Proper firewall rules for security 5060 and 5061

I know this has been asked before many times but all posts say close port 5060 to the external world. Would that not also block the trunk as well?

I was having a problem with SIP connection attempts from RIPE ip blocks, and I entered all the relevant IP blocks I can find in to the Blacklist in the Firewall GUI. However when running Tshark I see there still being registration attempts from those IP blocks.
89.163.140.244 -> 192.168.1.110 SIP/SDP 834 Request: INVITE sip:[email protected]:5060 | , with session description
1680.118175 192.168.1.161 -> 192.168.1.110 CLASSIC-STUN 64 Message: Binding Request
1684.487889 192.168.1.110 -> 192.168.1.161 SIP 594 Request: OPTIONS sip:[email protected]:5060 |
1684.500339 192.168.1.161 -> 192.168.1.110 SIP 495 Status: 200 OK |
1685.949753 192.168.1.163 -> 192.168.1.110 CLASSIC-STUN 64 Message: Binding Request
1695.948912 192.168.1.163 -> 192.168.1.110 CLASSIC-STUN 64 Message: Binding Request
1700.073956 192.168.1.161 -> 192.168.1.110 CLASSIC-STUN 64 Message: Binding Request
1705.948929 192.168.1.163 -> 192.168.1.110 CLASSIC-STUN 64 Message: Binding Request

Secondly, under Intrusion Detection I do not see those ip addresses being banned.

Is there something wrong with my config then?

Yes, but there was no response, because it was blocked, so, everything’s working fine.

I am trying to lockdown the freepbx server with CSF rules. I am running in to a problem with whitelisting RTP servers for Plivo. They do release server IP for their SIP servers, but refuse to provide their RTP server IPs. I was able to find their rtsp server ip through a site which uses the plivo backbone, but it seems like Plivo has changed their IPs again so CSF is block legitimate RTP ip addresses.

Any ideas on how to do solve this issue?

Should I just not run csf, and let the freepbx firewall take care of the rest?

You should never be attempting to filter RTP. Always allow all RTP traffic through - UDP ports 10000 to 20000, usually.

This is not a security issue, and in fact, having a large range of ports open INCREASES your security.

Basically, just forward all traffic as it comes in, and don’t worry about it.

Saying that, yes, use FreePBX Firewall 8)

ok thanks

About closing port 5060-5061… If you have no incomming connections (external phones…), then YES, keep them closed. Your PBX will still be able to get through your firewall and create an OUTBOUND connection (Notice the direction). Same for RTP traffic.

If you DO have external devices, the YES you need a SIP port to go through as well as RTP Port. For the RTP, you could put it on another non-standard port, 5065 fro example. Your external connections then need to have that added to their connection and you should be good. Most scanners will check 5060-61 and 5080 as those seem to be the more common ports.

Since RTP is used to transmit Media after the SIP setup, I would imagine that any RTP packets not know to go with a SIP setup will simply be discarded.

Thank you for the reply mpelchat.

I take it that RTP are always outbound?

Is it correct that SIP ports need to be left open for trunk providers?

The problem I am facing is how to block these sorts of request:
66.85.76.170 -> 192.168.1.110 SIP/SDP 806 Request: INVITE sip:[email protected]:5060

I am not familiar with iptables. I have whitelisted all the source IPs for SIP ports from my trunk providers, I do not have external SIP clients. I have left RTP ports open inbound/outbound.

How do I create a explicit rule to block all other requests on 5060,5061?

RTP isn’t always outbound. During a conversation, there will be two streams,1 in and 1 out, both on different ports.

In the case were asterisk is connecting to a ITSP, the SIP connection is outbound. RTP then uses the ports assigned by Asterisk for media stream. In the case of a external phone, the SIP and RTP are initiated by the Phone which is outside the local network, so the ports have to be opened and traffic directed to the PBX.

To block ports, normally you don’t have to do anything. Firewalls usually block ALL traffic by default, and YOU have to open ports.

Now as a point of detail, I am refering to an actual firewall device the would usually by connected to the Modem. Sometime also included are part of the Router/WIFI device most homes and SMBs now have. In my case, I have our ISP modem connected to a dedicated Firewall which controls bandwidth, Firewall, NAT (which is actually what this discussion is about - Network Address Translation), SPAM, etc…

If by trunk providers, you mean to connect to YOUR service provider, you do NOT need to open ports, THEY do. If YOU are the service provider, then YES you do… and you should learn more before selling the service.

Marc

I am not selling service. I am using Plivo and Twilio. I was having issues with both and had to place our server on DMZ. The machine is sitting behind a fios router/firewall. I can forward only port 5060 and 5061 to it, and that’s the minimum that will allow it to receive inbound calls.

What am I missing here about not needing to open ports on my end? Plivo terminates the call via SIP and it can’t reach my server if I don’t have a port open.

IT’s rather odd that you should HAVE to put it in the DMZ. It sound like you may have bigger issues.

One of the problems is that your MAY have a SIP Helper enables on your firewall. They tend to mess with he IP adresses inside the SIP Packets to deal with network translation (Firewalls). Asterisk can handle this easily if properly configured. In your firewall, look for something called SIP Helper, or SIP ALG, and disable it.

In my case, I don’t run on port 5060 and am able to connect to my ITSP which does. It took a bit of research, but it is quite doable. All my clients are also on a non-standard port, and can connect to my system (both different). When the SIP Connection is started, some of the info shared in the IP address to contact it and Port. When the connection is to external IP, Asterisk (FPBX) uses the external IP defined in the SIP settings, otherwise it uses the local IP.

how do you connect your pbx to the itsp (your sip trunk provider)? if you use ip authentication, then yes you must open the call control ports (standard is 5060 for sip) and forward them to your pbx. if you are using registration (i.e. your pbx registers with the sip trunk provider) you should not need to open any ports on your external firewall but check the udp session timers on the firewall. if you are using authentication, then also use the freepbx provided firewall and simply whitelist your trunk providers call control ip address(es) and turn off everything under the responsive firewall tab

Is it possible to restrict 5060 to only certain source IP’s? i.e., I only want SIPSTATION to be able to reach me on 5060, everyone else should be denied. How can i set that up with FreePBX’s firewall?

The FreePBX Firewall will automatically adjust to allow trunk traffic without any config from you. Just enable the firewall, disable responsive firewall, and ensure all your voip protocols under Services are set to “Internal”.