About

If you are going to route traffic across your network, you need to make sure that no firewall is blocking traffic on the network paths involved. Firewalls are commonly installed at egress points, where your local network connects to the Internet, and you may also run a firewall on the server itself, although in some corporate environments this is not the case. If you are not responsible for your network, contact the group or individuals who are.

...

| Firewall Port(s) | Network Protocol | Application Protocol | Description |
|---|---|---|---|
| 1719 | UDP | H.323 Gatekeeper RAS port | |
| 1720 | TCP | H.323 Call Signaling | |
| 3478 | UDP | STUN service | Used for NAT traversal |
| 3479 | UDP | STUN service | Used for NAT traversal |
| 5002 | TCP | MLP protocol server | |
| 5003 | UDP | Neighborhood service | |
| 5060 | UDP & TCP | SIP UAS | Used for SIP signaling (standard SIP port, for the default "Internal" profile) |
| 5070 | UDP & TCP | SIP UAS | Used for SIP signaling (for the default "NAT" profile) |
| 5080 | UDP & TCP | SIP UAS | Used for SIP signaling (for the default "External" profile) |
| 8021 | TCP | ESL | Used for mod_event_socket * |
| 16384-32768 | UDP | RTP/RTCP multimedia streaming | Used for audio/video data in SIP, Verto, and other protocols |
| 5066 | TCP | Websocket | Used for WebRTC |
| 7443 | TCP | Websocket | Used for WebRTC |
| 8081-8082 | TCP | Websocket | Used for Verto |


Note: ESL SECURITY RISK

Think carefully before opening the ESL port to the outside world, and change the default password. ESL allows any system command to be run, and can even crash FreeSWITCH on request (a feature intended for call recovery testing). Allowing public access is therefore a security risk.

Note that the ports may vary depending on which modules you have loaded and how they are configured: you may have more or fewer SIP profiles, for instance, and you may have changed many of the ports above, including those for SIP, RTP and ESL.

Linux netfilter iptables

 


Tip: THIS IS REQUIRED IF YOU ARE USING AN IPTABLES FIREWALL!!!

You must add the interface and port numbers for each sip_profile used in your FreeSWITCH installation.

The nf_conntrack_sip and nf_conntrack_h323 modules watch unencrypted SIP/H.323 signaling and automatically open the firewall ports required for the RTP media, provided you accept packets in the RELATED state. SIP and H.323 packets after the first one are in the ESTABLISHED state. If you accept RELATED,ESTABLISHED packets before processing new/unknown packets, the firewall accepts subsequent packets much sooner, which lowers CPU usage and latency.
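The two points above, the Tip's requirement to open every sip_profile port and the placement of the RELATED,ESTABLISHED rule ahead of the per-port rules, can be shown in one ruleset. The following is an added example and not from the FreeSWITCH wiki: a small POSIX shell generator that prints an iptables-restore file for an interface name, a list of SIP profile ports and an RTP port range, all passed as arguments (the values eth0, "5060 5070 5080" and 16384-32768 in the usage line are assumptions, not FreeSWITCH defaults taken from this page). It also binds the SIP conntrack helper explicitly with the CT target in the raw table: on Linux 4.7 and later automatic helper assignment is off by default (and removed entirely in 6.0), so without that line nf_conntrack_sip never sees the signaling and no RELATED entries for RTP are ever created. ESL (8021) is deliberately left closed, as the note above recommends.

```shell
#!/bin/sh
# Added example, not from the FreeSWITCH wiki: print an iptables-restore
# ruleset for a FreeSWITCH host with several SIP profiles. Nothing here
# touches the live firewall; redirect the output into a rules file.
# All arguments are assumptions for this example (interface, space-separated
# SIP ports, RTP low/high port); none are read from FreeSWITCH.

# gen_fs_rules IFACE "PORT PORT ..." RTP_LOW RTP_HIGH
gen_fs_rules() {
    iface=$1; sip_ports=$2; rtp_low=$3; rtp_high=$4

    printf '%s\n' '*raw'
    # Since Linux 4.7 conntrack helpers are not attached automatically, so
    # bind the SIP helper to every signaling port on this interface. Without
    # it nf_conntrack_sip never parses the INVITE/SDP and the RTP ports are
    # never opened as RELATED.
    for p in $sip_ports; do
        printf '%s\n' "-A PREROUTING -i $iface -p udp --dport $p -j CT --helper sip"
        printf '%s\n' "-A PREROUTING -i $iface -p tcp --dport $p -j CT --helper sip"
    done
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # State rule first: every packet of an accepted SIP or RTP flow after the
    # first one matches here, so the per-port rules below are rarely
    # evaluated. "-m conntrack --ctstate" is the current spelling of the
    # wiki's "-m state --state".
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One NEW-connection rule per SIP profile port and transport.
    for p in $sip_ports; do
        printf '%s\n' "-A INPUT -i $iface -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # The helper only reads plaintext SIP, so the RTP range is still opened
    # explicitly for media negotiated over SIP TLS or other encrypted
    # signaling. ESL (TCP 8021) is intentionally not opened here.
    printf '%s\n' "-A INPUT -i $iface -p udp --dport $rtp_low:$rtp_high -j ACCEPT"
    # Rate-limited log of what the DROP policy discards (read with dmesg).
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    printf '%s\n' 'COMMIT'
}

# Sanity check: the number of NEW-connection ACCEPT rules must be twice the
# number of SIP ports (one UDP and one TCP rule each).
count_sip_rules() {
    gen_fs_rules "$@" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Usage (values are assumptions for this example):
#   gen_fs_rules eth0 "5060 5070 5080" 16384 32768 > /etc/iptables.up.rules
#   iptables-restore < /etc/iptables.up.rules
```

Running the generator and diffing its output against your current rules file is a cheap way to catch a profile whose port was added to FreeSWITCH but never to the firewall.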

...

Example iptables rules. Create the rules file, for example with `vim ~/iptables.fs.rules`, with the following contents:

```
*mangle
# mark SIP UDP packets with CS3
-A OUTPUT -p udp -m udp --sport 5060 -j DSCP --set-dscp-class cs3
# mark SIP TCP packets with CS3
-A OUTPUT -p tcp --sport 5060 -j DSCP --set-dscp-class cs3
# mark SIP TLS packets with CS3
-A OUTPUT -p tcp --sport 5061 -j DSCP --set-dscp-class cs3
# mark RTP packets with EF
-A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp-class ef
COMMIT
*filter
# Allow all loopback (lo) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow SSH connections (THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE)
-A INPUT -p tcp -m state --state NEW --dport 6245 -j ACCEPT
# Allow STUN service (used for NAT traversal)
-A INPUT -p udp --dport 3478 -j ACCEPT
-A INPUT -p udp --dport 3479 -j ACCEPT
# Allow MLP protocol server
-A INPUT -p tcp --dport 5002 -j ACCEPT
# Allow Neighborhood service
-A INPUT -p udp --dport 5003 -j ACCEPT
# Allow SIP UDP
-A INPUT -p udp --dport 5060 -j ACCEPT
# Allow SIP TCP
-A INPUT -p tcp --dport 5060 -j ACCEPT
# Allow SIP TLS
-A INPUT -p tcp --dport 5061 -j ACCEPT
# Allow RTP
-A INPUT -p udp --dport 16384:32768 -j ACCEPT
# Allow XML-RPC (port 8080) from one other server only; replace 192.168.0.122 with the IP of the host that will access it
-A INPUT -p tcp --dport 8080 -s 192.168.0.122 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log denied packets, rate limited (read them with the 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
```

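The LOG rule near the end of that file is only useful if someone reads what it produces. As an added example, not part of the wiki page, here is a POSIX shell summariser for the "iptables denied: " lines the rule writes to the kernel log, grouping them by source, protocol and destination port, plus a filter that lists the sources probing the ESL port 8021, which the note above says should never be reachable from outside. The four log lines in SAMPLE_LOG are constructed for this example (documentation addresses, invented timestamps and MAC); on a real host pipe the output of dmesg or journalctl -k into summarise_denied instead.

```shell
#!/bin/sh
# Added example, not from the FreeSWITCH wiki: summarise the
# "iptables denied: " lines that the LOG rule writes to the kernel log.
# SAMPLE_LOG is constructed for this example; on a real host run:
#   dmesg | summarise_denied
SAMPLE_LOG='[  101.5] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=428 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5078 DPT=5080 LEN=408
[  101.9] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=431 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5078 DPT=5080 LEN=411
[  102.1] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44122 DPT=8021 WINDOW=29200 RES=0x00 SYN URGP=0
[  103.9] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=8021 WINDOW=29200 RES=0x00 SYN URGP=0'

# summarise_denied: read kernel log lines on stdin and print one line per
# (source, protocol, destination port) as "count src proto dport",
# most frequent first. Only the KEY=VALUE fields of the LOG format are
# used, so the line prefix (timestamp, log-prefix) does not matter.
summarise_denied() {
    grep 'iptables denied:' | awk '
        {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue          # flags such as DF or SYN
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "" && dpt != "") hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# esl_probe_sources: unique sources that tried to reach TCP 8021 (ESL).
# Any hit here is worth a look, since ESL should never be exposed.
esl_probe_sources() {
    summarise_denied | awk '$3 == "TCP" && $4 == "8021" { print $2 }' | sort -u
}

# Wrappers over the constructed sample so the results can be checked.
demo_summary()    { printf '%s\n' "$SAMPLE_LOG" | summarise_denied; }
demo_esl_probes() { printf '%s\n' "$SAMPLE_LOG" | esl_probe_sources; }
```

Because the LOG rule is rate limited to 5/min, the counts are a lower bound on what was actually dropped; they are good for spotting who is probing, not for measuring volume.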
The six rules below block the vast majority of SIP scanner traffic that randomly scans the Internet. Use them in conjunction with Fail2Ban and you will be in good shape against rogue attackers.

SIP scanner iptables block:

```bash
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
```

Turn on the rules

```bash
iptables-restore < ~/iptables.fs.rules
```

...

To load the rules automatically whenever the network interface comes up, create the script /etc/network/if-pre-up.d/iptables (for example with `vim /etc/network/if-pre-up.d/iptables`) with the following contents:

```bash
#!/bin/bash
# The path below must match where you saved the rules file
# (e.g. copy ~/iptables.fs.rules to /etc/iptables.up.rules)
/sbin/iptables-restore < /etc/iptables.up.rules
```

Then make it executable:

```bash
chmod +x /etc/network/if-pre-up.d/iptables
```