or higher) NIC attached to the LAN and NIC 0 empty.

The easiest way to see what it's doing is to simply run it inline and then look at syslog.

php /opt/sark/generator/setip.php
Syslog should look something like this

May  8 15:31:51 ip-10-0-1-34 php: SRK setip Interface name on this node: eth0
May  8 15:31:51 ip-10-0-1-34 php: SRK setip IPV4: 10.0.1.34
May  8 15:31:51 ip-10-0-1-34 php: SRK setip staticIPV4:
May  8 15:31:51 ip-10-0-1-34 php: SRK setip Network address: 10.0.1.0
May  8 15:31:51 ip-10-0-1-34 php: SRK setip netmask: 255.255.255.0
May  8 15:31:51 ip-10-0-1-34 php: SRK setip CIDR: 24

Hope this helps
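As an added illustration (not SAIL's setip.php and not code from this thread), the snippet below derives the LAN CIDR from the two values setip logs (IPV4 and netmask), renders the local.lan line in the form shown above, and validates an existing local.lan so the "LAN=/" result of a failed discovery is caught before Shorewall loads rules that reference net:$LAN. The sample address and netmask are constructed from the syslog excerpt above; it also flags the 0.0.0.0/0 workaround, since that value makes every net:$LAN rule match any source address rather than just the LAN.

```python
import ipaddress
import re

# Constructed sample values, taken from the setip syslog lines in this thread.
SAMPLE_IPV4 = "10.0.1.34"
SAMPLE_NETMASK = "255.255.255.0"

_LAN_LINE = re.compile(r"^LAN=(\S+)\s*$")


def lan_cidr(ipv4: str, netmask: str) -> str:
    """Derive the network CIDR (e.g. 10.0.1.0/24) from a host address and dotted netmask.

    strict=False lets ipaddress clear the host bits, so 10.0.1.34/255.255.255.0
    becomes 10.0.1.0/24, the same values setip logs as network address and CIDR.
    """
    return str(ipaddress.IPv4Network(f"{ipv4}/{netmask}", strict=False))


def render_local_lan(cidr: str) -> str:
    """Produce the one-line local.lan content in the format shown in the thread."""
    return f"LAN={cidr}\n"


def check_local_lan(text: str) -> tuple[bool, str]:
    """Validate local.lan contents; returns (ok, reason).

    Rejects the empty 'LAN=/' produced by a failed IP discovery and the
    catch-all 0.0.0.0/0, which stops net:$LAN rules from restricting sources to the LAN.
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        match = _LAN_LINE.match(line)
        if not match:
            return False, f"unexpected line: {line!r}"
        value = match.group(1)
        try:
            net = ipaddress.IPv4Network(value, strict=False)
        except ValueError:
            return False, f"LAN value is not a valid network: {value!r}"
        if net.prefixlen == 0:
            return False, "LAN=0.0.0.0/0 matches every source; net:$LAN rules no longer limit to the LAN"
        return True, f"LAN={net}"
    return False, "no LAN= line found"


if __name__ == "__main__":
    print(render_local_lan(lan_cidr(SAMPLE_IPV4, SAMPLE_NETMASK)), end="")
    print(check_local_lan("LAN=/\n"))
```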

compsos

Thank you for the reply.
What led us to this was that in sngrep the packets were not getting back to the PBX from the ITSP. Turned off shorewall and it worked perfectly. The local.lan file read "LAN=/" and on some other systems it was 0.0.0.0/0 which works.

The PBX is a node in a Proxmox server with only 1 NIC defined.

I will run the php line and see what we get back.

sysadmin

Usually if it is "LAN=/" then something went wrong in the IP discovery. I haven't used Proxmox for quite some time and my memory is hazy. The example I showed you above was from a live AWS Debian instance. We also use Parallels for local testing and it behaves the same as AWS.

I'd be interested to see what "ip a" gives on your Proxmox instance. That may give some clues.