
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

VoIP Firewall: Difference between revisions

1,486 bytes added ,  1 November 2018
'''SIP''' is the call routing (signalling) information that creates and manages calls. In practice, if you allow port 5060 from the outside world you will see attacks and possibly receive spam phone calls. We do not recommend leaving 5060 open unless you really know what you are doing. Phones rarely use ports as low as 5060 for media.
 
'''RTP''' is the actual media (e.g., the audio). On our platform the RTP will come from the same call server IP address as the SIP control messages. On most phones you can configure which ports to use for RTP, so you can restrict this range further. Note that RTP actually uses two consecutive port numbers: you should specify an even number, and RTP will also use that port number +1. For example, on a Snom phone the default range for RTP is 49152 to 65534, so the firewall needs to allow the port number range 49152 to 65535. As another example, Grandstream phones and ATAs tend to default to using 5004 as the RTP port, so you need to allow ports 5004-5005 through the firewall.
 
On routers which need one rule per IP address range you can halve the number of firewall rules needed, as long as the source IP address ranges for SIP and RTP are the same and the RTP port range you specify includes 5060.
 
Example SIP and RTP rules for a firewall that accepts XML-style rules (the source list is the same for both; note that in CIDR notation the IPv4 range 81.187.30.110 - 81.187.30.119 needs two blocks, 81.187.30.110/31 and 81.187.30.112/29, which is how the router table below is written):
<syntaxhighlight lang="xml">
<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="5060" action="accept"/>
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="49152-65535" protocol="17" action="accept"/>
</syntaxhighlight>
 
=Example consumer router config=
The following example is for an AAISP-supplied ZyXEL router. It assumes you have locked down the RTP port range on clients to ports 5000-5098. Because the Custom Destination Port range covers port 5060, we get away with half the rules: 6 rather than 12!
{| class="wikitable"
!colspan="7"|Firewall Rules on the AAISP VoIP Platform
|-
!Filter name
!Source IP Address
!IP Type
!Protocol
!Custom Destination Port
!Policy
!Direction
|-
|VoIP6A
|2001:8b0:0:30::5060:0/112
|IPv6
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP6B
|2001:8b0:5060::/48
|IPv6
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP4A
|81.187.30.110/31
|IPv4
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP4B
|81.187.30.112/29
|IPv4
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP4C
|90.155.3.0/24
|IPv4
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP4D
|90.155.103.0/24
|IPv4
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|}
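The three rules of thumb above (RTP needs the even port plus the next odd one, an IPv4 range such as 81.187.30.110-119 becomes two CIDR blocks, and a single UDP rule per source block suffices when the RTP range covers 5060) can be checked mechanically. The following Python is an added example, not part of the wiki page or any AAISP/ZyXEL/FireBrick software; the source ranges are the ones quoted above and the test addresses are constructed.

```python
import ipaddress

SIP_PORT = 5060
# Call server source ranges as listed on the page; "a.b.c.x-y" is last-octet shorthand.
SOURCES = ["81.187.30.110-119", "90.155.3.0/24", "90.155.103.0/24",
           "2001:8b0:0:30::5060:0/112", "2001:8b0:5060::/48"]


def to_cidr_blocks(src):
    """Expand one source entry into CIDR networks; a.b.c.x-y may need several."""
    if "-" in src:
        start, last = src.split("-")
        first = ipaddress.ip_address(start)
        end = ipaddress.ip_address(start.rsplit(".", 1)[0] + "." + last)
        return list(ipaddress.summarize_address_range(first, end))
    return [ipaddress.ip_network(src)]


def rtp_firewall_range(lo, hi):
    """RTP uses an even port plus the following odd one: round lo down, hi up."""
    return lo - lo % 2, hi + (1 - hi % 2)


def build_rules(rtp_lo, rtp_hi):
    """One inbound UDP rule per CIDR block, plus a SIP rule only if the RTP
    range does not already include 5060 (the page's rule-halving trick)."""
    lo, hi = rtp_firewall_range(rtp_lo, rtp_hi)
    merged = lo <= SIP_PORT <= hi
    rules = []
    for src in SOURCES:
        for net in to_cidr_blocks(src):
            rules.append((str(net), lo, hi))
            if not merged:
                rules.append((str(net), SIP_PORT, SIP_PORT))
    return rules


def accepted(rules, src_ip, dst_port):
    """True if an inbound UDP packet from src_ip to dst_port matches a rule;
    IPv4/IPv6 mismatches never match."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) and lo <= dst_port <= hi
               for net, lo, hi in rules)


if __name__ == "__main__":
    for net, lo, hi in build_rules(5000, 5999):   # the ZyXEL table: 6 rules
        print(f"ACCEPT udp from {net} to ports {lo}-{hi}")
```

With the Snom default range 49152-65534 the same function emits 12 rules, because 5060 then has to be allowed separately.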
 
=Other things to Firewall=