VoIP Firewall
Revision as of 18:50, 23 November 2017
This is what we suggest firewall-wise for VoIP customers:
Avoid using NAT where possible. However, some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the new call server (e.g. FireBrick FB2700 and many simple NAT routers). If NAT works, then well done, but if not we cannot guarantee to be able to make it work.
Firewall Requirements on the AAISP VoIP Platform

Traffic | Target Ports | Source IPs
---|---|---
SIP (IPv4) | UDP 5060 | 81.187.30.110 - 81.187.30.119, 90.155.3.0/24, 90.155.103.0/24
SIP (IPv6) | UDP 5060 | 2001:8b0:0:30::5060:0/112, 2001:8b0:5060::/48
RTP (IPv4) | UDP 1024-65535 | 81.187.30.110 - 81.187.30.119, 90.155.3.0/24, 90.155.103.0/24
RTP (IPv6) | UDP 1024-65535 | 2001:8b0:0:30::5060:0/112, 2001:8b0:5060::/48
Customers should add all of the IPs above to their firewall rules, even if they currently see no traffic to or from some of them: calls may be handled by any of the call servers.
SIP is the call signalling that creates and manages calls. In practice, if you allow UDP 5060 from the whole Internet you will see attacks (scans and registration attempts from anywhere) and possibly receive spam phone calls. We do not recommend leaving 5060 open to the world unless you really know what you are doing; restrict it to the source IPs above. Phones rarely use ports as low as 5060 for media, so the RTP range can normally start well above it.
RTP is the actual media (e.g. the audio). On our platform the RTP will come from the same call server IP address as the SIP control messages, so the same source list applies. On most phones you can configure which ports are used for RTP, so you can restrict this range further than 1024-65535. For example, on a Snom phone the default RTP range is 49152 to 65534.
In CIDR notation, the IPv4 range 81.187.30.110 - 81.187.30.119 needs two blocks:
81.187.30.110/31 81.187.30.112/29
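As an added example (not code from the AAISP wiki), the following Python builds an allow-list from the source IPs in the table above, converts the dashed IPv4 range into its two CIDR blocks with the standard library, checks whether a given inbound UDP packet should be accepted (optionally with a tightened RTP range such as the Snom default), and renders equivalent nftables rules. The phone addresses 192.0.2.10 and 2001:db8::10 are constructed documentation addresses, and the nftables output is a hypothetical rendering, not AAISP's or FireBrick's own syntax.

```python
"""Allow-list helper for the AAISP VoIP firewall table (added example)."""
import ipaddress

# Source IPs exactly as listed in the table above.
SIP_SOURCES_V4 = ("81.187.30.110-81.187.30.119", "90.155.3.0/24", "90.155.103.0/24")
SIP_SOURCES_V6 = ("2001:8b0:0:30::5060:0/112", "2001:8b0:5060::/48")

SIP_PORT = 5060
RTP_PORTS_DEFAULT = (1024, 65535)   # platform-wide RTP range from the table
RTP_PORTS_SNOM = (49152, 65534)     # Snom factory default quoted on the page


def to_networks(spec):
    """Expand one table entry into a list of ip_network objects.

    Entries are either CIDR already, or a dashed range 'lo-hi', which
    summarize_address_range splits into the minimal set of CIDR blocks
    (81.187.30.110-119 becomes .110/31 and .112/29, as the text says)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=True)]


def cidr_blocks(spec):
    """CIDR strings for one table entry, e.g. for pasting into a firewall."""
    return [str(n) for n in to_networks(spec)]


# Every network a call server may talk from, v4 and v6, in table order.
ALLOWED = [n for s in SIP_SOURCES_V4 + SIP_SOURCES_V6 for n in to_networks(s)]


def is_allowed(src_ip, dst_port, proto="udp", rtp_range=RTP_PORTS_DEFAULT):
    """Decide whether an inbound packet to the phone should be accepted.

    Mirrors the table: UDP only, only from the call-server networks, and
    only to 5060 (SIP) or the RTP port range. Passing a narrower
    rtp_range (e.g. RTP_PORTS_SNOM) tightens the media rule."""
    if proto != "udp":
        return False
    addr = ipaddress.ip_address(src_ip)
    # 'in' is False across address families, so v4 addrs never match v6 nets.
    if not any(addr in net for net in ALLOWED):
        return False
    lo, hi = rtp_range
    return dst_port == SIP_PORT or lo <= dst_port <= hi


def nft_rules(phone_v4, phone_v6="", rtp_range=RTP_PORTS_DEFAULT):
    """Render the allow-list as nftables rule lines (hypothetical chain).

    Anonymous sets '{ a, b }' and port ranges 'lo-hi' are standard nft
    syntax; the chain these go into is up to the reader."""
    v4 = ", ".join(str(n) for n in ALLOWED if n.version == 4)
    v6 = ", ".join(str(n) for n in ALLOWED if n.version == 6)
    lo, hi = rtp_range
    ports = "{ %d, %d-%d }" % (SIP_PORT, lo, hi)
    lines = ["ip saddr { %s } ip daddr %s udp dport %s accept" % (v4, phone_v4, ports)]
    if phone_v6:
        lines.append("ip6 saddr { %s } ip6 daddr %s udp dport %s accept" % (v6, phone_v6, ports))
    return "\n".join(lines)


if __name__ == "__main__":
    print(cidr_blocks("81.187.30.110-81.187.30.119"))
    print(nft_rules("192.0.2.10", "2001:db8::10", RTP_PORTS_SNOM))
```

Running the block prints the two CIDR blocks and two nftables lines; the Snom range is passed to show the media rule narrowed to 49152-65534 while SIP stays on 5060 from the same sources.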
Example FireBrick Config
Allow inbound calls to your VoIP phone, if you register it with the FireBrick:
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
Allow inbound calls to your VoIP phone, if you register it with Voiceless (1.2.3.4 is the phone's address; protocol 17 is UDP, matching the table above):
<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="5060" protocol="17" action="accept" comment="SIP signalling from the call servers only"/>
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="1024-65535" protocol="17" action="accept" comment="RTP media, full platform port range"/>
Allow inbound calls to your Snom phone, if you register it with Voiceless (same as above, but with the RTP range narrowed to the Snom default):
<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="5060" protocol="17" action="accept" comment="SIP signalling from the call servers only"/>
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="49152-65534" protocol="17" action="accept" comment="RTP media, Snom default port range"/>
Other things to Firewall
- Don't allow access to your phone's or server's web configuration pages from the Internet.
- If you run your own server and allow phones to use it from the WAN/Internet, lock this down as much as possible: restrict it to known source addresses, or only allow access to your PBX from the Internet via a VPN.
NAT
Avoid using NAT where possible. However, some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the call server (e.g. FireBrick FB2500/FB2700 and many simple NAT routers). If NAT works, then well done, but if not we cannot guarantee to be able to make it work. See: VoIP NAT
Further VoIP Security
- Please see our VoIP Security page for further information on securing your phones, accounts and VoIP systems.