DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2850: Firewall issue.

28 Jul 2013 20:49 #77111 by lesd
2850: Firewall issue. was created by lesd
I have an Asterisk based switchboard (PIAF) on my network and have to be careful it does not get broken into.

Unfortunately, I have to have the SIP related ports open as I have one line coming from a specific provider that requires it.

So I have set up some firewall rules to let this provider through and block all other IPs. However, from the PIAF logs I can see that attacks are still getting through but fortunately are being rejected due to the use of strong passwords.

I have been trying to get to the bottom of this and have been getting strange results from various tests. Before blaming the router I would like to go through what I have done in case someone can spot a flaw in my setup.

Sorry for this rather long post, but I think the devil is in the detail so I have to spell out what I think are the relevant details.

The supplier in question is Anveo and they connect to me using one of 5 possible IPs (IP1, IP2, etc)
The ports that need to be open are: 5060 and 10,000 to 20,000.
PIAF runs with a local IP of 10.27.27.245

Basically what I need to do is

- open ports 5060 and 10,000 to 20,000 and forward them to 10.27.27.245
- use the firewall to limit incoming connections to these ports to only IP1, IP2 ... IP5.

My relevant 2850 Settings are:



Open Ports: UDP 5060-5060; UDP 10000-20000; Local computer: 10.27.27.245

IP Objects: (IPs of my service provider)
IP1;
IP2;
...
IP5

IP Group: "Anveo SIP POPs": IP1 - IP5 selected

Service Type Objects: (SIP ports)
"SIP Media": UDP ports 10000-20000;
"SIP Signalling": UDP port 5060-5060

Service Type Group: "SIP": The above two objects selected.

Firewall: To the "Default Data Filter" I have added two further rules

2: "Sip Authorised":
WAN > LAN;
Source IP: "Anveo SIP POPs";
Dest IP: Any
Service Type: "SIP"
Filter: Pass immediately

3: "Sip Other":
WAN > LAN;
Source IP: Any
Dest IP: Any
Service Type: "SIP"
Filter: Block immediately



I believe the above should achieve what I need.

Now we come to the strange results:

I have the Syslog tool running so I can see what is going on.

[Continued in next post as it is too large.....]

Les

28 Jul 2013 20:54 #77112 by lesd
Replied by lesd on topic Re: 2850: Firewall issue.
[.... continued]

Point 1:

As I mentioned, I am seeing in the PIAF logs the occasional 'break-in'. From the time of that event I can see in the syslog (User Access Log) entries like:

Code:
<150>Jul 28 18:39:50 Vigor2850: Open port: 198.15.88.182:5070 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 18:39:57 Vigor2850: Open port: 198.15.88.182:5076 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 18:39:59 Vigor2850: Open port: 198.15.88.182:5071 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 18:40:05 Vigor2850: Open port: 198.15.88.182:5074 -> 10.27.27.245:5060 (UDP)


Checking the firewall log, it is empty at that time. So the firewall seems to be failing.

Point 2:

If I have an incoming call on the sip line in question, then two entries appear in the firewall log, both relating to rule 2:2, showing [Pass] for port 5060 and showing the incoming permitted IP. ([50.22.101.14] is the Anveo primary IP. [xx.80.53.34] is my own public IP.)

Code:
<134>Jul 28 16:24:43 Vigor2850: [FILTER][Pass][WAN->LAN/RT/VPN, 268:25:05 ][@S:R=2:2, 50.22.101.14:5060->10.27.27.245:5060][UDP][HLen=20, TLen=977]
<134>Jul 28 16:24:43 Vigor2850: [FW_Session][Pass][1/60000][@S:R=2:2, 50.22.101.14:5060->xx.80.53.34:5060]


So the firewall appears to be working fine and letting through what it should.

Point 3:

I removed the SIP line provider's IP (the one used for most calls) from the IP group to check that the incoming call would then be blocked.

Indeed, the call was blocked and the firewall log showed the block.

[continued in next post....]

Les

28 Jul 2013 20:59 #77113 by lesd
Replied by lesd on topic Re: 2850: Firewall issue.
[Third and final part...]

(In the example below the sip line source is coming from IP [50.22.101.14]. I do not know the significance of IP [77.72.168.67] whether it is a coincidental break-in attempt or an unpublished IP from the sip line provider. The PIAF log does not show anything at this time)

Code:
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<134>Jul 28 17:29:05 Vigor2850: [FILTER][Block][WAN->LAN/RT/VPN, 269:29:23 ][@S:R=2:3, 77.72.168.67:13164->10.27.27.245:12980][UDP][HLen=20, TLen=200]
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Local User (MAC=08-00-27-A4-39-76): 10.27.27.245:12980 -> 77.72.168.67:13164 (UDP)
<150>Jul 28 17:29:07 Vigor2850: Open port: 50.22.101.14:5060 -> 10.27.27.245:5060 (UDP)
<134>Jul 28 17:29:07 Vigor2850: [FILTER][Block][WAN->LAN/RT/VPN, 269:29:25 ][@S:R=2:3, 50.22.101.14:5060->10.27.27.245:5060][UDP][HLen=20, TLen=977]
<150>Jul 28 17:29:08 Vigor2850: Open port: 50.22.101.14:5060 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 17:29:09 Vigor2850: Open port: 50.22.101.14:5060 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 17:29:10 Vigor2850: Local User (MAC=08-00-27-A4-39-76): 10.27.27.245:12981 -> 77.72.168.67:13165 (UDP)
<150>Jul 28 17:29:11 Vigor2850: Open port: 50.22.101.14:5060 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 17:29:15 Vigor2850: Open port: 50.22.101.14:5060 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 17:29:23 Vigor2850: Open port: 50.22.101.14:5060 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 17:29:39 Vigor2850: Open port: 50.22.101.14:5060 -> 10.27.27.245:5060 (UDP)
<134>Jul 28 17:29:39 Vigor2850: [FILTER][Block][WAN->LAN/RT/VPN, 269:29:57 ][@S:R=2:3, 50.22.101.14:5060->10.27.27.245:5060][UDP][HLen=20, TLen=977]


So now we have this inconsistency between point 1 and point 3. Point 1 shows port 5060 being forwarded from an unauthorised IP and the firewall ignores it, while point 3 shows the firewall doing its job.

Any ideas as to why the firewall is not blocking these rogue connections but is blocking 'genuine' calls that happen to be coming from an unauthorised IP?

Les

29 Jul 2013 19:57 #77126 by lesd
Replied by lesd on topic Re: 2850: Firewall issue.
Problem solved. I slipped up when defining the "SIP Signalling" Service Type Object.

I specified Source Port as 5060 to 5060 and Destination Port as 5060 to 5060.

The Destination Port was correct but the source port should of course have been 1 to 65535. The result was that I was only blocking connections targeting 5060 if they originated from 5060 rather than originating from any port.

Apologies again for the marathon post, but it helped to clarify issues for me at least.

If you have been, thank you for listening.

Les
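The whole thread comes down to how the router matches a Service Type Object against a packet: both the source and the destination port range have to match, and a rule that matches nothing lets the forwarded traffic fall through. The following is an added example, not code from the thread or from DrayTek, that models the poster's rule set (rule 2 "Sip Authorised", rule 3 "Sip Other", first match wins, otherwise the open-port forward lets the packet through) and replays the "Open port:" syslog lines quoted in points 1 and 3 against the misconfigured object (source port 5060-5060) and the corrected one (source port 1-65535). The rule evaluation order, the fall-through default, the assumption that "SIP Media" had a wide source-port range, and the use of only IP1 (50.22.101.14) in the IP group are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Dict

# Parser for the "Open port:" lines the Vigor 2850 writes to the User Access Log.
OPEN_PORT_RE = re.compile(
    r"Open port: (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) \((?P<proto>\w+)\)"
)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class ServiceType:
    """Models a Vigor Service Type Object: protocol plus source AND destination port ranges."""
    name: str
    proto: str
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]


@dataclass(frozen=True)
class Rule:
    name: str
    src_ips: Optional[frozenset]       # None models a Source IP of "Any"
    services: Tuple[ServiceType, ...]  # the Service Type Group
    action: str                        # "Pass" or "Block" (immediately)


def parse_open_port(line: str) -> Optional[Packet]:
    m = OPEN_PORT_RE.search(line)
    if not m:
        return None
    return Packet(m["src_ip"], int(m["src_port"]), m["dst_ip"], int(m["dst_port"]), m["proto"])


def service_matches(svc: ServiceType, pkt: Packet) -> bool:
    # Both port ranges must match; this is exactly where the 5060-5060 source range bites.
    return (pkt.proto == svc.proto
            and svc.src_ports[0] <= pkt.src_port <= svc.src_ports[1]
            and svc.dst_ports[0] <= pkt.dst_port <= svc.dst_ports[1])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_ips is not None and pkt.src_ip not in rule.src_ips:
        return False
    return any(service_matches(s, pkt) for s in rule.services)


def evaluate(rules, pkt: Packet, default: str = "Pass") -> Tuple[str, str]:
    """First matching rule decides; unmatched traffic falls through to the open-port forward (assumed)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# Assumption: only IP1 from the thread is listed; IP2..IP5 are unpublished placeholders there.
ANVEO_POPS = frozenset({"50.22.101.14"})


def build_rules(signalling_src_ports: Tuple[int, int]):
    sip_media = ServiceType("SIP Media", "UDP", (1, 65535), (10000, 20000))  # wide source range assumed
    sip_signalling = ServiceType("SIP Signalling", "UDP", signalling_src_ports, (5060, 5060))
    sip = (sip_media, sip_signalling)
    return [
        Rule("Sip Authorised", ANVEO_POPS, sip, "Pass"),
        Rule("Sip Other", None, sip, "Block"),
    ]


MISCONFIGURED = build_rules((5060, 5060))   # what the poster originally entered
CORRECTED = build_rules((1, 65535))         # the fix from the final post

# Constructed sample, copied from the formats quoted in points 1 and 3 of the thread.
SAMPLE_LOG = """\
<150>Jul 28 18:39:50 Vigor2850: Open port: 198.15.88.182:5070 -> 10.27.27.245:5060 (UDP)
<150>Jul 28 17:29:05 Vigor2850: Open port: 77.72.168.67:13164 -> 10.27.27.245:12980 (UDP)
<150>Jul 28 17:29:07 Vigor2850: Open port: 50.22.101.14:5060 -> 10.27.27.245:5060 (UDP)
"""


def audit(log_text: str, rules) -> Dict[str, Tuple[str, str]]:
    """Replay each Open port line through the rule set; key is source ip:port."""
    results = {}
    for line in log_text.splitlines():
        pkt = parse_open_port(line)
        if pkt is not None:
            results[f"{pkt.src_ip}:{pkt.src_port}"] = evaluate(rules, pkt)
    return results


if __name__ == "__main__":
    for label, rules in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label)
        for key, (action, rule) in audit(SAMPLE_LOG, rules).items():
            print(f"  {key:22} -> {action} ({rule})")
```

With the misconfigured object the packet from 198.15.88.182:5070 matches neither rule, because its source port is not 5060, so it falls through and is forwarded with nothing in the firewall log, which is point 1; the media packet from 77.72.168.67:13164 is blocked by rule 3, which is point 3. With the corrected object the same 5070 packet is blocked by "Sip Other". The practical check this suggests for any similar setup is to confirm the source port range of every Service Type Object used in a block rule covers 1-65535 unless you specifically intend to match on the client's ephemeral port.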
