
lacibaci

join:2000-04-10
Export, PA

SIP scanners help (USG50)

Can somebody help me set up rule(s) to defeat SIP scanners? I would like to set up a firewall rule that would reject all connection attempts to port 5060 not coming from the following IP ranges:

204.11.192.0/24 (204.11.192.0 - 204.11.192.255)
66.193.176.0/24 (66.193.176.0 - 66.193.176.255)

This is for USG50.

Thanks,
Lac



Anav
Sarcastic Llama? Naw, Just Acerbic
join:2001-07-16
Dartmouth, NS

Basically, you create a service object with that port; unless you want both TCP and UDP on that port, in which case it is easier to just select PORT in the firewall rule and select any for the type of protocol.
Then create an address object for range 1 and another address object for range 2.
Then a group address object containing both 1 and 2.
Create a single address object for the IP that is to receive all these incoming SIPs (destination).
Then you create a WAN-to-LAN firewall rule allowing any user, from SOURCE of the group range, to that destination address and service, on the desired port (and protocol). Set the rule to ALLOW.
Next, after that, you create a rule for any user, any source, to that destination and that service, but DENY.

If this is not on a 1-to-1 mapping IP, and it's on your NAT, then you will have to make a similar virtual mapping rule.
Here you simply allow traffic on that port to make it through to the destination IP.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"




lacibaci

join:2000-04-10
Export, PA

Will this also work if I have SIP ALG enabled?



Anav
Sarcastic Llama? Naw, Just Acerbic
join:2001-07-16
Dartmouth, NS

I have no idea.
Maybe with SIP ALG you don't need a virtual server as the only change??



Brano
I hate Vogons
join:2002-06-25
Burlington, ON

said by lacibaci:

I would like to set up a firewall rule that would reject all connection attempts to port 5060 not coming from the following IP ranges:

204.11.192.0/24 (204.11.192.0 - 204.11.192.255)
66.193.176.0/24 (66.193.176.0 - 66.193.176.255)

As already mentioned, create firewall rule(s) to allow WAN-to-LAN connections for port 5060 only from the two IP ranges above.
As for SIP_ALG or NAT, you don't need to make additional changes, as those are tied to the port, which is not changing.

VoIP is a two-protocol communication (similar to FTP): you have the control protocol, SIP on 5060, which you're addressing here, and RTP (data or voice), whose ports are managed dynamically by SIP_ALG (SIP_ALG sniffs SIP for RTP info and opens the appropriate ports on the firewall).
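The ordered allow-then-deny rule pair described by Anav and Brano, written out as an added example that is not from the thread or from the USG50's own configuration: a small first-match evaluator run over constructed inbound connection attempts. The SIP device's LAN address 192.168.1.20 and all sample source addresses are assumptions; only the two provider ranges and port 5060 come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The two provider ranges quoted in the thread; anything else hitting 5060 is treated as a scanner.
TRUSTED_SIP_SOURCES = (ip_network("204.11.192.0/24"), ip_network("66.193.176.0/24"))
SIP_PORT = 5060
SIP_DEVICE = ip_address("192.168.1.20")  # assumed LAN address of the SIP device (destination object)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "ALLOW" or "DENY"
    sources: tuple     # networks; empty tuple means "any source"
    dest: object       # address; None means "any destination"
    port: int
    protocols: tuple = ("tcp", "udp")  # one service object covering both protocols

    def matches(self, src, dst, port, proto):
        src_ok = not self.sources or any(src in net for net in self.sources)
        dst_ok = self.dest is None or dst == self.dest
        return src_ok and dst_ok and port == self.port and proto in self.protocols

# Ordered WAN-to-LAN rule set as described in the thread: ALLOW the group, then DENY any source.
WAN_TO_LAN = (
    Rule("allow-provider-sip", "ALLOW", TRUSTED_SIP_SOURCES, SIP_DEVICE, SIP_PORT),
    Rule("deny-other-sip", "DENY", (), SIP_DEVICE, SIP_PORT),
)

def evaluate(rules, src, dst, port, proto="udp"):
    """First-match evaluation, the way an ordered firewall rule list behaves.
    Returns (action, rule_name); traffic matching no rule gets ("DEFAULT", None)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port, proto):
            return rule.action, rule.name
    return "DEFAULT", None

# Constructed inbound attempts (not captured traffic): provider, scanners, and an unrelated port.
SAMPLE_ATTEMPTS = [
    ("204.11.192.17", "192.168.1.20", 5060, "udp"),   # provider, inside range 1
    ("66.193.176.200", "192.168.1.20", 5060, "tcp"),  # provider, inside range 2, over TCP
    ("198.51.100.9", "192.168.1.20", 5060, "udp"),    # scanner (TEST-NET-2 documentation address)
    ("204.11.193.5", "192.168.1.20", 5060, "udp"),    # just outside range 1: still a scanner
    ("198.51.100.9", "192.168.1.20", 443, "tcp"),     # not SIP: falls through to the default policy
]

def audit(rules=WAN_TO_LAN, attempts=SAMPLE_ATTEMPTS):
    """Verdict for each attempt, keyed by (source, port)."""
    return {(s, p): evaluate(rules, s, d, p, pr)[0] for s, d, p, pr in attempts}
```

Swapping the two rules makes the DENY match first and blocks the provider as well, which is why the ALLOW rule has to sit above the DENY in the list.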


lacibaci

join:2000-04-10
Export, PA

All right, thanks guys.



dnoyeB
Ferrous Phallus

join:2000-10-09
Southfield, MI

I thought SIP ALG only tried to keep sessions going for SIP. I didn't think the SIP ALG would open ports for RTP. That will be done by the modem anyway, right?

Anyway I don't think you need SIP ALG if you are going to manually open the ports. In this case the ports will always be open (for the IP range). SIP ALG shouldn't hurt, but I don't think it will help.
--
dnoyeB
"Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard. " Ecclesiastes 9:16



lacibaci

join:2000-04-10
Export, PA

Right. SIP ALG affects signaling only. I would turn it off once I define the firewall rules.