So... how cool would this be?? The Best of Both Worlds in an integrated UI.
Well, as this was released just as I looked at Asterisk again after a few years' absence, and Asterisk 12 has a few features I'm trying to get running for family, I took this for a spin.
Here's what I've noticed so far:
a) the installer script for both Incredible*11 and *12 hangs when IPv6 is available, either IPv6 only or dual-stack. While V6 only networks are rare (outside labs and my house), dual-stack is increasingly common and many OSes, including Ubuntu, prefer IPv6 if both are available.
When the script activates ip6tables, the [lack of] policy breaks further installation, as it can't reach any Ubuntu mirrors, which are generally IPv6 enabled.
I suggest a default equal to that of IPv4: allow anything sourced from localhost (already there), allow TCP established sessions (as return traffic for outgoing sessions: http/ftp/wget for the install to continue), and the return traffic for DNS.
I'm more familiar with hardware firewalls than iptables, so I'm not sure if the ESTABLISHED/RELATED states work with UDP traffic to lock down DNS even further, and only allow return DNS queries from servers the VM queried. The term 'established' implies TCP traffic on a hardware firewall, but iptables/netfilter may be smarter, as the traffic originates from itself.
Here's a starting equivalent, although no SIP providers are added. I'm not aware of any native IPv6 SIP providers, and if you're working through a NAT64, you would use your own prefix.
It would at least let installation complete without hanging.
This is what I'm running to get started:
root@vittles12:~# cat /etc/iptables/rules.v6
# Generated by ip6tables-save v1.4.21 on Sat Nov 1 19:18:10 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ::1 -j ACCEPT
# Accepts any TCP segment with the ACK flag set, regardless of conntrack state
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
#Allow SIP from our trunk providers. Currently set to NAT64 range with hardware firewall
-A INPUT -s 64:ff9b::/96 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
# Kitchen Sink entries below give full access to all server ports
# Assigned /48 (example only: internal address space; ip6tables-restore only accepts full-line comments)
-A INPUT -s 2001:xxxx:yyyy::/48 -j ACCEPT
COMMIT
# Completed on Sat Nov 1 19:18:10 2014
root@vittles12:~#
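As an added example (not part of the original post or of the Incredible PBX / FreePBX installer), here is a small Python linter for a rules.v6 file in the shape shown above. It checks the three things the post says the installer needs on a dual-stack host (loopback accepted, ESTABLISHED/RELATED return traffic accepted, DNS replies accepted) and then reports two hardening points: a `--tcp-flags ACK ACK` rule accepts unsolicited TCP segments on every port whether or not conntrack knows the connection, and an IPv6 host with a DROP policy needs ICMPv6 accepted because neighbour discovery and path MTU discovery depend on it. Netfilter's conntrack tracks UDP flows as well as TCP, so one `ESTABLISHED,RELATED` rule already admits DNS replies to queries the host sent. Both rulesets in the block are constructed samples; the function and check names are this example's own.

```python
"""Lint an ip6tables-save ruleset for the INPUT policy an installer needs on a
dual-stack host, and for two common hardening gaps. Example only."""
import shlex

# Constructed sample in the shape of ip6tables-save output: the permissive
# starting point (separate ESTABLISHED/RELATED rules, an ACK-flag rule and an
# explicit DNS-reply rule).
SAMPLE_RULES_V6 = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ::1 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
COMMIT
"""

# Constructed tighter equivalent: one stateful rule covers TCP and UDP return
# traffic (conntrack tracks UDP, so DNS replies need no separate rule), and
# ICMPv6 is accepted because IPv6 neighbour discovery and PMTU depend on it.
HARDENED_RULES_V6 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
"""

REQUIRED = ('loopback_allowed', 'return_traffic_allowed', 'dns_replies_allowed')
HARDENING = ('input_default_drop', 'icmpv6_allowed', 'no_stateless_ack_accept')


def parse_rules(text):
    """Split ip6tables-save text into chain policies and -A rules (argv lists)."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank or full-line comment (the only comment form ip6tables-restore accepts)
        if line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith('-A '):
            rules.append(shlex.split(line))
    return policies, rules


def _opt(tokens, flag):
    """Value that follows `flag` in an argv list, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def _states(tokens):
    """Conntrack states a rule matches, via -m state or -m conntrack."""
    value = _opt(tokens, '--state') or _opt(tokens, '--ctstate') or ''
    return {s.upper() for s in value.split(',') if s}


def _accepts_any_ack(tokens):
    """True for '--tcp-flags ACK ACK': any TCP segment with ACK set matches,
    whether or not conntrack knows the connection."""
    if '--tcp-flags' not in tokens:
        return False
    i = tokens.index('--tcp-flags')
    flags = [t.upper() for t in tokens[i + 1:i + 3]]
    return flags == ['ACK', 'ACK']


def lint_input_policy(text):
    """Return {check: bool} for the INPUT chain; True means the check passes."""
    policies, rules = parse_rules(text)
    accepts = [r for r in rules if _opt(r, '-A') == 'INPUT' and _opt(r, '-j') == 'ACCEPT']
    states = {s for r in accepts for s in _states(r)}
    stateful = 'ESTABLISHED' in states
    return {
        'loopback_allowed': any(_opt(r, '-s') in ('::1', '::1/128') or _opt(r, '-i') == 'lo'
                                for r in accepts),
        'return_traffic_allowed': stateful and 'RELATED' in states,
        # conntrack tracks UDP flows too, so the stateful rule already admits DNS replies
        'dns_replies_allowed': stateful or any(_opt(r, '-p') == 'udp' and _opt(r, '--sport') == '53'
                                               for r in accepts),
        'input_default_drop': policies.get('INPUT') == 'DROP',
        'icmpv6_allowed': any(_opt(r, '-p') in ('ipv6-icmp', 'icmpv6', '58') for r in accepts),
        'no_stateless_ack_accept': not any(_accepts_any_ack(r) for r in accepts),
    }


def install_can_finish(text):
    """True when outbound package and DNS fetches from the host will get their replies back."""
    result = lint_input_policy(text)
    return all(result[c] for c in REQUIRED)


def hardening_findings(text):
    """Names of hardening checks the ruleset fails, in a fixed order."""
    result = lint_input_policy(text)
    return [c for c in HARDENING if not result[c]]


if __name__ == '__main__':
    for name, text in (('sample', SAMPLE_RULES_V6), ('hardened', HARDENED_RULES_V6)):
        print(name, 'install_can_finish =', install_can_finish(text),
              'findings =', hardening_findings(text))
```

Run it against a saved file with `lint_input_policy(open('/etc/iptables/rules.v6').read())`; the sample ruleset passes the three installer checks but is flagged for the stateless ACK rule and the missing ICMPv6 accept, while the hardened one passes everything. The linter only reads the text and never touches the live tables, so it is safe to run before the reboot that would otherwise leave the box unreachable.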
With ip6tables fixed, I tried to test the PJSIP implementation now a part of Asterisk 12 and 13, and also the default for port 5060. I am unable to get it to listen on either UDP or TCP over IPv6. I'm not sure if this is FreePBX not expecting anyone to use it, or it's not enabled in compilation. Some googling for both PJSIP and Asterisk's PJSIP is inconsistent with what's supported. General consensus is it must be enabled with a compile flag for the original PJSIP source, but it's not clear (to me) if this needs to be enabled when compiling Asterisk, or it's there by default, or what.
I tried adding configuration to the pjsip.transport.conf file and restarting Asterisk manually, but it still wouldn't listen on IPv6.
I'm going to try downloading and compiling Asterisk in a separate VM to test and play with the options, but that's on my list of things to do.
Thanks,
Joel