snomONE 5.0.3 on CentOS 6.3 & iptables


shigeru

Hello!

 

I have installed and am trying to set up snomONE 5.0.3 on CentOS 6.3. I have installed CentOS with:

 

CentOS-6.3-x86_64-netinstall-EFI.iso

After fully updating the OS, I installed snomONE as described on http://wiki.snomone.com/index.php?title=Installations

 

$ wget http://www.snomone.com/downloads/snomONE/install-centos.sh
$ chmod a+rx install-centos.sh
$ ./install-centos.sh

 

Then I tried to set up a snom870 at hand for PnP provisioning. All my attempts failed until I turned iptables off on CentOS. I have set up the rules according to the snomONE wiki articles:

 

TCP 80, 161, 389, 443, 5060, 5061

UDP 69, 5060, 49152-64512

Did I miss any other port to set open? I do not want to leave iptables/firewall down on my snomONE machine. Any ideas?

 

Thanks.

We had the same problem with our test installation. There is documentation available for the CentOS firewall, e.g. http://wiki.centos.org/HowTos/Network/IPTables. iptables is very powerful, but could be easier to use...

 

You can also use netstat to check which ports the pbxctrl process has opened. RTP ports are opened on demand, so make sure that you also list them there.


Thank you for pointing to the documents regarding IPTables, but what I am looking for, and the reason I have posted, is to know what the real set of ports is that snomONE requires. They are definitely more than what snomONE's somewhat outdated and broken wiki documentation (http://wiki.snomone.com/) has been suggesting.

 

Do you mean that you are not aware of any other ports used by snomONE other than those I have listed? Could you share snomONE's real network requirements specification?

 

Thanks.

 

Version:	5.0.3 (CentOS64)
Created on:	Dec 14 2012 14:28:41
License Status:	snom ONE free

Well, there are server ports and there are client ports. For server ports, having SIP (UDP/TCP/TLS) and HTTP (TCP/TLS), possibly TFTP (UDP) and maybe even SNMP (UDP) should be sufficient. Client ports like the DNS client can actually take random numbers.

 

RTP is somewhat different, first of all because it is a server port and you must specify a port range there. RTP is difficult to track down with netstat, but I don't think that we are trying to hide port numbers here. http://wiki.snomone.com/index.php?title=Ports has some information on what the ports are actually doing. Of course the protocols themselves are described in the RFCs; we don't want to repeat that in the wiki.

 

BTW, in Windows it seems to be easier to control the firewall; all you need to say there is "trust that application". Not sure if there is an equivalent for CentOS/iptables.


Would not the ports I listed in the first post cover all the server ports you mentioned?

 

I suspect that the ports listed above do not cover all the ports required for snomONE to operate properly, as it failed to provide areas of snomONE functions, especially around PnP provisioning in my case. So once again, I am asking for the exhaustive list of the server ports that snomONE truly requires for its full operation.

 

Thanks.

In newer versions of iptables, you can actually use an owner rule: try "iptables -m owner --help" to see if that is available on your system.

 

Unfortunately that option only applies to OUTPUT and not INPUT. I do not have any OUTPUT restrictions in my iptables settings for now. Also, in order to use this rule for OUTPUT restrictions, I will have to make a dedicated user for snomONE, which is a more secure practice than what the snomONE installer does. It still does not solve the issue with INPUT.

 

Do you really not have an actual exhaustive list of the ports used by snomONE?

 

Thank you.

There is no "exhaustive" list. It all depends on the port settings in the PBX. But anyway, because this is of general interest, here is a summary:

 

  • SIP: Here you may have zero, one or more UDP ports and zero, one or more TCP or TLS ports. The port numbers are set in the web interface of the PBX. Ports may be bound to IPv4 and IPv6 addresses. By default, they are bound to both. Default is 5060 for UDP, 5060 and 5061 for TCP/TLS.
  • HTTP: Here you may have zero, one or more TCP or TLS ports. The port numbers are set in the web interface of the PBX. Ports may be bound to IPv4 and IPv6 addresses. By default, they are bound to both. Default is 80 and 443.
  • TFTP: Here you may have zero, one or more UDP ports. The port numbers are set in the web interface of the PBX. The default port is 69 (both for IPv4 and IPv6).
  • SNMP: Here you may have zero, one or more UDP ports. The port numbers are set in the web interface of the PBX. The default port is 161 (both for IPv4 and IPv6).
  • NTP: Here you may have zero, one or more UDP ports. The port numbers are set in the web interface of the PBX. The default is no port.
  • LDAP: Here you may have zero, one or more TCP ports. The port numbers are set in the web interface of the PBX. The default port is 389 (both for IPv4 and IPv6).
  • RTP: Here you have to specify a port range. Default is 49152 to 65535. If you want to lower the risk that other (potentially malicious) applications grab traffic from those ports, you should make the port range shorter; but for every call that you want to run on the system you must have at least 4 ports available. For example, if your system should be able to support 10 concurrent calls, you need to have at least 40 ports in that range.

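An added example (not part of the thread, nor snomONE's own code) that turns the port summary above into iptables INPUT rules and sizes the RTP range at 4 ports per call as the reply describes. It assumes the default port numbers listed (SIP 5060/udp and 5060-5061/tcp, HTTP 80/443, TFTP 69/udp, SNMP 161/udp, LDAP 389/tcp, RTP starting at 49152) and only prints the rules, so it can be run and checked without root before being applied on the PBX host.

```shell
#!/bin/sh
# Generate iptables INPUT rules for the snomONE server ports summarised above.
# Constructed example: port numbers are the defaults named in the thread; the
# RTP range is shortened to 4 ports per concurrent call instead of the full
# 49152-65535 default. Output is printed, not applied.

RTP_START=49152        # lower end of the RTP range (snomONE default)
PORTS_PER_CALL=4       # the reply states at least 4 ports per call

# rtp_range_end START CALLS -> last port needed for CALLS concurrent calls
rtp_range_end() {
    echo $(( $1 + $2 * PORTS_PER_CALL - 1 ))
}

# snomone_rules CALLS -> one "iptables -A INPUT" line per listed server port
snomone_rules() {
    calls=$1
    end=$(rtp_range_end "$RTP_START" "$calls")
    # Return traffic of connections the PBX opened itself (DNS and other
    # client ports take random numbers) is covered by the state rule.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for spec in tcp:80 tcp:443 tcp:5060 tcp:5061 tcp:389 udp:5060 udp:69 udp:161; do
        proto=${spec%%:*}
        port=${spec#*:}
        echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    done
    # RTP: a single rule covering the whole (shortened) range
    echo "iptables -A INPUT -p udp --dport ${RTP_START}:${end} -j ACCEPT"
}

# Number of rules emitted: 1 state rule + 8 service ports + 1 RTP range
snomone_rule_count() {
    snomone_rules "$1" | wc -l | tr -d ' '
}

# Usage: ./snomone-rules.sh [concurrent_calls]   (default 10 -> 40 RTP ports)
snomone_rules "${1:-10}"
```

Compare the printed list against "netstat -lnp" output for pbxctrl on the PBX host before loading it; any port the PBX has been configured to listen on that is missing here must be added in the same form.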


What you just mentioned above is covered by the list of ports I have posted initially, right?
