d.davolio@mastertraining.it
2011-Apr-12 14:56 UTC
Can't stop SIP (UDP?) traffic on my Server
Sure I'm missing something.
I'm using Shorewall 4.0.6 on a Debian Etch server with kernel 2.6.24. The server is running asterisk 1.6 with few IP Phones registered to the asterisk, on the internal Interface eth0. The server has indeed a public interface eth1 used by asterisk to connect to external SIP providers. Now, I simply can't prevent an external IP Phone from registering on my asterisk on interface eth1.

I tried to stop the UDP traffic with this rule (rules file):

DROP net:XX.XX.XX.XX fw udp 1024:65535

Where XX.XX.XX.XX is the public ip address of the IP Phone. How could it be?

The interface file looks like:

net eth1 detect tcpflags,nosmurfs
loc eth0 detect tcpflags,nosmurfs

The policy file looks like:

$FW all ACCEPT
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info

I really don't know where to look for. Can anyone point me in the right direction?

Thanks!

On 04/12/2011 07:56 AM, d.davolio@mastertraining.it wrote:
> Sure I'm missing something.
> I'm using Shorewall 4.0.6 on a Debian Etch server with kernel 2.6.24.

A museum piece! :-)

> The server is running asterisk 1.6 with few IP Phones registered to the
> asterisk, on the internal Interface eth0. The server has indeed a public
> interface eth1 used by asterisk to connect to external SIP providers.
> Now, I simply can't prevent an external IP Phone from registering on my
> asterisk on interface eth1.

> I tried to stop the UDP traffic with this rule (rules file):
>
> DROP net:XX.XX.XX.XX fw udp 1024:65535
>
> Where XX.XX.XX.XX is the public ip address of the IP Phone. How could it be?

So long as there is traffic on the 'connection', that rule won't stop it. It will only stop *new* connections from being made. You need the same rule in the ESTABLISHED section of the rules file in order to stop traffic entirely.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

d.davolio@mastertraining.it wrote:
> I'm using Shorewall 4.0.6 on a Debian Etch server with kernel 2.6.24.
> The server is running asterisk 1.6 with few IP Phones registered to the
> asterisk, on the internal Interface eth0. The server has indeed a public
> interface eth1 used by asterisk to connect to external SIP providers.
> Now, I simply can't prevent an external IP Phone from registering on my
> asterisk on interface eth1.
> I tried to stop the UDP traffic with this rule (rules file):
>
> DROP net:XX.XX.XX.XX fw udp 1024:65535
>
> Where XX.XX.XX.XX is the public ip address of the IP Phone. How could it be?
>
> The interface file looks like:
>
> net eth1 detect tcpflags,nosmurfs
> loc eth0 detect tcpflags,nosmurfs
>
> The policy file looks like:
>
> $FW all ACCEPT
> net $FW DROP info
> net loc DROP info
> net all DROP info
> all all REJECT info

Firstly, you only need to block port 5060 to stop SIP (assuming you aren't running a non-standard port). Also be aware that SIP can use TCP as well as UDP.

But I see that your policies will drop the traffic anyway, so a drop rule is redundant.

As Tom has already pointed out, if the phone had a connection active before you invoked the firewall then that connection will remain open. Also check your rules file for anything that might be explicitly permitting the traffic.

Lastly, check that you don't have anything configured on your Asterisk setup that might be sending outbound SIP packets to the device - that would be enough to create an open connection which would permit inbound traffic as well.

Not related to this, but make sure you use good strong passwords for your devices. We have to allow external access to our system at work to cater for home and mobile users - we regularly get brute force attacks, one day we had two separate attacks that overlapped!

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
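
Added example, not part of the original thread and not Shorewall or kernel code: a toy Python model of the behaviour Tom and Simon describe above, where a DROP rule that is only consulted for NEW packets never sees a flow that is already tracked, and an outbound packet opens a flow that lets replies in. The addresses, the 180-second timeout and keying flows by remote IP only are assumptions made for the illustration.

```python
# Toy model of stateful filtering; not Shorewall or kernel code.
UDP_TIMEOUT = 180          # assumed idle lifetime (s) of a tracked UDP flow
PHONE = "203.0.113.10"     # constructed address of the external IP phone
PEER = "203.0.113.20"      # constructed address of a SIP provider

class Firewall:
    def __init__(self, new_drops=(), established_drops=()):
        self.new_drops = set(new_drops)                  # DROP rules, SECTION NEW
        self.established_drops = set(established_drops)  # DROP rules, SECTION ESTABLISHED
        self.flows = {}   # remote IP -> expiry time (real conntrack keys on the full tuple)

    def seed_flow(self, remote, now=0):
        """Record a flow that was already tracked before the rule was added."""
        self.flows[remote] = now + UDP_TIMEOUT

    def packet(self, now, remote, inbound=True):
        """Return (verdict, reason) for one UDP packet to or from `remote`."""
        if self.flows.get(remote, 0) > now:              # tracked flow: ESTABLISHED
            self.flows[remote] = now + UDP_TIMEOUT       # each packet refreshes the entry
            if inbound and remote in self.established_drops:
                return ("DROP", "rule in SECTION ESTABLISHED")
            return ("ACCEPT", "ESTABLISHED")
        self.flows.pop(remote, None)                     # forget an expired entry
        if not inbound:                                  # policy: $FW all ACCEPT
            self.flows[remote] = now + UDP_TIMEOUT       # outbound packet opens a flow
            return ("ACCEPT", "policy $FW all")
        if remote in self.new_drops:
            return ("DROP", "rule in SECTION NEW")
        return ("DROP", "policy net $FW")                # dropped, so no flow is created

def replay(fw, remote, times):
    """Feed inbound packets from `remote` at the given times; return the verdicts."""
    return [fw.packet(t, remote)[0] for t in times]

if __name__ == "__main__":
    only_new = Firewall(new_drops={PHONE})
    only_new.seed_flow(PHONE)
    print(replay(only_new, PHONE, [60, 120, 180, 600]))  # re-REGISTER every 60 s, then a gap
    both = Firewall(new_drops={PHONE}, established_drops={PHONE})
    both.seed_flow(PHONE)
    print(replay(both, PHONE, [60, 120]))
    idle = Firewall()
    print(idle.packet(0, PEER), idle.packet(10, PEER, inbound=False), idle.packet(20, PEER))
```

With the rule only in the NEW section the phone keeps getting through until it stays silent for longer than the timeout; with the same rule in the ESTABLISHED section the first packet is already dropped.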
d.davolio@mastertraining.it
2011-Apr-13 10:01 UTC
Re: Can't stop SIP (UDP?) traffic on my Server
On 04/12/2011 07:03 PM, Tom Eastep wrote:
> On 04/12/2011 07:56 AM, d.davolio@mastertraining.it wrote:
>> Sure I'm missing something.
>> I'm using Shorewall 4.0.6 on a Debian Etch server with kernel 2.6.24.
> A museum piece! :-)
>

Yes! It is! :) But it worked so fine so far... It's a pity to dismiss it :)

>> The server is running asterisk 1.6 with few IP Phones registered to the
>> asterisk, on the internal Interface eth0. The server has indeed a public
>> interface eth1 used by asterisk to connect to external SIP providers.
>> Now, I simply can't prevent an external IP Phone from registering on my
>> asterisk on interface eth1.
>> I tried to stop the UDP traffic with this rule (rules file):
>>
>> DROP net:XX.XX.XX.XX fw udp 1024:65535
>>
>> Where XX.XX.XX.XX is the public ip address of the IP Phone. How could it be?
> So long as there is traffic on the 'connection', that rule won't stop
> it. It will only stop *new* connections from being made. You need the
> same rule in the ESTABLISHED section of the rules file in order to stop
> traffic entirely.
>
> -Tom

That was the problem. I was making a mistake because it seems that even if I drop all the connections on asterisk, stopping the daemon, the ip phone was able to register once started again. But the SECTION ESTABLISHED really matches my traffic.

Thanks!!!
d.davolio@mastertraining.it
2011-Apr-13 10:06 UTC
Re: [SOLVED] Can't stop SIP (UDP?) traffic on my Server
On 04/12/2011 08:15 PM, Simon Hobson wrote:
> d.davolio@mastertraining.it wrote:
>
>> I'm using Shorewall 4.0.6 on a Debian Etch server with kernel 2.6.24.
>> The server is running asterisk 1.6 with few IP Phones registered to the
>> asterisk, on the internal Interface eth0. The server has indeed a public
>> interface eth1 used by asterisk to connect to external SIP providers.
>> Now, I simply can't prevent an external IP Phone from registering on my
>> asterisk on interface eth1.
>> I tried to stop the UDP traffic with this rule (rules file):
>>
>> DROP net:XX.XX.XX.XX fw udp 1024:65535
>>
>> Where XX.XX.XX.XX is the public ip address of the IP Phone. How could it be?
>>
>> The interface file looks like:
>>
>> net eth1 detect tcpflags,nosmurfs
>> loc eth0 detect tcpflags,nosmurfs
>>
>> The policy file looks like:
>>
>> $FW all ACCEPT
>> net $FW DROP info
>> net loc DROP info
>> net all DROP info
>> all all REJECT info
> Firstly, you only need to block port 5060 to stop SIP (assuming you
> aren't running a non-standard port). Also be aware that SIP can use
> TCP as well as UDP.

Yep, you are right. But I like to drop all the SIP (and RTP) traffic ;)

> But I see that your policies will drop the traffic anyway, so a drop
> rule is redundant.
>
> As Tom has already pointed out, if the phone had a connection active
> before you invoked the firewall then that connection will remain
> open. Also check your rules file for anything that might be
> explicitly permitting the traffic.
>
> Lastly, check that you don't have anything configured on your
> Asterisk setup that might be sending outbound SIP packets to the
> device - that would be enough to create an open connection which
> would permit inbound traffic as well.
>

You are right again. I have some external accounts registered to voip providers and generating udp traffic of course. Now I understand where I was wrong!

Thanks again!