1
votes

When using netfilter/iptables you could set nf_conntrack to read your SIP signalling messages on port 5060 and it would automatically open up the required RTP ports for audio to pass for that call.

Can anyone please explain or help me find the equivalent for doing this with firewalld on CentOS 7?

I know I can open up an entire range but I like only having necessary ports open.

EDIT 1 - This suggests that nf_conntrack is scheduled for a later release, but that info is at least 8 months old (as it's referred to here, dated 16th April). Is there another way?

1
If there is no service listening on UDP ports 10000-20000 on the server, what is the risk of opening those to the public? - lee

Maybe there's none, but "bad things" do happen to established software, so I don't like having ports open to the world that don't need to be. If they need to be then fine, but with iptables they didn't, so I wondered what the equivalent was, if any, with firewalld. - David Wylie

1 Answer

2
votes

In /etc/firewalld/services, create a service definition, i.e. sip.xml with the following contents:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SIP</short>
  <description>SIP over UDP on port 5060</description>
  <port protocol="udp" port="5060"/>
  <module name="nf_conntrack_sip"/>
</service>

To permanently add that to your default zone:

# firewall-cmd --add-service=sip --permanent

And to apply that:

# firewall-cmd --reload

At this point, if you look at lsmod, you should see that the nf_conntrack_sip module is loaded, e.g.

# lsmod |grep sip

nf_conntrack_sip       33860  0
nf_conntrack          105702  7 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_conntrack_sip,nf_conntrack_ipv4,nf_conntrack_ipv6
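As an added example (not part of the answer above), a small Python audit script that parses firewalld service definitions like sip.xml and reports the static ports and conntrack helper modules each one exposes, flagging wide port ranges such as the 10000-20000 alternative discussed in the comments. The sip.xml and rtp.xml contents are embedded inline as constructed samples, and the width threshold for "wide" is an assumption.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed samples: the SIP definition from the answer, and a wide-open
# RTP range definition of the kind the comments mention as the alternative.
SIP_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SIP</short>
  <description>SIP over UDP on port 5060</description>
  <port protocol="udp" port="5060"/>
  <module name="nf_conntrack_sip"/>
</service>
"""

RTP_RANGE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>RTP</short>
  <port protocol="udp" port="10000-20000"/>
</service>
"""

WIDE_RANGE_THRESHOLD = 100  # assumption: flag ranges wider than 100 ports

def port_width(spec: str) -> int:
    """Number of ports covered by a firewalld port spec ("5060" or "10000-20000")."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return hi - lo + 1
    return 1

def audit_service(xml_text: str) -> dict:
    """Summarise what one firewalld service definition statically opens."""
    root = ET.fromstring(xml_text.encode())
    ports = [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
    modules = [m.get("name") for m in root.findall("module")]
    wide = [f"{proto}/{spec}" for proto, spec in ports
            if port_width(spec) > WIDE_RANGE_THRESHOLD]
    return {
        "short": root.findtext("short", default=""),
        "ports": ports,
        "modules": modules,          # conntrack helpers, e.g. nf_conntrack_sip
        "static_ports": sum(port_width(spec) for _, spec in ports),
        "wide_ranges": wide,
    }

def audit_directory(path="/etc/firewalld/services") -> dict:
    """Audit every service XML in a directory (custom definitions live here on CentOS 7)."""
    return {f.name: audit_service(f.read_text()) for f in Path(path).glob("*.xml")}
```

Running `audit_directory()` on a host lists, per definition, how many ports are permanently open versus handled dynamically by a helper module.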