<p dir="ltr">The problem is that there are SIP port scanners constantly scanning IP addresses on the internet for the known SIP port; when they find one, they automatically and systematically try to break SIP authentication and try to make routing. It is a very vicious world out there for SIP. Changing the port is the least defense we can do, very minimally. Of course there are other solutions, like putting in an SBC or something, but it depends on circumstances. So for whatever we can control, such as our deployed softphone or IP phone, we change its default SIP port listener.</p>
<p dir="ltr">My own solution is always open source. In the hacking case I had put our solution in the partner network. I cannot control what hardware my partner is using. And in the SIP/network world we interconnect with all kinds of hardware and software, both commercial and OSS.</p>
<p dir="ltr">Donny</p>
<div class="gmail_quote">On Oct 23, 2013 10:10 PM, "hcoin" <<a href="mailto:hcoin@quietfountain.com">hcoin@quietfountain.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Donny, It's a balancing act, people
choose commercial routers because they want it all to 'just work'
and not have to get into the guts of it. That's what people
expect and pay for-- 'just working', you pay for not being forced
to learn the guts and 'deal with it'. <br>
<br>
My policy has been that if the commercial router doesn't come with
a staff member at the commercial company to make the problem go
away, go to an open source solution. If you're going to be made
to 'deal with it', then you might as well have access to all the
guts, all the tools, the whole thing yourself. Otherwise you wind
up working for free making someone else's commercial product
better, and who knows if the next release will break your fix or
not. No, if you are being forced to deal with a problem in the
guts of commercial software yourself, you aren't getting any value
and the answer is find out whether an open source version is solid
enough and if it is go with that. Might as well learn
'everything' about something you can compile yourself if it comes
down to that. You pick up a lot of dubious skills though, for
example I can now edit freeswitch transport protocols and the sip
stack. A thing I hope never to have to do.... Seriously whoever
came up with RTP and SIP using a bezillion ports and the whole NAT
nightmare.... arg. Look how much of freeswitch is not dealing
with telephone and talk issues, but routing issues. It's half a
router itself. <br>
<br>
This business of weaving together products made by various
vendors: routers, soft phones, pstn-voip legacy boxen,
freeswitch, routers, 'guis on top of X', it's every bit as tough
as programming. In programming you control 'the world' and have a
narrow focus. This business of integrating lots of work by lots
of folks, not for the timid.<br>
<br>
<br>
On 10/23/2013 01:42 AM, Donny Hardyanto wrote:<br>
</div>
<blockquote type="cite">
<p>I am now practicing not using the standard port because of some hacks
a couple of months ago. It was quite bad; it cost thousands of dollars
and we cannot find the culprit IP address because the router ALG
rewrites them and there is no accessible log on the router.</p>
<p>Donny</p>
<div class="gmail_quote">On Oct 23, 2013 1:17 PM, "hcoin" <<a href="mailto:hcoin@quietfountain.com" target="_blank">hcoin@quietfountain.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Anthony and Donny, thanks for replying.<br>
<br>
Putting a packet capture on the line revealed the problem
to be a combination of quirks in both linphone (windows
version ignores fs nonstandard destination port) and
dns-forwarder (override of <a href="http://foo.bar.com" target="_blank">foo.bar.com</a>
fails if <a href="http://foo.bar.com" target="_blank">foo.bar.com</a>
is a cname on the public internet, not an A record). The
call was coming in on the external profile because the dns
forwarder was letting the resolution go to the public
internet and so the local systems were sending out to the
router, which sent it back in to... the external
interface. However, I do now know how to watch calls
pass through freeswitch and have read most of the source
code in the sofia endpoint, nta, nua, etc. etc... and had
lots of fun with gdb stepping around watching the packets
flow.<br>
<br>
The main lesson I think is worth sharing is this: Use
5060 for sip. If you are thinking of various profiles
using the same address but different ports on the one
hand, or on the other hand using ip aliases so each
profile uses the 'standard' ports but a different ip--- go
with the ip alias approach. So in
/etc/network/interfaces , supposing your main nic is eth0:<br>
<br>
iface eth0 inet dhcp &lt;-- or whatnot on your system&gt;<br>
..<br>
post-up ifup eth0:1<br>
pre-down ifdown eth0:1<br>
..<br>
<br>
<br>
iface eth0:1 inet static<br>
address &lt;something unique on the lan&gt;<br>
netmask &lt;etc.&gt;<br>
<br>
Problems all melted away as if they never were.<br>
<br>
Thanks again for trying to help! I even bought the
freeswitch book. Ka-Ching for someone on this list...<br>
<br>
<br>
<br>
On 10/22/2013 06:38 PM, Anthony Minessale wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">Did you change all the fields in the new
profile you duplicated that were relevant to the name
like name...</p>
<p dir="ltr">I usually cp internal.xml new.xml then edit
new.xml and global replace internal with new right off
the bat.</p>
<p dir="ltr">You might find your mistake faster if you
backup and revert to default sip profiles from sample
and slowly make changes again.</p>
<div class="gmail_quote">On Oct 22, 2013 1:04 AM, "hcoin"
<<a href="mailto:hcoin@quietfountain.com" target="_blank">hcoin@quietfountain.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
This has been a really frustrating problem, I'm sure
the answer is<br>
simple but I just can't see it.<br>
<br>
I had several extensions registered to the internal
profile, sending<br>
calls out the external profile to a sip-pstn gateway,
all seemed fine.<br>
<br>
Then created another internal profile, using a
different sip port on the<br>
same lan address, because of 'no device left behind'
and NAT issues..<br>
<br>
All seemed well, all the phones register normally.
Looking at the<br>
databases in FS they all show the proper ports, the
proper domains, etc.<br>
<br>
However, every single call gets picked up as a new
call via<br>
sofia/external/... and it hits the public dialplan
normally -- except<br>
that's the wrong plan, it should hit the default plan
and be identified<br>
as sofia/internal/.... and so forth.<br>
2013-10-22 00:31:11.001600 [NOTICE]
switch_channel.c:1034 New Channel<br>
sofia/external/<a href="mailto:hcoin@pbx.foobar.com" target="_blank">hcoin@pbx.foobar.com</a>
[28ed125a-3adb-11e3-9cc1-cbb8efb09b83]<br>
<br>
What could possibly be the reason phones registered on
the internal<br>
profile have their new calls identified as
sofia/external and don't hit<br>
the correct plan? Both the phones and the freeswitch
are on the same<br>
subnet. This should be so vanilla. What am I
missing?<br>
<br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication
Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
<br></blockquote></div>
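<p dir="ltr">An added example, not part of the original thread and not FreeSWITCH project code: one way to spot the automated authentication guessing described in the top message is to group SIP auth failures in the FreeSWITCH log by source address and flag bursts. The log lines are constructed; their timestamp and level layout follows the log line quoted in the thread, and the "SIP auth failure" wording, the <code>sofia_reg.c</code> line number and the name <code>find_scanners</code> are assumptions to adjust to your own logs.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Addresses come from documentation ranges; the
# "SIP auth failure" message format is an assumption about what your
# FreeSWITCH build writes, so check it against a real failure line first.
SAMPLE_LOG = """\
2013-10-22 00:31:11.001600 [NOTICE] switch_channel.c:1034 New Channel sofia/external/hcoin@pbx.foobar.com
2013-10-22 00:31:12.100000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'external' for [100@pbx.foobar.com] from ip 203.0.113.7
2013-10-22 00:31:13.100000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'external' for [101@pbx.foobar.com] from ip 203.0.113.7
2013-10-22 00:31:14.100000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'external' for [102@pbx.foobar.com] from ip 203.0.113.7
2013-10-22 00:31:15.100000 [WARNING] sofia_reg.c:1478 SIP auth failure (INVITE) on sofia profile 'external' for [1000@pbx.foobar.com] from ip 203.0.113.7
2013-10-22 09:00:05.000000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.foobar.com] from ip 198.51.100.20
2013-10-22 09:00:20.000000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.foobar.com] from ip 198.51.100.20
2013-10-22 10:00:00.000000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@pbx.foobar.com] from ip 192.0.2.55
2013-10-22 10:02:00.000000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@pbx.foobar.com] from ip 192.0.2.55
2013-10-22 10:04:00.000000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@pbx.foobar.com] from ip 192.0.2.55
2013-10-22 10:06:00.000000 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@pbx.foobar.com] from ip 192.0.2.55
"""

FAIL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \[WARNING\] \S+ "
    r"SIP auth failure \((\w+)\) on sofia profile '([^']+)' "
    r"for \[([^\]@]+)@[^\]]*\] from ip (\S+)"
)

def find_scanners(log_text, threshold=4, window=timedelta(seconds=60)):
    """Map each IP with >= threshold failures inside one window to the users it tried."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # non-matching lines (e.g. the NOTICE line) are ignored
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events[m.group(5)].append((ts, m.group(4)))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in hits})
                break
    return flagged
```

<p dir="ltr">With the defaults only 203.0.113.7 is flagged: a user mistyping a password twice, or a phone retrying every two minutes, stays under the burst threshold. Where a router ALG rewrites source addresses, as in the incident described in the thread, the address in the log is the router's, so the result only shows that the guessing arrives through that router.</p>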