On 8/12/05, Chris Bagnall <m0n0wall at minotaur dot cc> wrote:
> I've been doing some research this evening whilst trying to get SIP working
> reliably over NAT through a client's asterisk server. The aim was to try and
> work out exactly how wide a port range needs to be open for enough RTP
> streams for their needs.
>
> Whilst playing around with different port ranges I noticed that disabling a
> firewall rule and hitting apply doesn't appear to disable it immediately.
> If, for example, I kill the rule allowing port 5060 inbound (SIP), it stands
> to reason I shouldn't be able to make any inbound calls successfully. This
> isn't the case - inbound calls work perfectly despite the rule not being
> present.
>
> Any idea what's causing this?

My guess would be the state table, as removing a rule doesn't remove any
existing states for that rule. Though I would think a new connection would
attempt to create a new state, I'm not familiar at all with SIP so I don't
know.

> I note that if I do the same thing to, for example, a webserver (firewall
> allowing port 80 inbound), it stops working from the outside immediately.

Because an HTTP request will have to create a new connection, and hence
state, every time. If someone was downloading a file from you via HTTP and
you disabled the rule, it wouldn't cut off that session immediately.

> (oh, if anyone can answer the original point of all this - how wide an RTP
> range does one need - I'd be most grateful)

Not a clue, sorry. :)

-Chris
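The state-table mechanism described in the reply above, as an added example that is not part of the thread and not m0n0wall or pf code: a toy stateful packet filter in Python in which a packet matching an existing state passes without the rules being consulted, so disabling a rule only affects new flows. The hosts, ports, the idle timeout and the assumption that the SIP peer keeps sending from the same source port (so its packets keep matching the old state) are all constructed for the illustration.

```python
# Added example: toy model of a stateful packet filter. Not m0n0wall/pf
# code; addresses, ports and the timeout are constructed for illustration.

from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 60  # seconds; constructed value, not pf's real default


@dataclass
class StatefulFilter:
    rules: set = field(default_factory=set)     # allowed inbound (proto, dst_port)
    states: dict = field(default_factory=dict)  # flow key -> last time seen

    def inbound(self, proto, src, sport, dst, dport, now=0):
        """Return True if an inbound packet passes.

        A packet matching a live state passes without the rules being
        consulted. Only a packet that starts a new flow is checked against
        the rules, and a rule match creates a state for that flow.
        (Simplification: only UDP states expire here; TCP states are kept.)
        """
        key = (proto, src, sport, dst, dport)
        last = self.states.get(key)
        if last is not None:
            if proto == "tcp" or now - last < UDP_IDLE_TIMEOUT:
                self.states[key] = now
                return True
            del self.states[key]  # idle UDP pseudo-state has expired
        if (proto, dport) in self.rules:
            self.states[key] = now
            return True
        return False

    def remove_rule(self, proto, dport):
        """Disable a rule and 'apply': existing states are left untouched."""
        self.rules.discard((proto, dport))

    def flush_states(self, proto=None, dport=None):
        """Kill states, optionally only those for one protocol/destination port."""
        self.states = {
            k: t for k, t in self.states.items()
            if not ((proto is None or k[0] == proto)
                    and (dport is None or k[4] == dport))
        }


def demo():
    """Walk through the scenario from the thread; returns a dict of outcomes."""
    fw = StatefulFilter(rules={("udp", 5060), ("tcp", 80)})
    pbx = "203.0.113.2"  # constructed address of the LAN-side SIP/web host
    # Constructed flows: a SIP peer that keeps sending from source port 5060,
    # and a browser that opens a fresh TCP connection for each request.
    sip_flow = ("udp", "198.51.100.7", 5060, pbx, 5060)
    r = {}
    r["sip_before"] = fw.inbound(*sip_flow, now=0)
    r["http_before"] = fw.inbound("tcp", "198.51.100.9", 40001, pbx, 80, now=0)

    fw.remove_rule("udp", 5060)
    fw.remove_rule("tcp", 80)

    # The SIP peer's next packet matches the existing state and still passes.
    r["sip_same_flow_after"] = fw.inbound(*sip_flow, now=30)
    # A brand-new SIP peer has no state and is blocked as expected.
    r["sip_new_peer_after"] = fw.inbound("udp", "198.51.100.8", 5060, pbx, 5060, now=30)
    # A new HTTP request is a new connection (new source port): blocked.
    r["http_new_conn_after"] = fw.inbound("tcp", "198.51.100.9", 40002, pbx, 80, now=30)
    # The download that was already in progress is still in the state table.
    r["http_old_conn_after"] = fw.inbound("tcp", "198.51.100.9", 40001, pbx, 80, now=30)

    # Left idle past the UDP timeout, the SIP state expires on its own ...
    r["sip_after_idle"] = fw.inbound(*sip_flow, now=30 + UDP_IDLE_TIMEOUT + 1)
    # ... but the dependable fix is to kill the states when the rule goes.
    fw2 = StatefulFilter(rules={("udp", 5060)})
    fw2.inbound(*sip_flow, now=0)
    fw2.remove_rule("udp", 5060)
    fw2.flush_states("udp", 5060)
    r["sip_after_flush"] = fw2.inbound(*sip_flow, now=1)
    return r


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:24} {'PASS' if passed else 'BLOCK'}")
```

The takeaway for anyone verifying a rule change is to check the state table, not just the ruleset: on a pf-based firewall that means killing or flushing the relevant states after the rule is removed (m0n0wall exposes a state-table reset, and `pfctl -F state` flushes all states on a pf host), or waiting for the idle timeout to expire them, before concluding that a port is actually closed.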