FOOD FOR THOUGHT Travelin Man 3 and ipset

I wanted to offer up a suggestion concerning the firewall and the use of ipsets. I see it is currently configured to block China, Russia, Palestine, N Korea, Ukraine, Moldavia.

Anyway, rather than blocking those countries specifically, how about using this type of logic:

/sbin/iptables -A INPUT -p tcp -m set ! --match-set us src -j DROP
/sbin/iptables -A INPUT -p udp -m set ! --match-set us src -j DROP

This uses the reverse logic of "! --match-set": in other words, drop all packets that are not from the US. I realize this would only work for someone in the US who wanted to block every country but the US. In my case, I don't have any reason for international calls and therefore no reason to connect to a SIP provider outside the US.

I realize this is extreme and probably not for everyone, just a thought though...
 
For Travelin' Man 3, we've given up on blacklists. IPset was primarily for those that have a traditional web server that they want to protect. TM3 uses a whitelist only, and individual entries or FQDNs have to be entered before anybody gets access to your server. There are just too many compromised PCs in the U.S. and elsewhere to trust any other solution IMHO.
 
Sorry, I should have mentioned, this was for TM3 for 3CX. I noticed that it opens up ports 5000, 5001, 5060, 5061, 5090, 9000-9500 and some other ports. Anyway, I feel a little more comfortable only allowing US IP addresses through to access those ports.

And actually, I lock most of them down for more restricted access, but I do leave 5001 and 5090 open for remote clients. Anyway, that may not be for everyone...

Thanks
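The difference between the country blacklist and the inverted "! --match-set us" whitelist from the first post, and the port-restricted variant from the follow-up (only the 3CX ports, 5001 and 5090 among them), is easiest to see by emulating the INPUT chain offline. The following is an added example, not code from this thread or from Travelin' Man 3: it reproduces iptables first-match semantics and ipset membership in Python, using constructed sample CIDRs (TEST-NET ranges) in place of real GeoIP data, and a constructed 10.0.0.0/8 LAN.

```python
"""Offline emulation of the INPUT-chain policies discussed above.
Added example, not code from the thread or from Travelin' Man 3; the
country CIDRs and packets are constructed stand-ins for GeoIP data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Constructed sample ipsets (a real "us" hash:net set has thousands of entries).
SETS = {
    "us": ["192.0.2.0/24", "198.51.100.0/24"],
    "cn": ["203.0.113.0/24"],
}

def load_sets(raw):
    return {name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in raw.items()}

def in_set(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT or DROP
    proto: Optional[str] = None            # -p tcp / -p udp, None = any
    dports: FrozenSet[int] = frozenset()   # --dports, empty = any port
    src_cidr: Optional[str] = None         # -s CIDR
    match_set: Optional[str] = None        # -m set --match-set NAME src
    negate: bool = False                   # the "! --match-set" form

    def matches(self, pkt, sets):
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dports and pkt["dport"] not in self.dports:
            return False
        if self.src_cidr and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src_cidr):
            return False
        if self.match_set and in_set(pkt["src"], sets[self.match_set]) == self.negate:
            return False   # a hit on a negated match, or a miss on a plain one
        return True

def verdict(pkt, rules, sets, policy="ACCEPT"):
    """First matching rule decides, as in iptables; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt, sets):
            return rule.target
    return policy

# 1. Country blacklist: drop the listed countries, everything else passes.
BLACKLIST = [Rule("DROP", match_set="cn")]

# 2. The two rules from the first post: drop every TCP/UDP packet whose
#    source is NOT in "us".  Nothing is exempt, so the LAN (which is in no
#    country set) and the web port are dropped too.
WHITELIST_US_ALL = [
    Rule("DROP", proto="tcp", match_set="us", negate=True),
    Rule("DROP", proto="udp", match_set="us", negate=True),
]

# 3. The same idea confined to the 3CX ports named in the thread, with the
#    LAN accepted first so the negated match cannot lock out local phones.
PBX_PORTS = frozenset({5000, 5001, 5060, 5061, 5090}) | frozenset(range(9000, 9501))
WHITELIST_US_PBX = [
    Rule("ACCEPT", src_cidr="10.0.0.0/8"),
    Rule("DROP", proto="tcp", dports=PBX_PORTS, match_set="us", negate=True),
    Rule("DROP", proto="udp", dports=PBX_PORTS, match_set="us", negate=True),
]

def check(rules, src, proto="udp", dport=5060):
    """Verdict for one constructed packet against one of the rule lists."""
    pkt = {"src": src, "proto": proto, "dport": dport}
    return verdict(pkt, rules, load_sets(SETS))

if __name__ == "__main__":
    for name, rules in [("blacklist", BLACKLIST), ("us-all", WHITELIST_US_ALL), ("us-pbx", WHITELIST_US_PBX)]:
        for src, proto, dport in [("203.0.113.5", "udp", 5060), ("100.64.0.1", "udp", 5060),
                                  ("10.1.2.3", "udp", 5060), ("100.64.0.1", "tcp", 443)]:
            print(f"{name:9} {src:>12} {proto}/{dport}: {check(rules, src, proto, dport)}")
```

Two things the emulation makes visible that the two posted rules do not: an address outside every country set (the 100.64.0.1 packet, or your own LAN) is dropped by the negated match, so an ACCEPT for local ranges and RELATED,ESTABLISHED traffic has to sit before it; and because the posted rules are appended with -A, they land after whatever TM3 has already put in INPUT, so an earlier ACCEPT wins. On a real box the set is created with `ipset create us hash:net`, loaded with `ipset add us CIDR`, and membership can be confirmed with `ipset test us 192.0.2.10` before the DROP rules go in.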
 
Personally, I have not given up on blacklists, but dynamically adding the whole domain behind the offending host, not just the host, is surprisingly effective. I use CSF as a firewall, fail2ban as an IDS, and add all the usual available blacklists, not just the VoIP ones, transformed from host to underlying network.

I do this because the knuckle-draggers are NOT just VoIP based: an open server WILL be probed for SIP, phpMyAdmin, and any number of other vectors like WordPress or Webmin, and these are then all redistributed to the "other knuckle-dragger" networks that so specialize.

True, you might get Apple's network (never yet) or Roadrunner occasionally, but my whitelists, also done to the underlying network of the host to cover 99.9% of the DHCP-served services out there, and using ipsets, are also surprisingly effective.

But slowly and surely all your Palestinians or Chinese (who now of course use hosted machines in Western countries) are rejected.

And you can STILL expose your UCP/FOP2/AVANTFAX and other useful services to your now well-restricted "Internet".

So whitelists are great but limiting and need continual tuning; blacklists are also great but need continual tuning too. Put the two together and I find it all works, and my clients never have to whine when they are in a hotel in Paris. We all just need to wait for the next general failure of the Asterisk/3CX/VoIP/WAZO whatever systems; you all know it WILL happen, it's just when ;-)
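One way to do the "host to underlying network" step the post above describes, so that a fail2ban or CSF action bans the allocation an attacker's address came from rather than the single IP. This is an added example and not the poster's own tooling; it assumes the RIR delegated-extended statistics format (pipe-separated registry|cc|type|start|value|date|status records, where for IPv4 the value is an address count that need not be a power of two) and uses constructed sample records in place of a real download. The ipset name `badnets` is an assumption.

```python
"""Expand an offending host to the RIR allocation that contains it.
Added example, not the poster's tooling; SAMPLE is constructed data in
the delegated-extended format, with TEST-NET and shared-address ranges
standing in for real allocations."""
import ipaddress

SAMPLE = """\
apnic|CN|ipv4|203.0.113.0|256|20110414|allocated
arin|US|ipv4|192.0.2.0|768|20100101|allocated
arin|US|ipv4|198.51.100.0|256|20100101|assigned
ripencc|PS|ipv4|100.64.0.0|1024|20120303|allocated
arin||ipv4|240.0.0.0|268435456||reserved
"""

def parse_delegations(text):
    """Return [(cc, first_ip, last_ip)] for IPv4 allocated/assigned records."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 7 or f[2] != "ipv4" or f[6] not in ("allocated", "assigned"):
            continue
        start = ipaddress.ip_address(f[3])
        count = int(f[4])                     # address count, not a prefix length
        out.append((f[1], start, start + (count - 1)))
    return out

def covering_block(ip, delegations):
    """(cc, [CIDR, ...]) for the allocation containing ip, or None if unknown.
    A 768-address allocation is not one CIDR, hence the summarize step."""
    addr = ipaddress.ip_address(ip)
    for cc, first, last in delegations:
        if first <= addr <= last:
            cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
            return cc, cidrs
    return None

def ipset_commands(ip, delegations, setname="badnets"):
    """ipset lines a ban action could run; -exist keeps re-adds from erroring.
    With no covering record, fall back to banning just the host."""
    hit = covering_block(ip, delegations)
    if hit is None:
        return [f"ipset add -exist {setname} {ip}"]
    _cc, cidrs = hit
    return [f"ipset add -exist {setname} {c}" for c in cidrs]

if __name__ == "__main__":
    d = parse_delegations(SAMPLE)
    for offender in ("203.0.113.9", "192.0.4.7", "9.9.9.9"):
        print(offender, "->", covering_block(offender, d))
        print("\n".join(ipset_commands(offender, d)))
```

The trade-off the post already names applies here: one scanner on a large ISP block bans every customer in that allocation, which is exactly why the same expansion is worth applying to the whitelist for clients on DHCP-served ranges, with the whitelist set matched before the blacklist set in the chain.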
 