Topic: Asterisk and Firewall Issue

[SARK devs]

Selintra guys, any idea ?

Our view hasn't changed.  We'd simply use a different carrier. There are lots to choose from and this is the only one we've ever heard of who requires special firewall rules.

Kind Regards

S

 

[edeganay]

ok no problem, I just wantes to get the thing further
(and actually, it works fine...)

Thanks eveybody, I'll keep you in touch

Edd

[arne]

For later refference and for the full story.

I decided to make a test to try to build in string filtering capability to a SME 8 B4, just to have tested it.

It appeared to be much simpler than expected as the SME 8 B4 actually appear to have the string filtering capability built into its kernel (!!!!)
(So the planned kernel modification for the test were not neccessary to do.)

So I just made a minor adjustment to the command line supplied from the sip telephony vendor:

iptables -I INPUT -p udp -m udp --dport 5060 -m string --string "Cirpack KeepAlive Packet" --algo bm --to 65535 --source 123.123.123.123 -j DROP

And then on the 8.0 B4 it looks like it is just working:

[root@sme8b4 ~]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       udp  --  123.123.123.123      anywhere            udp dpt:5060 STRING match "Cirpack KeepAlive Packet" ALGO name bm TO 65535

As it is showed the rule is on the top where it will have the full effect.

Anyhow I think it would not work for the 7.4, and also it is a much bether choice to change telephony vendor than to use firewall hacks like this.

Also tested Asterisk 1.6 on SME 8 B4 using this guide with some minor modifications: https://asterisk.org/downloads/yum

Looks like it is working ok, and that the SME 8 B4 technically can run both the firewall mod, to do string filtering, and the new Asterisk version that might not have a problem with the KeepAllive request (So there actually might not be any need for filtering at all).

.. Just interesting to find out.
 

[arne]

Just for later refference:

I tried to use the template fragment modification method for the SME 8.0 B4 as mentioned in http://wiki.contribs.org/Firewall "Block incomming ip" and I replaced filtering rule based on source ip with a string/data content filtering rule.

This showed that the SME 8.0 Beta were capable of doing such string/data content filtering based on standard template modifications according to existing procedures for the 7.4.

Technically it should then be possible to block harmfull content from open ports and to apply effective rules like: Open port 80 for all traffic, exept for that traffic with unwanted content ..

This blocking of unwanted content should be possible to do for Asterisk and any other server functions.

It should also be possible to apply other rules for stopping mishaped and spoofed packets via this aditional DenyRiffRaff custom fragment.

Technically it should also be possible to design and apply data content filtering rules that is designed from what you find as hacking atempts and unwanted traffic in the log.

Don't know how such content filtering can put extra load on processor or slow down traffic.

The Asterisk filtering issue for the SME 8.0 B4 should be possible to handle like this:

Custom templates
Block incoming packets with unwanted content
I want to block All traffic from some unwanted data content to my server.
Create a custom template and block data content

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "Cirpack KeepAlive Packet" --algo bm --to 65535 --source 123.123.123.123 -j DROP



expand and restart

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart