[Firehol-support] Firewall logic
Tsaousis, Costa
costa at tsaousis.gr
Wed Nov 1 20:37:46 GMT 2017
Hi,
I guess this will do:
server_theirrtp_ports="udp/any" # the providers may use any port for RTP
client_theirrtp_ports="10000:10100"
However, even without this change, the firewall will not allow them to
access anything else on your servers.
This is because we said: client sip,theirrtp
client = you initiated the connection
This is UDP traffic, but still the Linux kernel connection tracker knows
who opened the socket.
So, although we didn't check the source port, they will be able to send you
traffic only on sockets you opened.
The iptables statements generated look like these (use 'firehol explain' to
see them yourself):
# Rules for theirrtp client, with server port(s) 'udp/ any' and client port(s) 'any'
/sbin/iptables -t filter -A in_world -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_world -p udp -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
On the input, we only accept traffic on ESTABLISHED sockets.
On the output, we accept traffic on both NEW and ESTABLISHED sockets.
So, they cannot open a socket to you.
After the change above, the rules become:
# Rules for theirrtp client, with server port(s) 'udp/ any' and client port(s) '10000:10100'
/sbin/iptables -t filter -A in_world -p udp --dport 10000:10100 -m conntrack --ctstate ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_world -p udp --sport 10000:10100 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
So, the ports are now evaluated to allow the traffic.
Costa
On Wed, Nov 1, 2017 at 4:44 PM, Daniel Heckl <daniel.heckl at gmail.com> wrote:
> Costa,
>
> I refer to your last message from January 2016 regarding RTP rules in
> FireHOL.
>
> Is there any other solution to implement (with FireHOL) a custom rule to
> allow traffic to a specific port range (my own RTP ports) from specific ip
> ranges (their RTP servers)?
>
> Your solution is working fine, but allows full access to all ports of the
> RTP servers without looking at the src port range (10000:10100).
>
> Daniel
>
> server_myrtp_ports="udp/10000:10100" # use the same ports as in /etc/asterisk/rtp.conf
> client_myrtp_ports="any"
>
> and
>
> server_theirrtp_ports="udp/any" # the providers may use any port for RTP
> client_theirrtp_ports="any"
>
> Then, at your internet interface, replace these:
>
> server4 sip accept src "${telekom} ${sipgate_sip}"
> server4 rtp accept src "${telekom} ${sipgate_rtp}"
> client4 all accept dst "${telekom} ${sipgate_sip} ${sipgate_rtp}"
>
> with these:
>
> server4 sip,myrtp accept src "${telekom} ${sipgate_sip}"
> client4 sip,theirrtp accept dst "${telekom} ${sipgate_sip} ${sipgate_rtp}"
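The rule mapping Costa describes above, written out as an added example (this is not FireHOL's own code, and the chain names, command path and port-to-flag assignment are taken only from the rules quoted in his message): a "client" service puts the server ports on the remote side and the client ports on the local side, the in_world rule accepts ESTABLISHED only, and the out_world rule accepts NEW,ESTABLISHED. The second function is an audit check for the property the message relies on, that no in_world rule of a client-only service accepts NEW.

```shell
#!/bin/sh
# Added example, not FireHOL's own generator: reproduce the iptables rule pair
# FireHOL emits for a "client" rule, following the mapping quoted in the thread.
# Client ports are our local ports, server ports are the remote ones, so:
#   in_world  : --sport <server ports> --dport <client ports>, ESTABLISHED only
#   out_world : --sport <client ports> --dport <server ports>, NEW,ESTABLISHED
# A port spec of "any" produces no port match at all. (The "NEW\,ESTABLISHED"
# in the quoted output is just firehol's shell escaping of the comma.)

# port_match FLAG PORTS -> prints " FLAG PORTS" unless PORTS is "any"
port_match() {
    [ "$2" = "any" ] && return 0
    printf ' %s %s' "$1" "$2"
}

# client_rules PROTO SERVER_PORTS CLIENT_PORTS -> prints the two iptables commands
client_rules() {
    proto=$1; sports=$2; cports=$3
    printf '/sbin/iptables -t filter -A in_world -p %s%s%s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
        "$proto" "$(port_match --sport "$sports")" "$(port_match --dport "$cports")"
    printf '/sbin/iptables -t filter -A out_world -p %s%s%s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$proto" "$(port_match --sport "$cports")" "$(port_match --dport "$sports")"
}

# inbound_new_allowed RULES -> exit 0 if any in_world rule accepts NEW connections,
# i.e. the remote side could open a socket to us (should never hold for a client-only service)
inbound_new_allowed() {
    printf '%s\n' "$1" | grep -q -- '-A in_world .*--ctstate [^ ]*NEW'
}

# Demo with the thread's theirrtp definition: server ports any, client ports 10000:10100
rules=$(client_rules udp any 10000:10100)
printf '%s\n' "$rules"
if inbound_new_allowed "$rules"; then
    echo "WARNING: an in_world rule accepts NEW; remote hosts can initiate to these ports"
else
    echo "OK: in_world accepts ESTABLISHED only; remote hosts can answer but not initiate"
fi
```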