How to use Cell Phones without Opening SIP port for all IP addresses

I use the OpenVPN server built in to the distro, and I have also used the OpenVPN server built into pfSense (open source router platform); then just place the OpenVPN client on the cell phone. Connect to the VPN, then to your FreePBX server via Bria, Zoiper, or your choice of soft phone. Works awesome and totally secure.

The new FreePBX firewall and responsive firewall are big game changers. Incredibly secure and does all the heavy lifting for you. It's a big reason why I am investing time in FreePBX.

Using a sip app from a roaming mobile phone is a trivial issue. I register mine to a border controller and then to a FreePBX installation from there.

Since you are running local you could probably pick up a small Sangoma SBC and work out all your issues. :wink:

I want to stay away from VPNs as often they are too complex to understand for some execs that “just want it to work”.

As for the SBC, I do have one but the config looked very complex. Lol

I guess I will have to give in and do the responsive firewall. :slight_smile:

Hi!

Everything is possible… If someone found a vulnerability in one of the services on your PBX he could later try to hack the rest of your network from there especially if it is on your LAN…

Many people don’t expect an attack to come from the inside and don’t protect the servers/devices on their LAN well enough…

My PBX is in another segment (ie not the LAN) for that reason. It doesn’t allow all traffic by default (essentially what enterprise grade routers/firewalls call a DMZ which is different from what a home router/firewall calls a DMZ) so I have to open ports for each protocol I want to allow inbound traffic from or outbound traffic to and put the appropriate ACLs…

With one (or multiple) quad ports NICs on a dedicated firewall running something like pfSense (which is what I use), it becomes pretty easy to decide to put servers/devices which are more exposed to the Internet in a different network segment…

As for opening holes in your firewall, I don’t use this for SIP but my mobile phone updates an entry on a dynamic DNS site and I use this entry in the ACLs of my firewall… Once in a while the firewall verifies if my IP changes and changes its rules accordingly… Many routers and mobile apps can do this…

Good luck and have a nice day!

Nick

Yes, I did deploy a few on VLANs, but it’s not feasible for all clients. We use Sophos firewalls, so with no UPnP we have to allow traffic both ways, not just inbound.

That DDNS trick is neat. Never thought of that.

I know there are 100 ways to set up access. I am more or less looking for best practice, and with Tony’s response I guess I will try the built-in firewall. I am just wondering if it’s better using eth0 for WAN directly connected to the modem and eth1 on a VLAN for the internal network, or keeping it behind a 2nd IPS/firewall.

If that’s the route you would like to go, I would suggest you select an obscure port for SIP, and only open up SIP to the world (if you must offer the UCP as well, I would suggest you select an obscure port for that also).

Selecting an obscure port will keep you away from most bots looking for PBX systems on 5060, but there are still some that attempt to scan your system's ports for vulnerabilities they can exploit.

That was actually going to be my first suggestion. If you can get the phone to register with DDNS, you can use the DDNS hostname as your IP and add that to your “safe” list.

Be warned that this makes your PBX’s correct operation reliant on your DNS working flawlessly, so if you have any sketchiness built into your system, make sure it isn’t DNS that’s not working 100%.

This would only be for cell phones, so DDNS would work. I will try that and the PBX firewall and see how well it works. My security guys just got me going about how PBX hacking is the next big thing. So it's got me scared about allowing all these connections in.

Hi!

Please keep in mind that your cell phones might change IPs during the day and that the change of rules on your firewall won’t be instantaneous…

In my case I use pfSense and it tries to re-resolve the FQDNs used in aliases (this is how I do it) each 300 seconds by default…

You can lower it but it puts more burden on your DNS…

See: Firewall — Aliases | pfSense Documentation

Of course your firewall might have different delays and no possibility to tune them…

Good luck and have a nice day!

Nick
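The delay Nick describes, modelled as an added example (not code from the thread or from pfSense): an allow-list keyed by DDNS hostnames that is only re-resolved every `interval` seconds, with a constructed scenario showing how long a phone stays blocked after it changes IP. The resolver is injected so it runs offline; the hostname and addresses are made up.

```python
from dataclasses import dataclass, field


@dataclass
class DdnsAllowList:
    """Allow-list keyed by DDNS hostnames that is only re-resolved every
    `interval` seconds (300 s is the pfSense alias default cited above).
    Between refreshes the rules keep the last IP seen, so a phone that
    changed address stays blocked until the next re-resolve."""
    hostnames: list
    interval: int = 300
    last_refresh: float = None
    allowed: dict = field(default_factory=dict)  # hostname -> IP in rules

    def refresh(self, resolve, now):
        """Re-resolve if the interval has elapsed; `resolve(host)` is a
        caller-supplied lookup so this runs offline. Returns rule changes."""
        if self.last_refresh is not None and now - self.last_refresh < self.interval:
            return []
        changes = []
        for host in self.hostnames:
            new_ip, old_ip = resolve(host), self.allowed.get(host)
            if new_ip != old_ip:
                changes.append((host, old_ip, new_ip))
                self.allowed[host] = new_ip
        self.last_refresh = now
        return changes

    def permits(self, src_ip):
        return src_ip in self.allowed.values()


def stale_window(interval=300, change_at=100):
    """Constructed scenario: one phone (documentation-range addresses) moves
    to a new IP at `change_at`; the firewall is polled once per second.
    Returns how many seconds the phone's traffic was refused."""
    current = {"ip": "198.51.100.10"}

    def resolve(host):            # stands in for a real DNS query
        return current["ip"]

    acl = DdnsAllowList(["phone1.example.net"], interval=interval)
    blocked = 0
    for t in range(2 * interval):
        if t == change_at:
            current["ip"] = "203.0.113.7"
        acl.refresh(resolve, t)
        if not acl.permits(current["ip"]):
            blocked += 1
    return blocked
```

With the 300 s default the phone is refused for 200 s after moving at t=100; shortening the interval shrinks that window at the cost of more DNS queries, as Nick notes.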

I have switched from SIP-based softphones on my cell phones to Zoiper. I use the Zoiper IAX protocol. IAX has a few HUGE advantages: #1 it works with NAT with no issues at all; the same cannot be said for SIP. #2 you only need to open one port on your firewall and point it at your PBX. #3 being a far less used protocol, it is not one of the main things hackers go after.

This is an interesting way of looking at it. I will actually try that tonight.

I’m opposed to opening ports to all traffic. It is just too risky.

Your options are:

  1. OpenVPN - I use this and it works great. The Distro includes OpenVPN. You just have to generate the keys and put the configuration files in the correct place and start the server. OpenVPN has apps for both Android and iOS.

  2. Port knocking. Google it. Ward Mundy (of PBX In A Flash) has some scripts available that allow you to implement port knocking easily. He calls them “Travellin’ Man.”

  3. Register your external devices with an ITSP rather than with your PBX. This is really the easiest way. For example, you could set up a trunk with Callcentric, and then set up each of your external VoIP phones to register as extensions with Callcentric.

I read Tony’s suggestion of using responsive firewall. But, without more details as to how it works (and what its limitations might be), I cannot recommend it.

VPN works, DDNS client + port forwarding works; I have tried them, but in reality it’s not really practical to implement.
With a couple of users it’s fine, but if you have 50+ it’s really a pain to set up. Managing FQDNs and VPN for all of your users, teaching them how to set them up on their cell phones or doing it for them: we decided that was too much.

It’s my hope that Sangoma will sooner or later add mobile integration to Zulu with mobile soft phone clients, one-click setup simplicity, conferencing and WebRTC apps (+screen sharing), etc, something like 3CX has.

In the meantime you can run a trunk from your FPBX machine to a PBX in the cloud where you have your mobile soft clients run off of a 3CX installation. You don’t need to worry about VPN and FQDN then.
It works and here is how it’s done:
http://nerdvittles.com/?p=21498

http://wiki.freepbx.org/display/FPG/Responsive+Firewall

Is that documented on a ticket in the Issues area yet, or is it just a hope… Feature requests are free, as far as I know.

Lorne, I read that portion of the Wiki before I posted my comment. There’s a lot of generality there, but almost no detail.

What would help give you a better understanding of how the Adaptive Firewall works, without giving away all of the specifics on how to avoid or defeat the AF?

I’m asking because I’m pretty sure the Adaptive Firewall is conceptually pretty simple. In practice or code? No. In concept, Yes. The AF opens the appropriate port and monitors success and failure for systems connecting. If a system connects, it’s allowed and nothing “managerial” happens. If it fails, a set of heuristics is applied and the offender is either allowed more tries or is blocked for some specified period.

Yeah, it’s pretty generic, but I think it describes my understanding of the process pretty clearly.

Now, the trick is that the number of connections per period is one of the heuristics. If your phone connects, and disconnects, and connects, etc. (edge of coverage area, for example), your phone could be identified as a “bad actor” and get flagged. Once that happens, you won’t be able to connect for a while. We’ve seen that with people on bad local networks, but I think some work was done in that area to make it work a little less “reactively”.
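The concept cynjut lays out, as an added example that is not FreePBX's Responsive/Adaptive Firewall code: successes pass, failures within a period are counted and jailed past a threshold, and the per-period attempt count is a second heuristic, which is what trips the flapping phone he mentions. The thresholds and addresses are assumed values.

```python
from collections import defaultdict, deque


class AdaptiveFirewallModel:
    """Toy model of the behaviour described above (not FreePBX's code): a success
    passes, failures per period are jailed past a threshold, too many attempts per
    period also jails (the re-registering phone case)."""

    def __init__(self, max_failures=3, max_attempts=10, period=60, jail_time=600):
        self.max_failures = max_failures  # assumed thresholds, not FreePBX's
        self.max_attempts = max_attempts
        self.period = period
        self.jail_time = jail_time
        self.attempts = defaultdict(deque)  # ip -> timestamps of all attempts
        self.failures = defaultdict(deque)  # ip -> timestamps of failures
        self.jailed_until = {}              # ip -> release time

    def _prune(self, q, now):
        while q and now - q[0] > self.period:
            q.popleft()

    def attempt(self, ip, now, success):
        """One registration attempt -> 'jailed', 'allowed' or 'watch' (more tries)."""
        if self.jailed_until.get(ip, -1) > now:
            return "jailed"
        self.attempts[ip].append(now)
        if not success:
            self.failures[ip].append(now)
        self._prune(self.attempts[ip], now)
        self._prune(self.failures[ip], now)
        if (len(self.failures[ip]) >= self.max_failures
                or len(self.attempts[ip]) >= self.max_attempts):
            self.jailed_until[ip] = now + self.jail_time
            return "jailed"
        return "allowed" if success else "watch"


def brute_force_demo():
    """Constructed: three bad passwords, a retry while jailed, a good one after."""
    fw = AdaptiveFirewallModel()
    r = [fw.attempt("203.0.113.9", t, success=False) for t in (0, 1, 2)]
    r.append(fw.attempt("203.0.113.9", 3, success=True))
    r.append(fw.attempt("203.0.113.9", 3 + 600, success=True))
    return r


def flapping_phone_demo():
    """Constructed edge case: a phone at the edge of coverage re-registering
    successfully every 5 s. Returns the attempt number that got it jailed."""
    fw = AdaptiveFirewallModel()
    for n in range(1, 21):
        if fw.attempt("198.51.100.4", (n - 1) * 5, success=True) == "jailed":
            return n
```

The second demo is the failure mode in the post: a phone that never fails a password still gets jailed on its tenth registration inside one period.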

I know this has nothing to do with the original post and maybe should be split off into its own post but I also would like to chime in.

I agree with @cynjut regarding a better understanding of how it works, but more important to me is to allow us more control over the variables. We can only turn it on or off at this point.

I actually like @cynjut’s response as well. It really puts it in a nutshell why it's secure. Pretty much the chances of someone getting it right on the first try are 1 in 100 million, meaning if you do, no problem, no ports blocked. If it's not successful then it gets policed on the first few tries and jailed after a number of failures.

I think this does in fact have a lot to do with cell phones/remote connections because it’s now explaining how I can trust the firewall for opening it to the world and using just the built-in firewall for straight cell phone connection.

Now the question is… my PBX is behind a Sophos UTM firewall; will a simple port forward work, or do I need to do a full 1-to-1 NAT from a static IP to the PBX using the AF? It said it doesn’t want any other firewalls in its way in the Wiki/setup docs.

I am by no stretch of the imagination an expert on this stuff, but if you want to put a firewall in front of the server, you should put firewall rules in place for your expected incoming traffic.

The adaptive firewall should recognize the source of the log-in attempts, so the jail should still work fine. Try it and see. The worst that can happen is that it doesn’t work reliably, and you’ll know in a few minutes if it’s blocking or not.

This is one of those cases where the experience of doing it out-trumps all of the conjecture in the world. @xrobau is the only person that I think can definitively tell you if one thing or another should or shouldn’t work, and even then he might throw up his hands and say “Go for it and let’s see what happens next.”