  1. #1
    Newbie
    Join Date
    Mar 2021
    Posts
    4

    SIP Trunk Being Blocked, can't create rule with FQDN

    Not new to Untangle or Untangle Forums (created a new username for our company after becoming an Untangle partner this year) but it's been a while since we have been on here.

    We use VoIP via PBXact and FreePBX on-premise PBXs at our shop and at a lot of our clients. We specifically use SipStation as our VoIP SIP Trunk provider for all of these PBXs.

    SipStation has us open/forward port 5061 to the LAN static IP of our PBX. Obviously leaving port 5060/5061 wide open is a security issue, and they suggest restricting the source to their FQDNs (trunk1.freepbx.com and trunk2.freepbx.com). They do not provide source IPs because, they said, the IPs change sometimes.

    https://wiki.freepbx.org/display/ST/...tationservice?

    We are trying to implement this in NG Firewall on our test box before rolling NG Firewall out to our clients, as we like to test everything in a real-world environment before rolling out so we don't have any issues onsite at clients.

    When checking Threat Prevention Reports for Non-Web based Events filtered for port 5061, we see it properly blocked 3 attempts from overseas (UK and China). But we also see it's blocked traffic from our SIP Trunk provider's IPs multiple times as well.

    The problem: when I go to Threat Prevention > Rules and try creating a Pass rule for port 5061 with Source Address, it will NOT allow us to enter an FQDN as directed by our SIP Trunk provider, only an IP, which for the reasons stated above we cannot use.

    How do we restrict incoming port 5061 traffic to the FQDN only so all the other hack attempts are still blocked?

    Any direction or who I can speak to about this would be excellent.
    Last edited by defcomllc; 04-05-2021 at 08:29 AM.

  2. #2
    Untangle Ninja
    Join Date
    May 2008
    Posts
    1,492


    Click help on the lower right of this page?

  3. #3
    Newbie
    Join Date
    Mar 2021
    Posts
    4


    I did that... not getting anything on passing an FQDN in Threat Prevention. Coming up that you can only use IPs in Rules. So not sure if there is another way to pass their FQDN.

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,808


    Use policy manager...

    Push critical services into policies that don't have apps that do stupid things to servers like Threat Prevention.

    It's VoIP, you should have bypassed it at least long ago... two bypass rules, one source address VoIP server, a 2nd destination address VoIP server.

    VoIP + Layer 7 inspection = jitter at a bad time, and it will cause a call to go wonky, probably your CEO, and probably during a really important call. SIP is bypassed by default for a reason...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Newbie
    Join Date
    Mar 2021
    Posts
    4


    Thanks for the reply.

    So I do have Bypass Rules in Network Config > Bypass Rules for all my port forwards and source addresses (when the provider gives me one). My VoIP system is working great, I have no call issues; I just saw some of my SIP Trunk traffic being blocked by Threat Prevention, which is why I brought this up...

    Your suggestion to create bypass rules for Source Address to VoIP Server is the exact issue I started this thread for... It only allows me to input a Source Address IP, not a Source Address FQDN, which is what my SIP Trunk provider requires, per their Wiki here:

    https://wiki.freepbx.org/display/ST/...tationservice?

    That is exactly what I'm trying to do, but unfortunately it won't let me enter an FQDN.

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,808


    And you won't get to... because resolving a DNS name in a firewall rule is a very old, proven-to-be patently dumb thing to do. And if you've ever worked with a security device that allows it, they're being really... REALLY stupid. There is plenty online to read as to why; I won't go into it here.

    If you have a PBX onsite, however, the game changes, because you simply bypass stuff going into and out of IT, because that's "static" and you're fine. If you have VoIP phones using a cloud PBX that has a moving IP address, you put them into a VLAN, and you bypass everything into and out of that VLAN.

    There are ways to do this stuff sanely via IP address, there is no need to add the security and performance nightmare associated with DNS resolution in firewall rules.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
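    Added example (not from this thread, Untangle or SipStation): the IP-only approach described above, handled out of band. The provider FQDNs are resolved on a schedule, diffed against the cached allowlist that feeds the bypass/pass rules, and blocked SIP-port events are checked for provider sources so a changed address is caught before it is mistaken for an attack. The resolver, the event fields and all addresses are assumptions or constructed data.

```python
"""Out-of-band resolution of SIP trunk FQDNs into an IP-only allowlist.

Firewall rules take IPs only, so resolve the provider names on a schedule,
keep the result as the bypass/pass source list, and alert on changes. The
host names are the two from the provider wiki; the rest is constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

TRUNK_FQDNS = ["trunk1.freepbx.com", "trunk2.freepbx.com"]
SIP_PORTS = {5060, 5061, 5160}  # signalling ports named in the thread; RTP 10000-20000 cannot be locked


def resolve_dns(fqdn: str) -> Set[str]:
    """Real IPv4 resolver; only used when run as a script (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)}


def refresh_allowlist(fqdns: Iterable[str], cached: Set[str],
                      resolve: Callable[[str], Set[str]]) -> Dict[str, Set[str]]:
    """Resolve every FQDN and report what changed versus the cached allowlist."""
    current: Set[str] = set()
    for name in fqdns:
        for ip in resolve(name):
            ipaddress.ip_address(ip)  # raises on anything that is not a literal IP
            current.add(ip)
    return {"allow": current, "added": current - cached, "removed": cached - current}


def triage_blocks(events: Iterable[dict], allow: Set[str]) -> Dict[str, List[str]]:
    """Split blocked SIP-port events into provider sources (rule missing) and the rest."""
    out: Dict[str, List[str]] = {"provider": [], "other": []}
    for ev in events:
        if ev["dst_port"] in SIP_PORTS:
            out["provider" if ev["src"] in allow else "other"].append(ev["src"])
    return out


# Constructed sample data: last run's cache, a fake resolver, and block-report rows.
CACHED = {"192.0.2.10", "192.0.2.11"}
FAKE_DNS = {"trunk1.freepbx.com": {"192.0.2.10"}, "trunk2.freepbx.com": {"192.0.2.12"}}
BLOCKED = [
    {"src": "192.0.2.12", "dst_port": 5061},    # provider moved to a new IP: false positive
    {"src": "198.51.100.7", "dst_port": 5061},  # unknown scanner: keep blocked
    {"src": "203.0.113.9", "dst_port": 443},    # not a SIP port: ignored
]

if __name__ == "__main__":
    result = refresh_allowlist(TRUNK_FQDNS, CACHED, resolve_dns)
    for key in ("allow", "added", "removed"):
        print(f"{key}: {sorted(result[key])}")
```

Run it from cron and push any non-empty "added"/"removed" result into a ticket before touching the rule, so the allowlist only changes after a human has looked at it.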

  7. #7
    Newbie
    Join Date
    Mar 2021
    Posts
    4


    No, I haven't ever needed to pass a source address as an FQDN. SipStation says to do it that way, but I've been using them for a long time now without any issues, just passing all traffic for ChanSIP and PJSIP bind ports with the onsite PBX. The PBX and phones are in a VLAN. They work fine and so do remote phones. I just recently switched to using Untangle for a bunch of clients vs. Ubiquiti Security Gateways before. The PBX and all the local and remote physical phones and mobile softphones have been working great.

    I just noticed today that some traffic was being blocked from SipStation to the PBX while other hacking attempts from China and other overseas countries were also blocked. The PBX is also running a Responsive Firewall that blocks malicious traffic at the PBX as well, so I'm not too concerned. I'll just pass it all and forget about it. It was weird when SipStation's Wiki said to pass traffic from their FQDN to port 5061 instead of an IP...


    "What network ports do I need to forward to my PBX in order to use my SIPStation service?

    We recommend forwarding ports UDP/5060 and UDP/10000-20000 for standard FreePBX/Asterisk-based installs. If using newer versions of FreePBX, port 5160 is the default port for ChanSIP so that may be the port you need to forward. Check Asterisk SIP Settings for the bind port of ChanSIP. It may be possible to get your service working without port forwarding, but optimal service will be obtained with the above mentioned ports. You can lock down port UDP/5060 or UDP/5160 depending on bind port of ChanSIP to the trunk1.freepbx.com and trunk2.freepbx.com FQDNs for additional security, but please note, we do from time to time change the IP addresses associated with these FQDNs. Therefore it is best to use the FQDN and not an IP Address. You cannot lock down UDP/10000-20000 to any specific IP address, since the media of a phone call can come from hundreds of different IP addresses."
