NO JOY Firewall settings review

LesD

Member
Joined
Nov 8, 2009
Messages
408
Reaction score
15
PIAF Installed Version = 2.0.6.3 under *VIRTUALBOX*
│ FreePBX Version = 2.11.0.11
│ Running Asterisk Version = 1.8.18.0
│ Operating System = CentOS release 6.3 (Final)
│ Kernel Version = 2.6.32-279.14.1.el6.i686 - 32 Bit

I have noticed entries in the log like
Code:
[2013-12-07 19:49:23] NOTICE[1846] chan_sip.c: Registration from '"22526" <sip:[email protected]:5060>' failed for '79.143.188.22:5088' - No matching peer found
[2013-12-07 19:51:12] NOTICE[1846] chan_sip.c: Registration from '"43670" <sip:[email protected]:5060>' failed for '79.143.188.22:5071' - No matching peer found
[2013-12-07 19:55:29] NOTICE[1846] chan_sip.c: Sending fake auth rejection for device 88<sip:[email protected]>;tag=c256b796
and Fail2Ban has been blocking IPs, so I have reviewed my firewall settings and would appreciate some guidance as to what I should have open and what not.

I use a DrayTek 2850 router/firewall.

I have no external phones connected to the system.

I have various SIP trunks (the main one being a Sipgate.co.uk trunk) and one Anveo trunk set up following advice from this forum.

My firewall settings are:

Open ports: UDP 5060 and UDP 10000-20000
Firewall Rules:
1: Source IP: Anveo SIP POPS; Service Type: SIP; Pass Immediately
2: Source IP: Any; Service Type: SIP; Block Immediately

Anveo SIP POPS is the list of five IPs belonging to Anveo
Service Type SIP is defined as UDP/TCP ports 5060 and 10000-20000

As far as I can see the above should only let through traffic on the open ports if coming from Anveo.

If I close the open ports 5060 and 10000-20000 I get:

- Incoming Anveo calls do not ring - as expected.
- Incoming calls to my Sipgate trunk result in one way sound - Far end cannot hear me.

Unless I open 5060 there is only one way sound.

There is a double question here: first, why do I need 5060 open for the Sipgate trunk, and second, if I do open it, how does it help, as it should be stopped by my firewall settings?

The conclusion to my second question is that the firewall setting is not working properly which in turn answers how these probes are getting through.

I need to get to the bottom of why the firewall is not blocking properly, but why am I getting one way sound if 5060 is closed?
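The NOTICE lines quoted above are exactly what Fail2Ban's Asterisk filter matches against. As an added example that is not part of this thread or of Fail2Ban itself, the following Python script parses lines in that chan_sip format (the sample lines are constructed, using documentation-range IP addresses) and applies a Fail2Ban-style rule of "maxretry failures within findtime" to show which source address would be banned; the thresholds and the exact message wording matched by the regular expressions are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in the format Asterisk 1.8 chan_sip writes; not taken from a live PBX.
SAMPLE_LOG = """\
[2013-12-07 19:49:23] NOTICE[1846] chan_sip.c: Registration from '"22526" <sip:22526@203.0.113.5:5060>' failed for '198.51.100.7:5088' - No matching peer found
[2013-12-07 19:51:12] NOTICE[1846] chan_sip.c: Registration from '"43670" <sip:43670@203.0.113.5:5060>' failed for '198.51.100.7:5071' - No matching peer found
[2013-12-07 19:55:29] NOTICE[1846] chan_sip.c: Sending fake auth rejection for device 88<sip:88@198.51.100.7>;tag=c256b796
[2013-12-07 20:10:01] NOTICE[1846] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5:5060>' failed for '192.0.2.44:5060' - Wrong password
[2013-12-07 20:12:45] VERBOSE[1846] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5:5060>' accepted
"""

TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# One pattern per failure reason; each captures the offending source IP as 'ip'.
PATTERNS = {
    "no_matching_peer": re.compile(
        r"Registration from '.*' failed for '(?P<ip>[\d.]+):\d+' - No matching peer found"),
    "wrong_password": re.compile(
        r"Registration from '.*' failed for '(?P<ip>[\d.]+):\d+' - Wrong password"),
    "fake_auth_rejection": re.compile(
        r"Sending fake auth rejection for device .*<sip:[^@]+@(?P<ip>[\d.]+)"),
}


def parse_events(log_text):
    """Return (timestamp, reason, source_ip) for every line that looks like an auth failure."""
    events = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP.match(line)
        if not ts_match:
            continue
        when = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        for reason, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append((when, reason, match.group("ip")))
                break  # one reason per line
    return events


def summarize(events):
    """Count failures per (source_ip, reason) pair."""
    return Counter((ip, reason) for _, reason, ip in events)


def offenders(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Fail2Ban-style sliding window: flag an IP once it has maxretry failures inside findtime."""
    by_ip = {}
    for when, _, ip in events:
        by_ip.setdefault(ip, []).append(when)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i, current in enumerate(times):
            window_start = current - findtime
            hits = sum(1 for t in times[: i + 1] if t >= window_start)
            if hits >= maxretry:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (ip, reason), count in sorted(summarize(evs).items()):
        print(f"{ip:16} {reason:20} {count}")
    print("would be banned:", sorted(offenders(evs)))
```

Only the source address in `failed for '<ip>:<port>'` (or after the `@` in the fake-auth line) is used for the count; the number in the `From` header is attacker-chosen and worthless for attribution. The accepted registration is ignored because it matches none of the failure patterns.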
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
682
Reaction score
139
Under SIP settings, do you have your external IP and local network defined?
 

LesD

Yes - but ...

I have 2 internet lines connected to my router so I can only specify one of them in SIP settings.

I do have a Load-balance rule in place that all outgoing connections from my PIAF VM should use WAN1 so all trunk registrations should only be going out via WAN1.

I did have the ports open also on WAN2 but the firewall should have blocked that also as the rules do not specify which WAN. However I have now closed the WAN2 ports.

But back to the one way sound - which is what I assume you were referring to - the IP under SIP settings does match the IP that should be used for trunk registrations.
 

miguel

Member
Joined
May 22, 2013
Messages
276
Reaction score
8
I would define different rules. Let's say rule 1 would be Anveo, so I would enter UDP 5060 for that IP, and another rule UDP 10000:20000. Do you have a static external IP? If so, put it in the whitelist.
 

LesD

Define your problem again please

Very good idea. In fact I have been doing some more testing and have concluded the problem is slightly different from that previously described.

Let us limit my query at this point to why do I need to open ports to make two way sound work.

The problem seems to be ports 10000-20000 rather than 5060 (confusion due to both port ranges being defined in the same rule block).

Also the direction of the one way voice was stated wrong.

So let us start again.

It seems that unless I explicitly open ports 10000-20000 then I get one way sound on incoming calls to my sipgate.co.uk SIP trunk.

Outgoing calls seem to be fine.

The one way sound manifests itself in that I cannot hear the caller but they can hear me.

In case it helps, my trunk Peer details are

username=xxxxxxxxx
type=peer
secret=xxxxxxxxx
qualify=yes
nat=yes
insecure=very
host=sipgate.co.uk
fromuser=xxxxxxxxx
fromdomain=mydomain.com
dtmfmode=rfc2833
disallow=all
context=from-trunk
canreinvite=no
authuser=xxxxxxxxx
allow=ulaw
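The symptom described here (the caller cannot be heard, signalling works) is the classic sign that inbound RTP is not reaching the PBX, so two things are worth checking side by side: the NAT-related settings in the trunk definition, and whether the range the router forwards actually covers the range Asterisk hands out in rtp.conf. As an added example that is not code from this thread or from PIAF/FreePBX, here is a small Python checker: it parses a peer stanza in the same key=value style as the one above (credentials replaced by placeholders) and a constructed rtp.conf fragment with the 10000-20000 range Asterisk ships with, and reports anything that would commonly cause one way audio. The checks encoded in `check_nat_trunk` are this example's own heuristics for the Asterisk 1.8 option spellings, not a definitive list.

```python
# Constructed trunk definition in the same key=value style as the peer details quoted above.
# The credentials are placeholders, not real values.
PEER_DETAILS = """\
username=PLACEHOLDER_USER
type=peer
secret=PLACEHOLDER_SECRET
qualify=yes
nat=yes
insecure=very
host=sipgate.co.uk
fromuser=PLACEHOLDER_USER
fromdomain=mydomain.com
dtmfmode=rfc2833
disallow=all
context=from-trunk
canreinvite=no
authuser=PLACEHOLDER_USER
allow=ulaw
"""

# Constructed rtp.conf fragment; 10000-20000 is the range in Asterisk's sample rtp.conf.
RTP_CONF = """\
[general]
rtpstart=10000
rtpend=20000
"""


def parse_kv(text):
    """Parse Asterisk-style key=value lines into a dict.

    [section] headers and ;comments are skipped. allow/disallow may repeat, so they
    accumulate into lists; any other repeated key keeps its last value.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("allow", "disallow"):
            cfg.setdefault(key, []).append(value.lower())
        else:
            cfg[key] = value
    return cfg


def check_nat_trunk(peer):
    """Return findings for a registration trunk whose PBX sits behind a NAT router."""
    findings = []
    # Asterisk 1.8 spelling; newer releases use nat=force_rport,comedia instead.
    if peer.get("nat", "").lower() != "yes":
        findings.append("nat=yes is missing: replies may go to the private address in the SDP")
    # Without canreinvite=no (directmedia=no on newer builds) Asterisk may re-INVITE media
    # away from itself, so the RTP path no longer goes through the forwarded range.
    if (peer.get("canreinvite", "yes").lower() != "no"
            and peer.get("directmedia", "yes").lower() != "no"):
        findings.append("canreinvite=no/directmedia=no is missing: RTP can be re-INVITEd off the PBX")
    if peer.get("qualify", "no").lower() == "no":
        findings.append("qualify=yes is missing: nothing keeps the router's NAT binding alive")
    if peer.get("insecure", "").lower() == "very":
        findings.append("insecure=very is the deprecated spelling of insecure=port,invite")
    if not peer.get("allow"):
        findings.append("no codec is allowed after disallow=all")
    if not peer.get("context"):
        findings.append("no inbound context is set")
    return findings


def rtp_range(rtp_conf_text):
    """Return (rtpstart, rtpend) from an rtp.conf fragment."""
    cfg = parse_kv(rtp_conf_text)
    return int(cfg["rtpstart"]), int(cfg["rtpend"])


def forwarded_range_covers(forwarded, rtp):
    """True when the router's forwarded (low, high) UDP range covers Asterisk's RTP range."""
    (f_low, f_high), (r_low, r_high) = forwarded, rtp
    return f_low <= r_low and f_high >= r_high


if __name__ == "__main__":
    peer = parse_kv(PEER_DETAILS)
    for finding in check_nat_trunk(peer) or ["no NAT-related findings"]:
        print("-", finding)
    asterisk_range = rtp_range(RTP_CONF)
    print("rtp.conf range:", asterisk_range)
    print("router forward 10000-20000 covers it:",
          forwarded_range_covers((10000, 20000), asterisk_range))
```

The two ranges must agree at the router and in rtp.conf; forwarding a narrower range than Asterisk uses produces intermittent one way audio on whichever calls land on ports outside the forwarded window.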
 

miguel

Open ports 10000 to 20000 UDP and forward them to the PBX.
 

LesD

I have done that and so it works.

My question is that I understood there was no need to open any ports as long as all the phones were inside the network.
 

miguel

Well, you do not have to open the ports on the router but on the PC running PIAF.
 

LesD

I do not understand. PIAF is the 'PC'. Even though it runs as a VM on a host machine, it behaves exactly like a stand-alone PC on the network.

Its own firewall is set on installation and I have never touched that. Whatever ports need to be opened are already open.

If I do not open 10000-20000 on the router and forward it to PIAF then I get the one way sound problem.
 
