[Firehol-support] Firewall logic

Daniel Heckl daniel.heckl at gmail.com
Wed Nov 1 14:44:53 GMT 2017


Costa,

I refer to your last message from January 2016 regarding RTP rules in
FireHOL.

Is there any other solution to implement (with FireHOL) a custom rule to
allow traffic to a specific port range (my own RTP ports) from specific IP
ranges (their RTP servers)?

Your solution is working fine, but allows full access to all ports of the
RTP servers without looking at the src port range (10000:10100).

Daniel

server_myrtp_ports="udp/10000:10100" # use the same ports as in /etc/asterisk/rtp.conf
client_myrtp_ports="any"

and

server_theirrtp_ports="udp/any" # the providers may use any port for RTP
client_theirrtp_ports="any"

Then, at your internet interface, replace these:

        server4 sip accept src "${telekom} ${sipgate_sip}"
        server4 rtp accept src "${telekom} ${sipgate_rtp}"
        client4 all accept dst "${telekom} ${sipgate_sip} ${sipgate_rtp}"

with these:

        server4 sip,myrtp accept src "${telekom} ${sipgate_sip}"
        client4 sip,theirrtp accept dst "${telekom} ${sipgate_sip} ${sipgate_rtp}"
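
As an added example (not code from the thread or from the FireHOL project), the service definitions above can be tightened so that the outbound rule only matches packets leaving from your own RTP source ports, which is the src port range the question is about. It keeps the variable names from the thread (${telekom}, ${sipgate_sip}, ${sipgate_rtp}); the interface name eth0, the `version 6` line (FireHOL 3.x) and the address values (RFC 5737 documentation ranges) are assumptions, not values from the thread.

```firehol
# /etc/firehol/firehol.conf (added example; addresses and interface name are placeholders)
version 6

# Placeholder provider address lists; replace with the providers' real ranges.
telekom="192.0.2.0/24"
sipgate_sip="198.51.100.0/24"
sipgate_rtp="203.0.113.0/24"

# Inbound media: the providers send RTP to our Asterisk port range
# (rtpstart/rtpend in /etc/asterisk/rtp.conf). They may send from any port,
# so the client side of this service stays open.
server_myrtp_ports="udp/10000:10100"
client_myrtp_ports="any"

# Outbound media: the provider advertises its RTP port in SDP, so the
# destination port cannot be pinned. Our source port, however, is always one
# of our own RTP ports, so the client ports are restricted to that range.
# This turns "any UDP from us to those hosts" into "UDP from 10000:10100 to
# those hosts"; replies are still matched by connection tracking.
server_theirrtp_ports="udp/any"
client_theirrtp_ports="10000:10100"

interface4 eth0 internet src not "${UNROUTABLE_IPS}"
        policy drop
        protection strong

        # Signalling and media the providers initiate towards us
        server4 sip accept src "${telekom} ${sipgate_sip}"
        server4 myrtp accept src "${telekom} ${sipgate_rtp}"

        # Signalling and media we initiate towards the providers
        client4 sip accept dst "${telekom} ${sipgate_sip}"
        client4 theirrtp accept dst "${telekom} ${sipgate_rtp}"
```

Run `firehol debug` to print the generated iptables commands without applying them, and confirm that the outbound rule towards the RTP hosts now carries a source-port match for 10000:10100 while the inbound rule still limits the destination port to the same range; `firehol try` activates the configuration with a timeout so a mistake does not lock you out of the box.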


