Yes, if you have a static IP address, that is exactly what I do with my SIP provider; no SIP register is required. But even in that case you don't need to add a firewall rule for UDP 5060, but rather set "qualify=yes" in the SIP peer and the outbound SIP NOTIFY packet will open a UDP state in the firewall without needing to add a static firewall rule. The best feature is if/when the SIP provider's IP address changes, no firewall rules need to be changed.
Lonnie

On Jun 15, 2014, at 7:57 PM, Darrick Hartman wrote:

> Some sip providers route by IP. If that's the case, find out the provider's
> IP addresses and only allow inbound signalling on port 5060 from these
> addresses.
>
>
> -----Original Message-----
> From: Lonnie Abelbeck [li...@lonnie.abelbeck.com]
> Received: Sunday, 15 Jun 2014, 7:49PM
> To: AstLinux Users Mailing List [astlinux-users@lists.sourceforge.net]
> Subject: Re: [Astlinux-users] Is this fairly typical and what, if anything can I do?
>
> Adrian,
>
> There is no doubt that configuring SIP through NAT'ed firewalls can be
> confusing. This is one reason that AstLinux is often also used as the edge
> router and firewall to eliminate any NAT'ing to/from the public internet for
> the SIP traffic. I understand your AstLinux is sitting behind a NAT
> firewall, so your sip.conf needs a nat=force_rport or such, or at least not
> nat=no .
>
> I have never personally used sipgate, but I doubt that opening (forwarding)
> UDP 5060 is required, usually it is not. Opening UDP 5060 is usually only
> required when external (internet) SIP devices register to your asterisk. For
> the moment let's say you only want to send and receive calls via sipgate, and
> local LAN phones register to your local asterisk via SIP.
>
> In this case you will need to only forward (via edge router) a range of UDP
> ports that exactly match the "rtpstart" and "rtpend" values in the
> "/etc/asterisk/rtp.conf" file, the defaults of 10000 and 20000 are more than
> you need, probably "rtpstart=10000" and "rtpend=10200" will be more than
> adequate, make a similar change.
>
> You should also enable the firewall in AstLinux, even when it is behind
> another edge firewall, being careful to allow "Pass EXT->Local, TCP, 0/0,
> 22,80,443" to allow SSH, HTTP and HTTPS access for administration from your
> local LAN. Also specify "Pass EXT->Local, UDP, 0/0, 10000-10200" to allow
> the rtp.conf port range. Finally if local phones are reaching asterisk via a
> single network interface then "Pass EXT->Local, UDP, 0/0, 5060" is also
> needed.
>
> Now *only* forward on your edge router the UDP port range 10000-10200 to your
> internal AstLinux box. Make sure if your edge router has any SIP "features",
> "ALG", etc., disable them.
>
> Note -> It is important that your SIP peer in asterisk is the *only* device
> that registers with your sipgate account, assuming you only have one account.
> Any other SIP phones should register with your local asterisk, and use
> "directmedia=no" in all your local sip.conf contexts, then use your
> extensions.conf to route your local SIP phones to your various other peers.
> It can get confusing when two different devices register to the same account,
> keep it simple.
>
> Now, when your sipgate peer in asterisk registers to sipgate, the outbound
> packet will open a UDP state in both the AstLinux firewall and your edge
> firewall to the remote sipgate SIP server. You may want to add "qualify=yes"
> in your sip.conf sipgate peer to make sure that the path (and state) is
> regularly 'tickled'. Both inbound and outbound sipgate calls will use this
> UDP path for signaling, the RTP (voice) will use UDP ports 10000-10200.
>
> IMHO, that is my advice.
>
> For the sake of argument, let's say you actually need to allow UDP 5060 via
> the internet, forwarded to your AstLinux box... in this case AstLinux offers
> a couple firewall plugins to help secure your system:
>
> Firewall Plugins
> http://doc.astlinux.org/userdoc:tt_firewall_plugins
>
> 1) If you have a remote SIP peer specified with a DNS name, which can be a
> single or several in a round-robin, or even a dynamic DNS address, the
> "DynDNS Host Open" firewall plugin can be configured to allow UDP 5060 for
> only that DNS name, for example:
> --
> DYNDNS_HOST_OPEN_UDP="sip.example.com~5060"
> --
>
> 2) If you allow SIP connections from any internet source it is recommended to
> enable the "Adaptive Ban" firewall plugin, at a minimum specify "asterisk" in
> ADAPTIVE_BAN_TYPES, for example:
> --
> ADAPTIVE_BAN_TYPES="asterisk"
> --
> from your logs below the Adaptive ban plugin would have blocked IPv4 address
> 82.205.1.22 automatically.
>
> Hope this gets you down the correct path. Clearly we can't tell you how to
> configure your system, you have to figure that out for yourself, and there
> will be some trial and error as we all have done. In the end you have a very
> useful PBX and a useful skill.
>
> Lonnie
>
>
> On Jun 15, 2014, at 5:33 PM, Adrian Hodgson wrote:
>
> > Is this fairly typical and what, if anything can I do?
> >
> > Jun 15 21:44:39 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000095]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 1004<sip:1...@xxx.xxx.xxx.xxx>;tag=7169f612
> > Jun 15 21:45:13 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"1020" <sip:1...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11464' - Wrong password
> > Jun 15 21:46:07 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000096]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 777<sip:7...@xxx.xxx.xxx.xxx>;tag=9e45a2aa
> > Jun 15 21:46:09 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000097]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 777<sip:7...@xxx.xxx.xxx.xxx>;tag=93513e43
> > Jun 15 21:46:11 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000098]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 777<sip:7...@xxx.xxx.xxx.xxx>;tag=7594d687
> > Jun 15 21:46:46 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"271" <sip:2...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11453' - Wrong password
> > Jun 15 21:47:38 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"cc1001" <sip:cc1...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11446' - Wrong password
> > Jun 15 21:48:07 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"7012" <sip:7...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11428' - Wrong password
> > Jun 15 21:48:53 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"9012" <sip:9...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11455' - Wrong password
> > Jun 15 21:49:51 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"3012" <sip:3...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11428' - Wrong password
> > Jun 15 21:57:57 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"630" <sip:6...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11461' - Wrong password
> > Jun 15 21:59:13 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"271" <sip:2...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11442' - Wrong password
> > Jun 15 21:59:35 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"301" <sip:3...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11461' - Wrong password
> > Jun 15 22:01:24 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"5012" <sip:5...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11457' - Wrong password
> > Jun 15 22:01:32 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"22" <sip:2...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11411' - Wrong password
> > Jun 15 22:01:46 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '"cc1001" <sip:cc1...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11445' - Wrong password
> > Jun 15 22:03:08 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009a]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 1004<sip:1...@xxx.xxx.xxx.xxx>;tag=08778401
> > Jun 15 22:10:50 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009b]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=ebb5bfdf
> > Jun 15 22:10:51 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009c]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=477e39fb
> > Jun 15 22:10:52 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009d]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=c0c61d2d
> > Jun 15 22:10:53 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009e]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=d823cabd
> > Jun 15 22:10:54 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009f]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=8037e8da
> > Jun 15 22:19:02 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a1]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 0123456<sip:0123...@xxx.xxx.xxx.xxx>;tag=5dc1fe53
> > Jun 15 22:21:26 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a2]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 2001<sip:2...@xxx.xxx.xxx.xxx>;tag=22c19a11
> > Jun 15 22:23:05 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a3]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 205<sip:2...@xxx.xxx.xxx.xxx>;tag=acc15539
> > Jun 15 22:23:07 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a4]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 205<sip:2...@xxx.xxx.xxx.xxx>;tag=db760146
> > Jun 15 22:23:09 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a5]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 205<sip:2...@xxx.xxx.xxx.xxx>;tag=c87a5446
> > Jun 15 22:23:37 astpbx local0.warn asterisk[406]: WARNING[446]: chan_sip.c:4176 in retrans_pkt: Retransmission timeout reached on transmission 653f78ffb65531d477b7269677de0da2 for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retrans
> > Jun 15 22:26:13 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a7]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 209<sip:2...@xxx.xxx.xxx.xxx>;tag=dcf7b74e
> > Jun 15 22:39:48 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a8]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 2001<sip:2...@xxx.xxx.xxx.xxx>;tag=b589c4fb
> >
> >
> > I have ports 5060 and 5004 forwarded through my router to my pbx UDP only,
> > to keep my sipgate account working, no others.
> >
> > I guess this is typical of someone scanning for access to various systems.
> >
> > Cheers
> >
> > Adrian
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
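The thread's point about the Adaptive Ban plugin is that the log excerpt Adrian posted already contains everything needed to decide a source should be blocked: repeated "Registration from ... failed for 'IP:port' - Wrong password" lines from one address inside a short window. The script below is an added example written for this page; it is not part of AstLinux, of the Adaptive Ban plugin, or of anything the posters wrote. It assumes the chan_sip log formats quoted above (handle_request_register and handle_request_invite NOTICE lines), and the sample log it runs over is constructed with RFC 5737 documentation addresses, not real traffic. It counts failures per source, applies a sliding-window threshold of the kind a fail2ban-style rule uses, and also shows the caveat a defender should notice in the excerpt: the INVITE "Failed to authenticate device" lines name only the claimed device, not the source address, so they cannot be attributed to an IP from these lines alone.

```python
"""Count chan_sip auth failures per source and flag sources that exceed a
threshold inside a sliding window (added illustration; not AstLinux code)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SYSLOG_TS = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "

# REGISTER failures carry the remote address in "failed for 'IP:port'".
REGISTER_FAIL = re.compile(
    SYSLOG_TS + r".*?handle_request_register: Registration from "
    r"'(?P<user>[^']*)' failed for '(?P<ip>[\d.]+):(?P<port>\d+)' - (?P<reason>.*)$"
)
# INVITE auth failures carry only the claimed device, never the source IP.
INVITE_FAIL = re.compile(
    SYSLOG_TS + r".*?handle_request_invite: Failed to authenticate device "
    r"(?P<device>[^<\s]+)<"
)


def _ts(text):
    # Syslog timestamps have no year; deltas inside one capture still work.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_line(line):
    """Return a dict describing an auth failure, or None for any other line."""
    m = REGISTER_FAIL.match(line)
    if m:
        return {"kind": "register", "ts": _ts(m.group("ts")), "ip": m.group("ip"),
                "user": m.group("user"), "reason": m.group("reason")}
    m = INVITE_FAIL.match(line)
    if m:
        return {"kind": "invite", "ts": _ts(m.group("ts")), "device": m.group("device")}
    return None


def find_ban_candidates(lines, threshold=5, window_s=600):
    """Map source IP -> timestamp at which it reached `threshold` REGISTER
    failures within `window_s` seconds, i.e. the moment a fail2ban-style rule
    would block it. Sources that never reach the threshold are absent."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["kind"] != "register" or ev["ip"] in banned:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            banned[ip] = ts.strftime("%b %d %H:%M:%S")
    return banned


def summarize(lines):
    """Return (REGISTER failures per source IP, INVITE failures per device)."""
    by_ip, by_device = Counter(), Counter()
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "register":
            by_ip[ev["ip"]] += 1
        else:
            by_device[ev["device"]] += 1
    return by_ip, by_device


# Builders for constructed sample lines in the quoted chan_sip format.
def _reg(ts, user, ip, port):
    return (f"{ts} astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in "
            f"handle_request_register: Registration from '\"{user}\" <sip:{user}@192.0.2.10:5060>' "
            f"failed for '{ip}:{port}' - Wrong password")


def _inv(ts, call, device, tag):
    return (f"{ts} astpbx local0.notice asterisk[406]: NOTICE[446][C-{call}]: chan_sip.c:25533 in "
            f"handle_request_invite: Failed to authenticate device {device}<sip:{device}@192.0.2.10>;tag={tag}")


SAMPLE_LOG = [  # constructed, modelled on the thread's excerpt; documentation IPs only
    _reg("Jun 15 21:45:13", "1020", "203.0.113.5", 11464),
    _inv("Jun 15 21:46:07", "00000096", "777", "9e45a2aa"),
    _inv("Jun 15 21:46:09", "00000097", "777", "93513e43"),
    _inv("Jun 15 21:46:11", "00000098", "777", "7594d687"),
    _reg("Jun 15 21:46:46", "271", "203.0.113.5", 11453),
    _reg("Jun 15 21:47:38", "cc1001", "203.0.113.5", 11446),
    _reg("Jun 15 21:48:07", "7012", "203.0.113.5", 11428),
    _reg("Jun 15 21:48:53", "9012", "203.0.113.5", 11455),
    _reg("Jun 15 21:50:02", "100", "198.51.100.7", 5060),
    _reg("Jun 15 22:01:24", "5012", "203.0.113.5", 11457),
    _reg("Jun 15 22:30:00", "101", "198.51.100.7", 5060),
    "Jun 15 22:31:12 astpbx local0.warn asterisk[406]: WARNING[446]: chan_sip.c:4176 in "
    "retrans_pkt: Retransmission timeout reached on transmission 0123456789abcdef for seqno 2 (Critical Response)",
]

if __name__ == "__main__":
    by_ip, by_device = summarize(SAMPLE_LOG)
    print("REGISTER failures per source:", dict(by_ip))
    print("INVITE failures per claimed device (no source IP in these lines):", dict(by_device))
    print("would block:", find_ban_candidates(SAMPLE_LOG))
```

On the constructed log, 203.0.113.5 crosses five failures at 21:48:53 and is the only source flagged; its sixth failure at 22:01:24 falls outside the ten-minute window of the first five, so a threshold of six is not reached unless the window is widened. That is the trade-off behind any such rule: a short window and low threshold stop a scanner quickly but also catch a phone with a mistyped password, so the threshold should sit above the retry rate of your own devices.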