A Broadband and ADSL forum. BroadbanterBanter


uk.telecom.voip (UK VOIP) (uk.telecom.voip) Discussion of topics relevant to packet based voice technologies including Voice over IP (VoIP), Fax over IP (FoIP), Voice over Frame Relay (VoFR), Voice over Broadband (VoB) and Voice on the Net (VoN) as well as service providers, hardware and software for use with these technologies. Advertising is not allowed.

Firewall question



 
 
  #1  
Old March 7th 06, 12:04 PM posted to uk.telecom.voip
Dave Saville

I have been reading up on VOIP and firewalls - Seems they don't mix too well
:-)

Now if one does not have a VOIP/SIP aware firewall then the only option is to
open up to UDP traffic. This comes, quite rightly, with all sorts of dire
warnings. But *if* the specific IP address being used was dedicated to phone
hardware rather than a computer I can't think of any problems it could cause.

Am I missing something?

--

Regards

Dave Saville

NB Remove -nospam for good email address


  #2  
Old March 7th 06, 04:16 PM posted to uk.telecom.voip
Thomas Sandford

"Dave Saville" wrote in message
. uk...
> I have been reading up on VOIP and firewalls - Seems they don't mix too well
> :-)
>
> Now if one does not have a VOIP/SIP aware firewall then the only option is to
> open up to UDP traffic. This comes, quite rightly, with all sorts of dire
> warnings. But *if* the specific IP address being used was dedicated to phone
> hardware rather than a computer I can't think of any problems it could cause.
>
> Am I missing something?


Not really, in terms of the security side of things. You can actually tie
things down a bit tighter than allowing any UDP through.

Most half decent ATAs/phones will allow you to specify the range of RTP
ports used.

For example my Sipura SPA-3000 is set to use RTP ports 16384-16482.

So a working lockdown configuration for this unit would be:

Allow incoming TCP to Sipura port 5060
[SIP on TCP is in the spec, though I've never actually seen it in practice]
Allow incoming UDP to Sipura port 5060
[incoming SIP]
Allow incoming UDP to Sipura port 16384-16482
[incoming RTP]
Allow outgoing UDP from Sipura to any external port

[of course if someone finds a buffer overflow exploit in the SIP or RTP
handling code of your VOIP hardware then all bets are off!]

If your system is doing NAT as well as firewalling there are all sorts of
other problems though...
--
Thomas Sandford
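
An added example (not part of Thomas Sandford's post): the lockdown list above written as iptables rules for a Linux firewall that routes to the ATA without NAT. The address 192.0.2.10, the use of the FORWARD chain, the two connection-tracking rules for reply traffic and the closing DROP rules are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: emit iptables commands for the lockdown described above.
# Assumes a routed (no NAT) Linux firewall filtering in the FORWARD chain.

ATA_IP="192.0.2.10"   # constructed placeholder address for the Sipura
RTP_LO=16384          # RTP range quoted in the post
RTP_HI=16482

# True only for a decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule set for review; nothing is applied to the running firewall.
voip_rules() {
    ata="$1"; lo="$2"; hi="$3"
    valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || {
        echo "invalid RTP range: $lo-$hi" >&2
        return 1
    }
    cat <<EOF
# Assumption: replies on connections already accepted below (DNS, STUN, TCP SIP)
iptables -A FORWARD -d $ata -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $ata -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Incoming SIP over TCP and UDP
iptables -A FORWARD -d $ata -p tcp --dport 5060 -j ACCEPT
iptables -A FORWARD -d $ata -p udp --dport 5060 -j ACCEPT
# Incoming RTP, limited to the range configured on the ATA
iptables -A FORWARD -d $ata -p udp --dport $lo:$hi -j ACCEPT
# Outgoing UDP from the ATA to any external port
iptables -A FORWARD -s $ata -p udp -j ACCEPT
# Assumption: everything else to or from the ATA is dropped
iptables -A FORWARD -d $ata -j DROP
iptables -A FORWARD -s $ata -j DROP
EOF
}

voip_rules "$ATA_IP" "$RTP_LO" "$RTP_HI"
```

The RTP range passed in must match the range set on the ATA itself, otherwise media arriving on other ports is dropped.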


  #3  
Old March 7th 06, 07:11 PM posted to uk.telecom.voip
techpro

My SMC Barricade 7404 router/firewall managed to mess up Voip even when
the firewall was completely disabled. Foolishly, thinking that SMC made
good stuff, I replaced it with a 7908VoWBRA (or something like that)
with built in SIP support. After a firmware upgrade, the built in SIP
client works (though I can't access Sipgate voicemail because it
doesn't do DTMF out of band). But it still won't work with a soft phone
client.

SMC tech support never came back with a solution. They don't seem
interested in fixing their firmware. If you're using an SMC firewall,
just give up!
--
Julian Moss
The PC Guru: www.the-pc-guru.com

  #4  
Old March 7th 06, 09:26 PM posted to uk.telecom.voip
Joe Harrison

I don't tell my firewall anything about my SIP and STUN setup (apart from
QoS.) There are no forwarded ports, no nothing it just works.

Joe


  #5  
Old March 7th 06, 11:08 PM posted to uk.telecom.voip
Chris

In message , Jono
writes
> on 07/03/2006, Joe Harrison supposed :
>> I don't tell my firewall anything about my SIP and STUN setup (apart from
>> QoS.) There are no forwarded ports, no nothing it just works.
>>
>> Joe
>
> ....and the make is?


Can't comment on OP but I have no problems with my linksys WRT54G and
PAP2, possibly because they both support uPnP.
--
Chris
  #6  
Old March 8th 06, 02:33 PM posted to uk.telecom.voip
Joe Harrison


"Jono" wrote in message
k...
> on 07/03/2006, Joe Harrison supposed :
>> I don't tell my firewall anything about my SIP and STUN setup (apart from
>> QoS.) There are no forwarded ports, no nothing it just works.
>>
>> Joe
>
> ....and the make is?


Oop sorry Linksys WRT54G with Alchemy reflash. Rechecked the config in case
I had actually needed to do something for SIP and forgot... but no.


  #7  
Old March 9th 06, 12:07 AM posted to uk.telecom.voip
stephen

"Dave Saville" wrote in message
. uk...
> I have been reading up on VOIP and firewalls - Seems they don't mix too well
> :-)
>
> Now if one does not have a VOIP/SIP aware firewall then the only option is to
> open up to UDP traffic. This comes, quite rightly, with all sorts of dire
> warnings.

maybe this is backwards and you need a router which is SIP / Voip aware for
the protocol you are using?

> But *if* the specific IP address being used was dedicated to phone
> hardware rather than a computer I can't think of any problems it could cause.

A lot of the hardware in a phone or ATA or whatever may be more general
purpose under the surface, so you should sort of assume it may be vulnerable
to something and get attacked rather than expect that it is OK.

FWIW a fair number of IP phones use TFTP to grab code upgrades and config
files. TFTP is not exactly secure.....

> Am I missing something?

I know this isn't much help if you already have the router (although
complaining about it to the manufacturer might help when they design the
next model) - but a SIP aware router should be what you look for. Fixing up
a compromise is only a fall back approach.

> --
>
> Regards
>
> Dave Saville
>
> NB Remove -nospam for good email address

--
Regards

- replace xyz with ntl


  #8  
Old March 9th 06, 09:29 PM posted to uk.telecom.voip
alexd

stephen wrote:

> maybe this is backwards and you need a router which is SIP / Voip aware
> for the protocol you are using?


What's a SIP/VoIP aware router?

--
http://ale.cx/ (AIM:troffasky) )
20:29:04 up 1 day, 1:19, 1 user, load average: 0.01, 0.05, 0.01
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK

 




All times are GMT +1.