I’ve been using the responsive firewall module for about 3 months now, and more or less it seems to be working as it should. I have 8 home users who sign in intermittently from outside the firewall. Users are using Bria 4.4.0 79956 as the SIP client. The PBX itself sits on our internal network behind a Fortigate firewall, with the appropriate ports forwarded. (Off the top of my head, 5060 for CHAN_SIP, 5061 for PJSIP, 200 incoming ports specified in the SIP configuration for RTP media, and 443 for SSL.) The SIP ALG has been completely disabled on the firewall, and the firewall allows and NATs all outbound traffic from a public IP address that is expressly dedicated to that server and nothing else. STUN correctly detects the public IP address of the PBX. Most users also have a VPN connection into the internal network; however, I would much prefer that all of the SIP traffic not traverse the VPN. These users sometimes need to disconnect and connect to other tunnels while on phone calls, and setting the public IP address of the server allows them to stay connected to the server while changing network configurations. (This has been working this way for several years.)
I had an incident a few weeks ago where a single user got blocked by the Responsive Firewall after rebooting his cable modem, (and likely getting a new IP address) but I just wrote this off as a fluke. That user hasn’t reported any problems since that incident.
Monday, I had a different user report that he was unable to connect, with the same error. I was out of the office, and directed him to use the internal IP address over his VPN connection to connect to the server, and that temporarily resolved the problem. Today, he changed the domain back to the public IP address, and he was able to connect, I am assuming because the Responsive Firewall hadn’t detected him as a hacker. His IP address was listed in the “Registered Endpoints” section in the firewall. However, about an hour later, he reported being unable to connect again. There were no blocked hosts showing, and his address was still showing in the “Registered Endpoints”; however, the status page listed that there were currently 4 blocked hosts. It looked like there was either a display issue, or something wrong with the firewall.
I disabled the firewall and re-enabled it, but he was still listed in “Registered Endpoints” and not showing in the “Blocked Hosts.” SIP debug showed absolutely no traffic coming from his IP address, though, and he was not registered. I restarted the “Intrusion Detection” service under “System Admin” and his IP address was now showing in the blocked hosts tab. (I didn’t think to list the IPTABLES before doing this, although I imagine I would have seen him in the blocked list.)
I grepped his IP address within the /var/log/asterisk folder, and didn’t see anything interesting. The ./fail2ban log showed several successful “ChallengeSent” and “SuccessfulAuth” entries for his IP address, and the ./full log showed successful registrations, but nothing that looked like any reason he may have been blocked.
Both of the affected users are using the system defined CHAN_SIP port/driver to connect, in case that’s important. I’m slowly migrating some users to PJSIP, and our SIP trunk is currently using PJSIP.
What else can I check on my system to find out why the firewall is blocking his address? Might there be something in Bria that would cause the firewall to classify him as an attacker? Are there any settings that I could tweak in order to prevent users from being seen as attackers?
Any help would be greatly appreciated.
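When a remote address ends up blocked and a plain grep for the IP turns up only “ChallengeSent” and “SuccessfulAuth” lines, the next useful step is to tally every security event per remote address and compare the legitimate user against the other hosts the intrusion detection service saw. The script below is an added example written for this thread, not the poster’s code and not part of FreePBX or Asterisk. It parses lines in the shape Asterisk’s res_security_log writes (the log fail2ban reads on a FreePBX box); the sample lines are constructed for the example and trimmed to a handful of fields, and the addresses, account IDs and the failure threshold of 3 are assumptions, not values from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Asterisk's security log. Fields other
# than the ones this script reads were trimmed; addresses are documentation
# ranges and accounts are made up. 203.0.113.45 plays the remote home user,
# 198.51.100.7 a host failing authentication repeatedly, 192.0.2.9 a single
# failed attempt that should not be flagged on its own.
SAMPLE_LOG = """\
[2019-03-11 09:02:10] SECURITY[2231] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/56231"
[2019-03-11 09:02:10] SECURITY[2231] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/56231"
[2019-03-11 09:05:42] SECURITY[2231] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="100",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-03-11 09:05:42] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="100",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-03-11 09:05:43] SECURITY[2231] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="101",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-03-11 09:05:43] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="101",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-03-11 09:05:44] SECURITY[2231] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="102",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-03-11 09:05:44] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="102",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-03-11 09:31:58] SECURITY[2231] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/56231"
[2019-03-11 09:31:58] SECURITY[2231] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/56231"
[2019-03-11 09:40:03] SECURITY[2231] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="1002",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/192.0.2.9/5060"
[2019-03-11 09:40:03] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1002",LocalAddress="IPV4/UDP/10.0.0.10/5060",RemoteAddress="IPV4/UDP/192.0.2.9/5060"
"""

# "[timestamp] SECURITY[pid] source.c: key="value",key="value",..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+: (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# RemoteAddress looks like IPV4/UDP/203.0.113.45/56231 (IPv6 keeps its colons)
ADDR_RE = re.compile(r'^IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(.+)/\d+$')

# Asterisk security event names that indicate a rejected request.
FAILURE_EVENTS = {
    "InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed",
    "FailedACL", "RequestBadFormat", "RequestNotAllowed",
    "RequestNotSupported", "AuthMethodNotAllowed", "UnexpectedAddress",
}


def parse_security_log(text):
    """Turn security log lines into dicts with ts, event, ip and account."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a security event line; skip quietly
        fields = dict(FIELD_RE.findall(m.group("fields")))
        addr = ADDR_RE.match(fields.get("RemoteAddress", ""))
        events.append({
            "ts": m.group("ts"),
            "event": fields.get("SecurityEvent", "?"),
            "ip": addr.group(1) if addr else None,
            "account": fields.get("AccountID", ""),
        })
    return events


def events_for_ip(events, ip):
    """Structured equivalent of grepping the log for one address."""
    return [e for e in events if e["ip"] == ip]


def summarize_by_ip(events):
    """Count each event type per remote address."""
    summary = defaultdict(Counter)
    for e in events:
        if e["ip"]:
            summary[e["ip"]][e["event"]] += 1
    return summary


def flag_suspicious(summary, max_failures=3):
    """Addresses with >= max_failures rejections and no successful auth."""
    flagged = {}
    for ip, counts in summary.items():
        failures = sum(n for ev, n in counts.items() if ev in FAILURE_EVENTS)
        if failures >= max_failures and counts["SuccessfulAuth"] == 0:
            flagged[ip] = failures
    return flagged


if __name__ == "__main__":
    evs = parse_security_log(SAMPLE_LOG)
    for ip, counts in sorted(summarize_by_ip(evs).items()):
        print(ip, dict(counts))
    print("flagged:", flag_suspicious(summarize_by_ip(evs)))
```

Run it against the real file instead of SAMPLE_LOG and look for two things: whether the affected user’s address ever records an event from FAILURE_EVENTS (a Bria re-registration after an address change that carries a stale challenge, for instance, would show up here rather than in the full log), and whether the rejection counts on other addresses line up with the number of blocked hosts the status page reports.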