Which traffic should I allow?

Hi!

I put my FreePBX box in another subnet because one of my VoIP provider (the one I use for T.38) forces me to open ports without having an ACL on them.

This subnet is more restrictive as to what outbound traffic it allows (essentially it’s a DMZ but I preferred not to say it like that as there is confusion as to what a DMZ is…) and I would like to keep it that way.

What kind of outbound traffic should I allow besides the following?

Traffic whose destination is

  • HTTP (TCP port 80)
  • HTTPS (TCP port 443)
  • NTP (UDP port 123)
  • SIP (TCP/UDP port 5060 and apparently 5061 as well)

My guess is that I must add the RTP ports as well but in this case should ports 10000-20000 (UDP IIRC) be the source or the destination?

Thank you very much for your help!

Nick

Pretty well anything that

netstat -paunt

returns needs protection, especially if listening on 0.0.0.0. If you are multihomed, you will also need to take into account your routing.

Generally, RTP traffic associated with open SIP connections should be allowed without further structured rules; it is both necessary and almost always harmless.
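The reply above says to start from what netstat -paunt reports and to pay particular attention to sockets bound to 0.0.0.0. The script below is an added example (not from the thread or from FreePBX) that parses such output and lists only the sockets reachable from every interface. The netstat sample is constructed; the PIDs, addresses and programs in it are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -paunt` output (not captured from a real box).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1034/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1200/httpd
tcp        0      0 192.0.2.10:5060         0.0.0.0:*               LISTEN      1501/asterisk
tcp        0      0 192.0.2.10:22           192.0.2.50:51234        ESTABLISHED 2210/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1200/httpd
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           1501/asterisk
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           1501/asterisk
udp        0      0 127.0.0.1:123           0.0.0.0:*                           900/ntpd'

# exposed_sockets: print "proto port program" for every socket bound to the
# wildcard address (0.0.0.0 or ::), i.e. reachable from any attached network.
# TCP sockets count only in LISTEN state; UDP lines have no State column, so
# every UDP line bound to the wildcard address is reported.
exposed_sockets() {
    printf '%s\n' "$1" | awk '
        /^(tcp|udp)/ {
            proto = $1; laddr = $4; prog = $NF
            n = split(laddr, parts, ":")          # port is after the last ":"
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::") {
                if (proto ~ /^udp/ || $6 == "LISTEN")
                    print proto, port, prog
            }
        }'
}

# Stand-alone run: audit the constructed sample. On a real box, replace the
# sample with: exposed_sockets "$(netstat -paunt)"
exposed_sockets "$NETSTAT_SAMPLE"
```

Every line this prints is a service that a firewall rule must cover, either by restricting the source addresses allowed to reach it (as the later posts do for SIP and SSH) or by rebinding the service to 127.0.0.1 or the LAN-facing address. Sockets already bound to a single address, such as the sample's MySQL on 127.0.0.1, do not appear because they are not reachable from other subnets in the first place.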

Hi!

Inbound traffic is already taken care of, I only allow port 5060 and 5061 (TCP and UDP) from my SIP providers and RTP ports (10000-20000 UDP) are open for everyone for my FreePBX box.

The rest is blocked (no SSH, no Asterisk, no MySQL, etc…).

It’s the outbound traffic I am not sure what I should allow (I want to be as restrictive as possible).

Thank you very much for your help!

Nick

Unless your server or your LAN is compromised and you are routing that traffic through your box then you just don’t need to do that.

If you are concerned otherwise then make sure NTP and DNS traffic is allowed or you will break things; if you want to do any useful network analysis you will also need to allow whois and traceroute traffic.

I would also advise you to change 5060, 5061, 22 and any other “well known” ports to something else for incoming traffic. RTP connections are not a problem apart from possible MITM vectors that can leak your audio. My guess is that approximately 98.79% of successful penetration will happen on those three ports :wink:
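To tie the outbound list from the original question (HTTP, HTTPS, NTP, SIP) together with the DNS reminder above and the RTP question, here is an added example of an egress policy for the PBX subnet written as iptables rules. It is not from the thread or from FreePBX; the addresses are TEST-NET placeholders, the interface name and provider addresses are assumptions, and the rules are written for a Linux firewall in front of the subnet (FORWARD chain). On the PBX itself the same rules would go in OUTPUT instead. The RTP range 10000-20000 is the one the question gives; Asterisk binds its local side of each media stream to that range (rtp.conf), so in an outbound rule it is the source port, while the destination port is chosen by the far end and is not known in advance. T.38 media uses Asterisk's separate UDPTL range (udptl.conf, 4000-4999 by default), which is assumed here.

```shell
#!/bin/sh
# Constructed placeholders (RFC 5737 TEST-NET addresses), not real providers.
PBX_IP="192.0.2.10"                           # the FreePBX box in the restricted subnet
PBX_IF="eth1"                                 # firewall interface facing that subnet (assumed)
SIP_PROVIDERS="198.51.100.5 203.0.113.40"     # SIP trunk signalling addresses (constructed)
DNS_SERVER="192.0.2.1"                        # the firewall-side resolver mentioned in the thread
NTP_SERVER="192.0.2.1"
RTP_RANGE="10000:20000"                       # rtp.conf range from the question (local/source side)
UDPTL_RANGE="4000:4999"                       # Asterisk's default udptl.conf range for T.38 (assumed)

# egress_rules: print the iptables commands for the PBX's outbound policy in
# the order they must be applied. Printing instead of executing lets the set
# be reviewed first; apply as root with:  egress_rules | sh
egress_rules() {
    echo "iptables -N PBX_OUT"
    # Everything the PBX sends through the firewall is judged by PBX_OUT.
    echo "iptables -A FORWARD -i $PBX_IF -s $PBX_IP -j PBX_OUT"
    # Replies to flows that were allowed inbound (e.g. provider -> PBX SIP).
    echo "iptables -A PBX_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS and NTP only to the hosts the PBX is meant to use.
    echo "iptables -A PBX_OUT -p udp -d $DNS_SERVER --dport 53 -j ACCEPT"
    echo "iptables -A PBX_OUT -p tcp -d $DNS_SERVER --dport 53 -j ACCEPT"
    echo "iptables -A PBX_OUT -p udp -d $NTP_SERVER --dport 123 -j ACCEPT"
    # Module updates and provisioning fetches.
    echo "iptables -A PBX_OUT -p tcp -m multiport --dports 80,443 -j ACCEPT"
    # SIP signalling only to the known trunk addresses.
    for p in $SIP_PROVIDERS; do
        echo "iptables -A PBX_OUT -p udp -d $p -m multiport --dports 5060,5061 -j ACCEPT"
        echo "iptables -A PBX_OUT -p tcp -d $p -m multiport --dports 5060,5061 -j ACCEPT"
    done
    # Media: the PBX's own port is the source port; the remote port is unknown,
    # so only the source side is pinned (add -d if the provider publishes ranges).
    echo "iptables -A PBX_OUT -p udp --sport $RTP_RANGE -j ACCEPT"
    echo "iptables -A PBX_OUT -p udp --sport $UDPTL_RANGE -j ACCEPT"
    # Log (rate limited) and drop everything else so surprises show up in syslog.
    echo "iptables -A PBX_OUT -m limit --limit 5/min -j LOG --log-prefix 'PBX_OUT drop: '"
    echo "iptables -A PBX_OUT -j DROP"
}

# Stand-alone run: print the rule set for review.
egress_rules
```

The final LOG/DROP pair is what makes the "as restrictive as possible" goal workable: anything the PBX tries that the list does not cover shows up in syslog with the PBX_OUT prefix, so a missing port is found by reading the log rather than by guessing. The media rule is the weak point of the set, since any process on the PBX can send UDP from a source port inside the range; if the provider does publish its media addresses, adding a -d restriction to those two lines closes most of that gap.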

Hi!

NTP is allowed as I said above, but I had forgotten to say that DNS was as well (actually the firewall proxies the requests and forwards them to a DNS I host).

I was taking care of the outside mail server and our DNSes for many years at work and I don’t want to forget what I learned… (-;

5060, 5061 TCP and UDP have ACLs on them; only my SIP provider or my LAN has access to them.

22 (SSH) is only allowed from my LAN.

My provider doesn’t say which ports they use so I guess I will just permit UDP traffic that comes from the PBX to the Internet without restrictions…

Thank you and have a nice day!

Nick

If you are using a mail server then netstat will show you what you need to allow out, that will depend on how you have it set up.

For anything else, tcpdump will expose all traffic (known and unknown); you will need to examine that and build your iptables to suit. There is no one size fits all here.
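The last reply suggests capturing with tcpdump and building the rules from what is actually seen, which also answers the earlier post's problem of a provider that does not document its ports. The script below is an added example (not from the thread) that summarises outbound tcpdump -nn lines into destination host/port counts, marking flows whose source port falls inside the RTP range 10000-20000 from the question so that media shows up separately from signalling. The capture sample is constructed; the addresses and ports in it are placeholders.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn -i eth1 src host 192.0.2.10` output.
# The addresses are TEST-NET placeholders and the flows are invented.
TCPDUMP_SAMPLE='12:00:01.000000 IP 192.0.2.10.5060 > 198.51.100.5.5060: SIP: REGISTER sip:198.51.100.5 SIP/2.0
12:00:01.100000 IP 192.0.2.10.47120 > 192.0.2.1.53: 12345+ A? sip.example.net. (33)
12:00:02.000000 IP 192.0.2.10.10002 > 198.51.100.77.31412: UDP, length 172
12:00:02.020000 IP 192.0.2.10.10002 > 198.51.100.77.31412: UDP, length 172
12:00:02.040000 IP 192.0.2.10.10002 > 198.51.100.77.31412: UDP, length 172
12:00:03.000000 IP 192.0.2.10.38822 > 203.0.113.9.443: Flags [S], seq 1, win 64240, length 0
12:00:04.000000 IP 192.0.2.10.4002 > 198.51.100.77.4108: UDP, length 60
12:00:05.000000 IP 192.0.2.10.55001 > 192.0.2.1.123: NTPv4, Client, length 48'

# outbound_summary: read tcpdump lines and print "count kind dst-host dst-port",
# most frequent first. kind is "rtp-src" when the PBX-side (source) port is
# inside the RTP range, otherwise "dst" (signalling, DNS, NTP, HTTPS, ...).
# tcpdump -nn writes "host.port" for both ends, so the port is the last
# dot-separated field and the host is everything before it.
outbound_summary() {
    printf '%s\n' "$1" | awk -v lo=10000 -v hi=20000 '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            n = split(src, s, "."); sport = s[n]
            n = split(dst, d, "."); dport = d[n]
            dhost = substr(dst, 1, length(dst) - length(dport) - 1)
            kind = (sport + 0 >= lo && sport + 0 <= hi) ? "rtp-src" : "dst"
            count[kind " " dhost " " dport]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone run: summarise the constructed capture. On a real firewall,
# feed a capture file instead:  outbound_summary "$(tcpdump -nn -r pbx.pcap)"
outbound_summary "$TCPDUMP_SAMPLE"
```

Each "dst" line is a candidate for an explicit allow rule (the sample yields SIP to the provider, DNS and NTP to the firewall, and one HTTPS connection), while the "rtp-src" lines show which remote addresses and ports the provider actually uses for media; a capture spanning a few real calls gives the address set needed to narrow the otherwise open RTP rule. Unexpected destinations in the list are exactly the flows worth questioning before the default-drop rule goes in. The flow from source port 4002 is T.38 UDPTL in the sample and appears under "dst" because it is outside the RTP range; extend the range check if you want it grouped with media.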