Date:      Tue, 24 May 2016 19:24:18 +1000
From:      Graham Menhennitt <graham@menhennitt.com.au>
To:        freebsd-ipfw@freebsd.org
Subject:   SIP registrations getting through firewall
Message-ID:  <c7ff2c2a-d25e-5c83-5aff-c491e1d2ab9b@menhennitt.com.au>

Hello IPFW list,

I'm running IPFW on FreeBSD 10-Stable. I thought I'd blocked any bad
things coming in from the outside world. However, I'm seeing SIP
registration attempts logged by Asterisk and I don't understand how
they're getting through. A sample log message is:
    chan_sip.c: Registration from '"1201"
<sip:1201@xxx.xxx.xxx.xxx:5060>' failed for '5.56.133.46:5061' - Wrong
password
(where the 'x's are my external IP address). SIP registrations should
only come from the phones on my internal network.

Could somebody please explain why this is getting through and what I
should do to prevent it? One thing I will do is only have Asterisk bind
to my internal NICs. But I'd like to know what the problem with the
firewall is too.

Below are my IPFW rules. The VPN and IPv6 connections are not up.

Thanks in advance for any assistance,
    Graham



# IPFW ruleset as posted (FreeBSD 10-STABLE). Rules are evaluated top to
# bottom and the first matching rule decides. The upper-case tokens
# (LAN_NET, WIFI_NET, OUTSIDE_IF, LAN_IF, VPN_IF, WIFI_IF, IPV6_IF, PS4_ADDR)
# are not ipfw keywords; presumably the script that loads this file
# substitutes them -- confirm against the loader.
#
# NOTE(review): the "add nat 1 ip4 from any to any via OUTSIDE_IF" rule below
# precedes every deny rule that applies to OUTSIDE_IF traffic. ipfw(8)
# documents that with the sysctl net.inet.ip.fw.one_pass at its default of 1
# a packet that matches a nat rule is accepted immediately after translation
# and the remaining rules are not consulted. If that default is in effect on
# this host, the "deny udp ... in via OUTSIDE_IF" and "deny tcp ... in via
# OUTSIDE_IF setup" rules near the end never see packets arriving on the
# outside interface, which would explain inbound SIP reaching Asterisk.
# Mitigation: set net.inet.ip.fw.one_pass=0, or place the inbound denies for
# OUTSIDE_IF ahead of the nat rule. Rules ahead of the nat rule match the
# packet before translation, so the allow rules above it should be unaffected.

# stop spoofing
# Packets arriving on the outside interface with an internal source address
# are dropped (anti-spoofing). Matches only the inbound direction.
add deny all from LAN_NET to any in via OUTSIDE_IF
add deny all from WIFI_NET to any in via OUTSIDE_IF

# allow anything on the LAN
# Unconditional pass for both directions on LAN_IF; no further rule applies
# to traffic that traverses that interface.
add allow all from any to any via LAN_IF

# and from the VPN
# Same unconditional pass for VPN_IF (the message says the VPN is not up).
add allow all from any to any via VPN_IF

# allow anything from the wireless network to the outside world (but not
to the LAN)
# Passes everything on WIFI_IF whose destination is outside LAN_NET.
# (The comment above is wrapped across two lines in the posting; the second
# line has no leading "#", so a literal copy would not load -- presumably a
# mail-client line wrap, confirm against the file on disk.)
add allow ip from any to not LAN_NET via WIFI_IF

# create a table of addresses to block
# Table 1: IPv4 source prefixes that should never arrive from the Internet.
table 1 flush
# add RFC1918 nets
table 1 add 10.0.0.0/8
table 1 add 172.16.0.0/12
table 1 add 192.168.0.0/16
# and draft-manning-dsua-03.txt nets
table 1 add 0.0.0.0/8
table 1 add 169.254.0.0/16
table 1 add 192.0.2.0/24
table 1 add 224.0.0.0/4
table 1 add 240.0.0.0/4
# stop entries in the table coming in on the outside interface
# "in recv OUTSIDE_IF": inbound packets received on the outside interface
# whose source is in table 1.
add deny all from table(1) to any in recv OUTSIDE_IF

# similarly for IPv6
# Table 2: IPv6 prefixes blocked in both directions on IPV6_IF (not up per
# the message).
table 2 flush
# Stop unique local unicast address on the outside interface
table 2 add fc00::/7
# Stop site-local on the outside interface
table 2 add fec0::/10
# Disallow "internal" addresses to appear on the wire.
table 2 add ::ffff:0.0.0.0/96
# Disallow packets to malicious IPv4 compatible prefix.
#table 2 add ::224.0.0.0/100 gives error "Use IPv4 instead of v4-compatible"
#table 2 add ::127.0.0.0/104 ditto
table 2 add ::0.0.0.0/104
#table 2 add ::255.0.0.0/104 ditto
#
table 2 add ::0.0.0.0/96
# Disallow packets to malicious 6to4 prefix.
table 2 add 2002:e000::/20
table 2 add 2002:7f00::/24
table 2 add 2002:0000::/24
table 2 add 2002:ff00::/24
#
table 2 add 2002:0a00::/24
table 2 add 2002:ac10::/28
table 2 add 2002:c0a8::/32
#
table 2 add ff05::/16
# block these addresses both incoming and outgoing
add deny all from table(2) to any via IPV6_IF
add deny all from any to table(2) via IPV6_IF

# block sshguard entries
# Table 22 is filled by sshguard (per the comment); sources in it get a
# reset rather than a silent drop. Note this applies to every IP protocol,
# not only TCP.
add reset ip from table(22) to me

# allow setup of incoming SSH, IMAPS, and OpenVPN
# "setup" matches TCP packets opening a connection; these are permitted from
# any source to the host's own addresses (me / me6) on the named services.
# OpenVPN over UDP is permitted from any source with no state kept.
add allow tcp from any to me ssh setup
add allow tcp from any to me6 ssh setup
add allow tcp from any to me imaps setup
add allow tcp from any to me6 imaps setup
add allow tcp from any to me openvpn setup
add allow tcp from any to me6 openvpn setup
add allow udp from any to me openvpn

# allow IPP, IMAPS, and SMTP from wireless
# Connection setup from WIFI_IF towards the printer (on LAN_NET) and towards
# this host's ipp/smtp/imaps services. Protocol is "ip" but "setup" only
# matches TCP SYNs, so in effect these are TCP-only -- confirm intent.
add allow ip from any to LAN_NET dst-port printer setup via WIFI_IF
add allow ip from any to me dst-port ipp setup via WIFI_IF
add allow ip from any to me dst-port smtp setup via WIFI_IF
add allow ip from any to me dst-port imaps setup via WIFI_IF

# allow some ICMP types but nothing else
# Types 0 (echo reply), 3 (destination unreachable), 8 (echo request) and
# 11 (time exceeded) pass; every other ICMP type is dropped here.
add allow icmp from any to any icmptypes 0,3,8,11
add deny icmp from any to any

#add allow ipv6 from any to any

# NAT
# redirect ports to PS4
# Instance 1 masquerades on OUTSIDE_IF (same_ports: keep source ports where
# possible) and forwards the listed TCP/UDP ports to PS4_ADDR.
# The "nat 1 config ..." command is one line; it appears wrapped over four
# lines in the posting (presumably mail-client wrapping).
nat 1 config if OUTSIDE_IF same_ports redirect_port tcp PS4_ADDR:1935
1935 redirect_port tcp PS4_ADDR:3478 3478 redirect_port tcp
PS4_ADDR:3479 3479 redirect_port tcp PS4_ADDR:3480 3480 redirect_port
udp PS4_ADDR:3478 3478 redirect_port udp PS4_ADDR:3479 3479
# Applies NAT instance 1 to all IPv4 traffic in both directions on OUTSIDE_IF.
# NOTE(review): see the one_pass remark at the top of this file -- with
# one_pass=1 every packet matching this rule is accepted here and none of the
# rules below is evaluated for OUTSIDE_IF traffic, inbound or outbound.
add nat 1 ip4 from any to any via OUTSIDE_IF

# and block the above table again outbound
# Outbound packets on OUTSIDE_IF with a table-1 source (e.g. leaked private
# addresses) are dropped. Only reached if the nat rule above does not
# terminate the search.
add deny all from table(1) to any out xmit OUTSIDE_IF

# allow TCP through if setup succeeded
# "established" is a flag check (ACK or RST set), not connection tracking;
# any TCP segment with those flags passes regardless of prior setup.
add pass tcp from any to any established

# allow IP fragments to pass through
# "frag" matches non-first fragments (the ones without a transport header).
# They pass before the UDP/TCP denies below; the first fragment, which
# carries the ports, is still subject to those rules.
add pass all from any to any frag

# allow TCP ports needed for PS4
# Inbound setup on OUTSIDE_IF to the redirect_port targets configured above.
# Only reached if the nat rule does not terminate the search (see top).
add allow tcp from any to PS4_ADDR 1935 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3478 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3479 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3480 in via OUTSIDE_IF setup
add allow udp from any to PS4_ADDR 3478 in via OUTSIDE_IF
add allow udp from any to PS4_ADDR 3479 in via OUTSIDE_IF

# allow DNS & NTP queries out to the world (and their replies back in)
# keep-state creates a dynamic rule for each outbound query so the reply is
# matched here. There is no explicit check-state rule; the dynamic rules are
# consulted when this first keep-state rule is reached, so inbound replies
# must get this far down the ruleset to be matched -- see the one_pass remark.
add allow udp from me to any 53 keep-state
add allow udp from me to any 123 keep-state
# but no other UDP in from outside
# This is the rule meant to stop unsolicited inbound UDP (including SIP on
# 5060). It is positioned after the nat rule; see the one_pass remark at the
# top for why it may never be evaluated.
add deny udp from any to any in via OUTSIDE_IF
# and allow any other UDP
add allow udp from any to any

# reject all setup of incoming connections from the outside
# Same positioning caveat as the UDP deny above.
add deny tcp from any to any in via OUTSIDE_IF setup

# reject all setup of incoming connections from the IPV6 tunnel
# Uses the literal interface name gif0 rather than the IPV6_IF token used
# elsewhere; harmless if they are the same interface -- confirm.
add deny tcp from any to any in via gif0 setup

# reject all setup of incoming connections from the wireless
add deny tcp from any to any in via WIFI_IF setup

# allow setup of any other TCP connection
# Remaining TCP setups (e.g. outbound from this host) are permitted.
add pass tcp from any to any setup

# Everything else is denied by default, unless the
IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel config file.
# (The comment above is wrapped; its second line has no leading "#", so a
# literal copy of this posting would not load -- presumably a mail wrap.)


