VoIP Firewall: Difference between revisions

From AAISP Support Site
Revision as of 20:06, 19 August 2014


This is what we suggest firewall-wise for VoIP customers:

Firewall Requirements on Voiceless Platform

  Service      Ports           Source
  SIP (IPv4)   UDP 5060        81.187.30.110 - 81.187.30.119
                               90.155.3.0/24, 90.155.103.0/24 (NEW)
  SIP (IPv6)   UDP 5060        2001:8b0:0:30::5060:0/112
                               2001:8b0:5060::/48 (NEW)
  RTP (IPv4)   UDP 1024-65535  81.187.30.110 - 81.187.30.119
                               90.155.3.0/24, 90.155.103.0/24 (NEW)
  RTP (IPv6)   UDP 1024-65535  2001:8b0:0:30::5060:0/112
                               2001:8b0:5060::/48 (NEW)

The IPs marked NEW were added in August 2014 to leave room for a planned expansion. Customers should add these additional IPs to their firewall rules, as we expect to be using them soon.


Firewall Requirements on Legacy 'C' Platform

  Service   Ports           Source
  SIP       UDP 5060        81.187.30.110 - 81.187.30.119
  RTP       UDP 1024-65535  Everywhere


SIP carries the call-routing signalling that sets up and manages calls. In practice, if you allow port 5060 from anywhere on the Internet you will see attacks and may receive spam phone calls. We do not recommend leaving 5060 open to the world unless you really know what you are doing. Phones rarely use ports as low as 5060 for media.

RTP carries the actual media (e.g. the audio). On the older call servers the media path is kept as direct as possible, so media can arrive from anywhere on the Internet. With the new call servers, media only comes from the same call server that handles the SIP control messages. On most phones you can configure which ports to use for RTP, so you can restrict this range further; for example, on a Snom phone the default RTP range is 49152 to 65534.


Example FireBrick Config

Allow all from the FireBrick to LAN. This is all you need if you register your VoIP Phone to the FireBrick:

<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>

Allow inbound calls to your VoIP Phone if you have registered it directly to Voiceless:

<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="2001:8b0::1" target-port="5060" action="accept"/>
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="2001:8b0::1" target-port="1024-65535" protocol="17" action="accept"/>

Allow inbound calls to your Snom Phone if you have registered it directly to Voiceless:

<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="2001:8b0::1" target-port="5060" action="accept"/>
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="2001:8b0::1" target-port="49152-65534" protocol="17" action="accept"/>
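As an added example (not the page's own text nor FireBrick code), the following Python evaluates sample packets against rules written in the page's notation: it expands the source-ip lists (including the 81.187.30.110-119 last-octet shorthand) and port ranges from the requirements table and the Snom rules above, and applies the rule-set's no-match-action="reject" default. It assumes that an attribute left off a rule matches anything, which is why the SIP rule above, having no protocol="17", would also admit TCP to 5060; the sample addresses and ports are constructed.

```python
import ipaddress

# Source list copied from the page's Voiceless SIP/RTP rules (IPv4 and IPv6).
VOICELESS_SOURCES = ("81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 "
                     "2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48")
UDP = 17  # FireBrick protocol="17"

def parse_sources(spec):
    """Expand a source-ip attribute into ip_network objects.

    Handles CIDR prefixes, bare addresses and the page's 'a.b.c.110-119'
    shorthand, where the part after '-' replaces the last octet.
    """
    nets = []
    for token in spec.split():
        if "-" in token and "/" not in token:
            first, last = token.split("-")
            prefix, lo = first.rsplit(".", 1)
            for octet in range(int(lo), int(last) + 1):
                nets.append(ipaddress.ip_network(f"{prefix}.{octet}"))
        else:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets

def parse_ports(spec):
    """'5060' -> (5060, 5060); '49152-65534' -> (49152, 65534)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def rule(name, source_ip, target_port, protocol=None):
    # Assumption: an attribute left off a rule matches anything, so the
    # page's SIP rule (no protocol="17") also admits TCP to port 5060.
    return {"name": name, "sources": parse_sources(source_ip),
            "ports": parse_ports(target_port), "protocol": protocol}

def evaluate(rules, src, dport, protocol=UDP):
    """Name of the first rule matching a packet, else 'reject' (no-match-action)."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        lo, hi = r["ports"]
        if (r["protocol"] in (None, protocol) and lo <= dport <= hi
                and any(addr in net for net in r["sources"])):
            return r["name"]
    return "reject"

# The page's Snom rule-set: SIP on 5060, RTP narrowed to the Snom default range.
SNOM_RULES = [rule("SIP", VOICELESS_SOURCES, "5060"),
              rule("RTP", VOICELESS_SOURCES, "49152-65534", protocol=UDP)]
```

Feeding a packet from an address outside the Voiceless ranges, or RTP to a port outside 49152-65534, returns "reject", which is what the narrowed Snom rules are meant to do.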


Other things to Firewall

  • Don't allow access to your phone's or server's web configuration pages from the Internet.
  • If you run your own server and allow phones to use it from your WAN/Internet, then lock this down as much as possible - perhaps only allow access to your PBX from the Internet via a VPN.


NAT

Avoid using NAT where possible. However, some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the new call server (e.g. FireBrick 2500/2700 and many simple NAT routers). If NAT works for you, good; if it does not, we cannot guarantee that we will be able to make it work. See: VoIP NAT


Further VoIP Security

  • Please see our VoIP Security page for further information on securing your phones, accounts and VoIP systems.