On 6/18/10 1:58 PM, Code Ghar wrote:
> You both are right that VoIP is a very broad term. So let me clarify. I
> am running Asterisk behind pfSense with multiple endpoints, such as ATAs
> and softphones, registering to this Asterisk server. Then I have some
> trunks with carriers and such. On the carrier side I am not too worried
> because I know their IPs and can create rules to allow traffic from them
> unhindered. However, on the other side are registered endpoints, for
> which there is no definitive IP. Users could plug it in their home,
> office, hotel, etc. Then there are some malicious users who try to brute
> force their way into the Asterisk server sending a flood of registration
> attempts. To allow legitimate use and to mitigate fraudulent
> registrations, one way would be to have a reasonable upper limit to
> connections per second. This way unusually large attempts can be blocked
> at the firewall level instead of letting Asterisk deal with it.
>
> In this scenario if I set, say, 5 max connections per second, then from
> one IP there can be 5 different states. In this case if a malicious user
> sends 6 registration attempts in one second then the first five would be
> allowed and the sixth would be dropped.
>
> On the flip side, if a legitimate user has two SIP endpoints coming from
> the same IP, then they can still establish two calls, one from each
> endpoint, as there would be four states: in and out for both endpoints.
> This still leaves a third connection or state for some breathing space.
>
> Did I understand this correctly?
Yes. My experience with the rate-limiting stuff is that pf can take a little while (seconds) to recognize and respond to brute-force attacks. This may be due to high attack rates or less-than-studly hardware or both. Either way, blocking might not be instantaneous, but ultimately pfSense will drop further connection attempts.

dn

>
>
> On Fri, Jun 18, 2010 at 3:33 PM, Chris Buechler <cbuech...@gmail.com> wrote:
>
> On Fri, Jun 18, 2010 at 4:08 PM, Code Ghar <codeg...@gmail.com> wrote:
> > In the pfSense book, there's a section (6.6.9.3) titled "Maximum New
> > Connections / Per Second". It says that "Any IP address exceeding that
> > number of connections within the given time frame will be blocked for one
> > hour." When using VoIP, which uses UDP, if one IP sends calls to your VoIP
> > switch with pfSense in the middle, there's one state established. Within
> > that state if that same IP sends, say 5 messages in a second, are these
> > messages considered 5 connections in one state or 1 connection in one state?
>
> With the typical SIP, one connection is one state, regardless of how
> many packets come over that state, it's one connection. If there are
> 50 SIP phones NATed to one public IP connecting to you, that's going
> to be 50 simultaneous SIP connections, plus RTP for calls. In cases
> like an Internet outage at that location, you'll see a bunch of
> connections opened quickly.
>
> That could more accurately read "Maximum new states / per second".
>
> As David noted, with a wide variety of things that "VoIP" can cover,
> it's hard to say. Generally you have up to two connections/states per
> SIP endpoint.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
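To make the state counting discussed in this thread concrete, here is an added example (not from the list, pfSense or pf's own code) that models pf's per-source limit on new states with an overload table, as the book section quoted above describes it: each distinct 5-tuple is one state, further packets on an open state are not new connections, and a source that exceeds the limit within the window is dropped and blocked for an hour. The addresses, ports and timings are constructed, and the class and function names are my own.

```python
from collections import defaultdict, deque

class SourceRateLimiter:
    """Simplified model of pf's max-src-conn-rate N/S plus an overload table (not pf code)."""

    def __init__(self, max_new=5, window=1.0, block_seconds=3600):  # "blocked for one hour"
        self.max_new = max_new
        self.window = window
        self.block_seconds = block_seconds
        self.states = set()               # open 5-tuple states
        self.recent = defaultdict(deque)  # src -> times at which it opened states
        self.blocked_until = {}           # src -> time its overload-table entry expires

    def packet(self, t, src, sport, dst, dport, proto="udp"):
        """Return 'blocked', 'existing', 'new' or 'dropped' for one packet."""
        if self.blocked_until.get(src, -1.0) > t:
            return "blocked"               # overload-table entry still active
        key = (src, sport, dst, dport, proto)
        if key in self.states:
            return "existing"              # more packets on one state: still one connection
        q = self.recent[src]
        while q and q[0] <= t - self.window:
            q.popleft()                    # forget state creations outside the window
        if len(q) >= self.max_new:         # this packet would exceed N new states per window
            self.blocked_until[src] = t + self.block_seconds
            return "dropped"
        q.append(t)
        self.states.add(key)
        return "new"

# Constructed addresses (RFC 5737 documentation ranges) and traffic, not real data.
ATTACKER = "203.0.113.7"
HOME_NAT = "198.51.100.20"
PBX = "192.0.2.10"

CONSTRUCTED_EVENTS = (
    [(0.1 * i, ATTACKER, 40000 + i, PBX, 5060) for i in range(6)]  # six REGISTERs, each a new state, in 0.6 s
    + [(0.2, HOME_NAT, 5060, PBX, 5060),   # ATA 1 REGISTER
       (0.3, HOME_NAT, 5062, PBX, 5060),   # ATA 2 REGISTER: same public IP, different NAT port
       (0.9, HOME_NAT, 5060, PBX, 5060),   # retransmit inside ATA 1's open state
       (2.0, ATTACKER, 40006, PBX, 5060)]  # attacker retries: still in the overload table
)

def simulate(events, max_new=5, window=1.0):
    """Replay (time, src, sport, dst, dport) events in time order; return per-source verdicts."""
    fw = SourceRateLimiter(max_new, window)
    verdicts = defaultdict(list)
    for t, src, sport, dst, dport in sorted(events, key=lambda e: e[0]):
        verdicts[src].append(fw.packet(t, src, sport, dst, dport))
    return dict(verdicts)
```

With the constructed traffic, the attacker's first five registrations open states, the sixth is dropped and the retry two seconds later is blocked outright, while the two ATAs behind one home NAT open two states and their retransmit counts as traffic on an existing state.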