Koozali.org: home of the SME Server

SAIL - trying it out

WillKemp

SAIL - trying it out
« on: May 14, 2006, 08:25:48 AM »
I spent most of this weekend installing and configuring SAIL (2.1.11-181 as I couldn't manage to get onto the FTP server to d/l a more recent version).

I've been using Asterisk for about a year and a half now and have always preferred configuring it by editing the config files, but I've finally been convinced to give SAIL a try (by Burnat). So I've been trying to transfer my configs (6 ITSP SIP accounts and 2 IAX2, and various dialplan bits to make it operate like a landline phone with extras...)

It's been reasonably easy so far, although at the moment I don't seem to be able to get incoming calls working, but I'm sure I'll work that out soon enough. There are a couple of things that I think are worth commenting on though.

1) Firewall: I'm fairly fluent in iptables, but I've been struggling to try and work out how to configure the firewall to only allow access to ports 5060 and 4569 from my ITSPs' servers. I haven't quite cracked this one yet.

I think it would be very desirable to have this happen by default, rather than for those ports to be open to the whole internet - which is horribly risky! Until I can get this firewall stuff working properly, I've got no intention of switching to SAIL from my existing system.

2) Trunklines: It seems to be a mistake to have the identifier for a service set automatically from its username. For a start, this makes the incorrect assumption that these are always going to be unique. Secondly, it makes it very hard to identify which service you're working with. My usernames are mostly numerical - between 5 and 11 digits - although one is letters, and with most of them it's not easy to see at a glance which service it refers to.

It would be a better idea to have an identifier which the user can configure for each service. That way, you can see what you're working with and you can guarantee they're unique.

Regards
Will

SARK devs (http://sarkpbx.com)
SAIL - trying it out
« Reply #1 on: May 14, 2006, 11:17:12 AM »
Hi will,

First of all, thanks for a most constructive post.  Stuff like this really helps us improve the product.  Here are our observations/questions...

Oh, and apologies about the download server, we're reconfiguring our network this weekend.  You should be able to get -193 (the latest update) on Monday.

Quote
1) Firewall: I'm fairly fluent in iptables, but I've been struggling to try and work out how to configure the firewall to only allow access to ports 5060 and 4569 from my ITSPs' servers. I haven't quite cracked this one yet.

I think it would be very desirable to have this happen by default, rather than for those ports to be open to the whole internet -

OK, observation first.  There are three levels of abstraction in the system.  SAIL admin operates at the highest level.  The on-line/panels bit generates the asterisk .conf files, nothing else.  Below that we have Asterisk, which we enhance by the addition of a C code AGI which handles the majority of SAIL/Asterisk's real-time associative/logic processing.  Finally we have SME Server, which manages CentOS (including the firewalls).   Neither SAIL nor Asterisk is firewall aware.

However, your point about allowing/denying access at the carrier level is interesting.  Our question is... How do you achieve this with your existing asterisk system?   What firewall rules did you implement ...and where is/was your firewall?  ...onboard with the asterisk instance or elsewhere?

Quote
2) Trunklines: It seems to be a mistake to have the identifier for a service set automatically from its username. For a start, this makes the incorrect assumption that these are always going to be unique. Secondly, it makes it very hard to identify which service you're working with.

We really aren't sure we've understood this, so if we're answering the wrong question, please bear with us.  There are two "user" names to deal with.  The SIP/IAX user name (which is almost always a DID number in the case of a Trunk - only siblings use name strings) and the account user name, which is used for account validation.  SIP/IAX Trunk user names are unique within a domain (or should be) since they form part of the URL.  If, on the other hand, you are referring to sibling Trunks (which seems more likely to us), then yes, we use a concatenation of the two system names to define the SIP/IAX peer/user, and yes, if two systems have the same name in different domains, this could lead to a clash (just as it can with things like IPsec etc.).   This is an issue we've debated quite heavily at Selintra. We really like the current Sibling solution because it is very simple (just two simple data elements need to be defined on each sibling node).  However, we could expose the system generated names to allow you to specify your own and perhaps add a higher level reference qualifier.  We'll certainly give it some thought.

Kind Regards

Selintra

WillKemp

SAIL - trying it out
« Reply #2 on: May 14, 2006, 12:24:57 PM »
Quote from: "selintra"
Neither SAIL, nor Asterisk are firewall aware.

No, I know Asterisk isn't, but doesn't SAIL open the SIP, RTP and IAX2 ports? Although maybe that's at installation time...

Quote
However, your point about allowing/denying access at the carrier level is interesting.  Our question is... How do you achieve this with your existing asterisk system? What firewall rules did you implement ...and where is/was your firewall?  ...onboard with the asterisk instance or elsewhere?

I've got a script (called rc.iptables) which runs at boot time. I do stuff like:

# $IEXT holds the name of the external (internet-facing) interface and is set earlier in the script
# sipgate.co.uk - 217.10.79.219
iptables -A INPUT -i $IEXT -s 217.10.79.219 -p udp --dport 5060 -m state --state NEW,INVALID -j LOG --log-level debug --log-prefix "FW ASTERISK "
iptables -A INPUT -i $IEXT -s 217.10.79.219 -p udp --dport 5060 -m state --state NEW,INVALID -j ACCEPT

Quote
Quote
2) Trunklines: It seems to be a mistake to have the identifier for a service set automatically from its username. For a start, this makes the incorrect assumption that these are always going to be unique. Secondly, it makes it very hard to identify which service you're working with.

We really aren't sure we've understood this, so if we're answering the wrong question, please bear with us.  There are two "user" names to deal with.  The SIP/IAX user name (which is almost always a DID number in the case of a Trunk - only siblings use name strings)

Almost always, yes - but not always always! My Voipgate (IAX) account username is a name string.

Quote
and the account user name which is used for account validation.

I'm talking about the label which begins the sip.conf/iax.conf config stanza - e.g., [1432324]
Peer name or line: 1432324

However, while I was having a look a few seconds ago to try and work out exactly which field of the config page that comes from, I realised that these labels come from DID/SIP User Name: and SIP/IAX Peer Name: in the "New Trunk" page. I didn't really know what the significance of those fields in that page was, so I'd set them all to the username - obviously not necessarily the right thing to do...

Maybe I should have read the SARK/SAIL Documentation Pages before I did the configuration - or at least before I posted a message complaining about what appears to be a non-existent problem! ;-)

JonB
SAIL - trying it out
« Reply #3 on: May 14, 2006, 12:45:18 PM »
Will,

Allowing access only from your ITSPs is easy enough.

From console

for SIP

#config setprop SIP AllowHosts xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy

for IAX2

#config setprop IAX2 AllowHosts xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy

Then do

#signal-event remoteaccess-update

where the hosts are a comma-separated list of IP addresses.

I don't believe this should be done by default at all, as it disables road-warrior access from softphones etc. This should be documented and left to the individual's choice.

Jon
...

WillKemp

SAIL - trying it out
« Reply #4 on: May 14, 2006, 01:03:23 PM »
Quote from: "JonB"
#config setprop SIP AllowHosts xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
[......]
#signal-event remoteaccess-update

Thanks for that. I tried that earlier, but had some problems that made me think the firewall was blocking stuff it shouldn't have been. I can't remember exactly what the story was now, so I'll give it another try and double check.

Quote
I don't believe this should be done by default at all, as it disables road-warrior access from softphones etc. This should be documented and left to the individual's choice.

I guess it's a question of whether security is more important than ease of access or not... Personally, I'd prefer not having to risk ever needing to deal with a rootkit again over not having to bother with opening a port if I need to! ;-)

chris burnat (http://www.burnat.com)
SAIL - trying it out
« Reply #5 on: May 14, 2006, 01:30:38 PM »
Quote from: "JonB"
Allowing access only from your ITSPs is easy enough.

Hello Jon, I am still using the workaround you had provided for opening the firewall, but now have 191 installed.  Does this mean that the custom template I had created [90InboundUDP20rtp_udp] is no longer required?

And: Is there a db command to allow access only from the ITSPs for ports 10,000 to 20,000?
Many thanks. chris.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.
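Pulling the firewall side of this thread together, here is an added shell example. It is not SAIL, SARK or SME Server code, and it is not what `signal-event remoteaccess-update` actually generates from the AllowHosts property; it simply takes a comma-separated host list of the shape Jon's `config setprop` commands use and emits iptables rules in the shape of Will's rc.iptables snippet, admitting UDP on one port (or, for the RTP case Chris asks about, a range such as 10000:20000) only from the listed addresses and dropping everything else to that port. `$IEXT` is assumed to be the external interface, as in Will's script, and the rules assume the usual ESTABLISHED,RELATED accept earlier in the INPUT chain, so only NEW packets are matched. A malformed address makes the generator print nothing and fail, so a typo never leaves a half-built rule set behind.

```shell
#!/bin/sh
# Added example, not SAIL/SME Server code: build per-ITSP iptables rules
# from a comma-separated host list (the AllowHosts shape used in this
# thread). Assumes $IEXT names the external interface (as in Will's
# rc.iptables) and that ESTABLISHED,RELATED traffic is already accepted
# earlier in the INPUT chain.
IEXT="${IEXT:-eth0}"   # assumed interface name; override in the environment

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(echo "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# gen_rules HOSTS PORT
#   HOSTS: comma-separated IPv4 list, e.g. "217.10.79.219,192.0.2.10"
#   PORT:  a single UDP port ("5060", "4569") or a range ("10000:20000")
# Prints a LOG rule and an ACCEPT rule per host, then one DROP for the
# port, so anything not on the list is refused. On an empty list or a
# malformed address it prints nothing to stdout and returns 1.
gen_rules() {
    port="$2"
    out=""
    set -- $(echo "$1" | tr ',' ' ')
    [ $# -gt 0 ] || { echo "gen_rules: empty host list" >&2; return 1; }
    for h in "$@"; do
        is_ipv4 "$h" || { echo "gen_rules: bad address '$h'" >&2; return 1; }
        out="${out}iptables -A INPUT -i $IEXT -s $h -p udp --dport $port -m state --state NEW -j LOG --log-prefix \"FW ASTERISK \"
iptables -A INPUT -i $IEXT -s $h -p udp --dport $port -m state --state NEW -j ACCEPT
"
    done
    out="${out}iptables -A INPUT -i $IEXT -p udp --dport $port -j DROP"
    printf '%s\n' "$out"
}

# rule_count HOSTS PORT: number of rules gen_rules would emit
rule_count() {
    gen_rules "$1" "$2" | wc -l | tr -d ' '
}

# Demo: restrict SIP, IAX2 and the RTP range to two constructed ITSP
# addresses (217.10.79.219 is the sipgate address from Will's post;
# 192.0.2.10 is a documentation-range placeholder).
if [ "${1:-}" = "--demo" ]; then
    for p in 5060 4569 10000:20000; do
        gen_rules "217.10.79.219,192.0.2.10" "$p"
    done
fi
```

Run it with `--demo` to print the rules, or pipe the output of `gen_rules` into `sh` from a boot-time script once you have checked it; the per-host LOG rules give you a record of which ITSP each accepted registration came from, which is the same thing Will's `FW ASTERISK` prefix is for.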

SARK devs (http://sarkpbx.com)
SAIL - trying it out
« Reply #6 on: May 14, 2006, 01:51:54 PM »
Quote
but doesn't SAIL open the SIP, RTP and IAX2 ports? Although maybe that's at installation time...

Yes we do, rather reluctantly, open 5060, 4569 and 10000-20000 at install time.  We really have no business doing this, but in the absence of any visual/graphical firewall controls within SME Server, and the absolute absence of any ability to open a port range, we felt we had to, to make life easier for those who just want to install SAIL and have it work "out of the box".

In truth, in these days of widespread symmetrical RTP, including Asterisk's nascent ability in this area, it's not usually necessary to open the RTP ports at all if the SAIL box is in server-gateway mode (you'll still need to open/forward them if you are running server-only in the green or orange zones).  

We'll put up a note on the Docs pages covering the issues so that people can decide according to their individual circumstances.  

Kind Regards

jeff@selintra

JonB
SAIL - trying it out
« Reply #7 on: May 14, 2006, 02:14:17 PM »
Jeff,

It should be easy enough to have a global setting Private/Public

and set the db properties

config setprop SIP access private or public
config setprop IAX2 access private or public
signal-event remoteaccess-update

on save

The RTP custom-template would need to be scripted differently to do the same thing.

Jon
...

SARK devs (http://sarkpbx.com)
SAIL - trying it out
« Reply #8 on: May 14, 2006, 02:40:47 PM »
Quote
It should be easy enough to have a global setting Private/Public

Yeah, you're right mate.  We'll put it on the list.

Best

Jeff

WillKemp

SAIL - trying it out
« Reply #9 on: May 14, 2006, 11:52:04 PM »
Quote from: "selintra"
Yes we do, rather reluctantly, open 5060, 4569 and 10000-20000 at install time.  We really have no business doing this, but in the absence of any visual/graphical firewall controls within SME Server, and the absolute absence of any ability to open a port range, we felt we had to, to make life easier for those who just want to install SAIL and have it work "out of the box".

Well, maybe giving people the option of allowing access to the whole world, allowing access only to specific ITSP servers, or not allowing access at all, would make opening the firewall a bit more palatable...?

It would be nice to have a tick box in the "New Trunk" section to allow incoming connections from this service. And perhaps one in the global settings to allow incoming connections from the entire world.

By the way, now I've got that thing about the sip.conf/iax.conf config stanza names clear, maybe I'll be able to get incoming calls working. I doubt it would have helped having two stanzas with the same name for each service! ;-) No time to reconfigure and test it now, but I'll have a look at it this evening.

Will