How to use Cell Phones without Opening SIP port for all IP addresses

Is that documented on a ticket in the Issues area yet, or is it just a hope… Feature requests are free, as far as I know.

Lorne, I read that portion of the Wiki before I posted my comment. There’s a lot of generality there, but almost no detail.

What would help give you a better understanding of how the Adaptive Firewall works, without giving away all of the specifics on how to avoid or defeat the AF?

I’m asking because I’m pretty sure the Adaptive Firewall is conceptually pretty simple. In practice or code? No. In concept, Yes. The AF opens the appropriate port and monitors success and failure for systems connecting. If a system connects, it’s allowed and nothing “managerial” happens. If it fails, a set of heuristics is applied and the offender is either allowed more tries or is blocked for some specified period.

Yeah, it’s pretty generic, but I think it describes my understanding of the process pretty clearly.

Now, the trick is that the number of connections per period is one of the heuristics. If your phone connects, and disconnects, and connects, etc. (edge of coverage area, for example), your phone could be identified as a “bad actor” and get flagged. Once that happens, you won’t be able to connect for a while. We’ve seen that with people on bad local networks, but I think some work was done in that area to make it work a little less “reactively”.
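To make the concept in the two posts above concrete, here is an added toy simulation of the heuristics described (success/failure tracking, a failure threshold, and a connections-per-period threshold). It is not FreePBX’s Adaptive Firewall code; the thresholds, window length, jail time and sample events are all assumptions, constructed to show a password guesser and a flapping phone both ending up jailed.

```python
from collections import defaultdict, deque

# Constructed sample registration events (not real PBX logs): (time_sec, src_ip, outcome)
SAMPLE_EVENTS = sorted(
    [(t, "203.0.113.7", "fail") for t in range(6)]                          # password guessing
    + [(0, "198.51.100.20", "success"), (40, "198.51.100.20", "success")]   # normal phone
    + [(t, "192.0.2.50", "success") for t in range(0, 30, 2)]               # phone flapping at edge of coverage
)

class AdaptiveFirewallSim:
    """Toy model of the heuristics the thread describes; assumed behaviour, not FreePBX code."""

    def __init__(self, max_failures=5, max_connects=10, window=60, jail_time=300):
        self.max_failures = max_failures   # failed attempts tolerated per window (assumed)
        self.max_connects = max_connects   # total connections tolerated per window (assumed)
        self.window = window               # seconds of history examined
        self.jail_time = jail_time         # seconds a flagged source stays blocked
        self.history = defaultdict(deque)  # ip -> deque of (time, outcome) inside the window
        self.jail_until = {}               # ip -> time when the block expires

    def observe(self, now, ip, outcome):
        """Return the decision for one attempt: 'dropped', 'jailed' or 'allowed'."""
        if self.jail_until.get(ip, -1) > now:
            return "dropped"               # still serving its block; traffic never reaches SIP
        hist = self.history[ip]
        hist.append((now, outcome))
        while hist and hist[0][0] < now - self.window:
            hist.popleft()                 # forget attempts that fell outside the window
        failures = sum(1 for _, o in hist if o == "fail")
        # Either heuristic trips the jail: too many failures, or too many connections per period
        if failures >= self.max_failures or len(hist) > self.max_connects:
            self.jail_until[ip] = now + self.jail_time
            hist.clear()
            return "jailed"
        return "allowed"

def replay(events, **kwargs):
    """Run events through the simulator; returns {ip: [decision, ...]} in time order."""
    fw = AdaptiveFirewallSim(**kwargs)
    decisions = defaultdict(list)
    for t, ip, outcome in sorted(events):
        decisions[ip].append(fw.observe(t, ip, outcome))
    return dict(decisions)

if __name__ == "__main__":
    for ip, ds in replay(SAMPLE_EVENTS).items():
        print(ip, ds)
```

Note that the flapping phone (192.0.2.50) never fails a single registration, yet its connection rate alone gets it jailed, which is exactly the "bad actor" misfire the post above warns about.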

I know this has nothing to do with the original post and maybe should be split off into its own post but I also would like to chime in.

I agree with @cynjut regarding a better understanding how it works, but more important to me is to allow us more control over the variables. We can only turn it on or off at this point.


I actually like @cynjut’s response as well. It really puts it in a nutshell why it’s secure. Pretty much the chances of someone getting it right on the first try are 1 in 100 million, meaning if you do, no problem, no ports blocked. If it’s not successful then it gets policed on the first few tries and jailed after a number of failures.

I think this does in fact have a lot to do with cell phones/remote connections because it’s now explaining how I can trust the firewall for opening it to the world and using just the built-in firewall for straight cell phone connection.

Now the question is… my PBX is behind a Sophos UTM Firewall; will a simple port forward work, or do I need to do a full 1-to-1 NAT from a static IP to the PBX using the AF? It said it doesn’t want any other firewalls in its way in the Wiki/setup docs.

I am by no stretch of the imagination an expert on this stuff, but if you want to put a firewall in front of the server, you should put firewall rules in place for your expected incoming traffic.

The adaptive firewall should recognize the source of the log-in attempts, so the jail should still work fine. Try it and see. The worst that can happen is that it doesn’t work reliably, and you’ll know in a few minutes if it’s blocking or not.

This is one of those cases where the experience of doing it out-trumps all of the conjecture in the world. @xrobau is the only person that I think can definitively tell you if one thing or another should or shouldn’t work, and even then he might throw up his hands and say “Go for it and let’s see what happens next.”