[Firehol-support] Firewall logic

Tsaousis, Costa costa at tsaousis.gr
Mon Jan 18 23:32:28 CET 2016


Daniel,

The isolation of the interfaces you have done seems good.

There are a few issues though:

The key problem is that RTP may or may not work, or occasionally work for
you.
The problem is the port-range your providers may use.

I suggest editing /etc/asterisk/rtp.conf and setting a specific port range for
RTP.

Then define these:

server_myrtp_ports="udp/10000:10100" # use the same ports as in /etc/asterisk/rtp.conf
client_myrtp_ports="any"

and

server_theirrtp_ports="udp/any" # the providers may use any port for RTP
client_theirrtp_ports="any"

Then, at your internet interface, replace these:

        server4 sip accept src "${telekom} ${sipgate_sip}"
        server4 rtp accept src "${telekom} ${sipgate_rtp}"
        client4 all accept dst "${telekom} ${sipgate_sip} ${sipgate_rtp}"

with these:

        server4 sip,myrtp accept src "${telekom} ${sipgate_sip}"
        client4 sip,theirrtp accept dst "${telekom} ${sipgate_sip} ${sipgate_rtp}"

The above say:

1. They can connect only to the RTP ports you have defined in
/etc/asterisk/rtp.conf (check myrtp defines the same)
2. You can connect to any RTP port they may use

Generally, if your asterisk registers your SIP account to them, there
should be no need for the 'server' statement. Your asterisk should keep the
ports open for them to talk back to you. Test it. Comment out the server
line and try to get incoming calls. If it works you don't need the 'server'
line at all. If you are not going to get incoming calls from them, then you
don't need the server statement for sure.
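A small check for the "use the same ports as in /etc/asterisk/rtp.conf" step, added here as an example and not part of Costa's post or of FireHOL itself: it reads the rtpstart/rtpend keys that Asterisk uses in rtp.conf, emits the matching myrtp service definition, and reports when the server_myrtp_ports line in firehol.conf has drifted from what Asterisk is actually using. The rtp.conf and firehol.conf contents below are constructed samples; the /etc/firehol/firehol.conf path is assumed.

```sh
#!/bin/sh
# Added example (not from the original post or from FireHOL): keep the FireHOL
# "myrtp" service in step with Asterisk's RTP range. Assumes rtp.conf uses the
# standard rtpstart= / rtpend= keys.

# Constructed sample standing in for /etc/asterisk/rtp.conf.
SAMPLE_RTP_CONF='[general]
; RTP port range used by Asterisk
rtpstart=10000
rtpend=10100
'

# Constructed sample standing in for the service lines in /etc/firehol/firehol.conf (path assumed).
SAMPLE_FIREHOL_CONF='server_myrtp_ports="udp/10000:10100" # use the same ports as in /etc/asterisk/rtp.conf
client_myrtp_ports="any"
'

# Read rtp.conf text on stdin and print "start end". Returns 1 when either key
# is missing, non-numeric, or the range is not a valid ascending UDP port range.
rtp_range() {
    conf=$(sed 's/;.*//; s/[[:space:]]//g')          # drop comments and whitespace
    start=$(printf '%s\n' "$conf" | grep -i '^rtpstart=' | tail -n1 | cut -d= -f2)
    end=$(printf '%s\n' "$conf" | grep -i '^rtpend=' | tail -n1 | cut -d= -f2)
    for v in "$start" "$end"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac     # must be a non-empty integer
    done
    [ "$start" -ge 1 ] && [ "$end" -le 65535 ] && [ "$start" -le "$end" ] || return 1
    printf '%s %s\n' "$start" "$end"
}

# Emit the FireHOL service definition for the local RTP range (rtp.conf text on stdin).
myrtp_service() {
    range=$(rtp_range) || return 1
    set -- $range
    printf 'server_myrtp_ports="udp/%s:%s"\nclient_myrtp_ports="any"\n' "$1" "$2"
}

# check_in_sync RTP_CONF_TEXT FIREHOL_CONF_TEXT
# Returns 0 when server_myrtp_ports matches the range in rtp.conf, else prints the
# mismatch on stderr and returns 1.
check_in_sync() {
    rtp_conf=$1
    fw_conf=$2
    range=$(printf '%s\n' "$rtp_conf" | rtp_range) || {
        echo "rtp.conf: no valid rtpstart/rtpend range" >&2
        return 1
    }
    set -- $range
    want="udp/$1:$2"
    have=$(printf '%s\n' "$fw_conf" \
        | sed -n 's/^[[:space:]]*server_myrtp_ports="\([^"]*\)".*/\1/p' | tail -n1)
    [ "$have" = "$want" ] && return 0
    echo "mismatch: firehol.conf has '${have:-<unset>}', rtp.conf implies '$want'" >&2
    return 1
}

# Demo on the constructed samples. On a real host pass the file contents instead:
#   check_in_sync "$(cat /etc/asterisk/rtp.conf)" "$(cat /etc/firehol/firehol.conf)"
printf '%s\n' "$SAMPLE_RTP_CONF" | myrtp_service
check_in_sync "$SAMPLE_RTP_CONF" "$SAMPLE_FIREHOL_CONF" && echo "myrtp matches rtp.conf"
```

Run it from cron or before `firehol try` so a later change to rtp.conf does not silently leave the firewall accepting a range Asterisk no longer listens on, or blocking the one it does.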

Costa



On Mon, Jan 18, 2016 at 3:42 PM, Daniel Heckl <daniel.heckl at gmail.com>
wrote:

> No idea?
>
> Daniel Heckl <daniel.heckl <at> gmail.com> writes:
> > On my server mainly asterisk and a monitoring server are running.
> > Because of the sip server, it is very important that
> > no unauthorized user has access to the sip port.
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
>