Firewall

From FreeSWITCH Wiki
Jump to: navigation, search

Firewall

If you are going to route traffic across your network, you need to ensure that you do not have a firewall blocking traffic on the specified network paths. Commonly firewalls are installed at egress points, where your local network connects to the internet. You may also run a firewall on the server itself. This is not always the case in some corporate environments. If you are not responsible for your network, you may wish to contact the group or individuals who are responsible for it.

Information they may need to enable traffic would include the port numbers. Various protocols use different ports for different things. Some you need bi-directional connectivity, some you only need outbound. Depending on your call scenario you may only need to allow connections that are initiated by your system. If you have any problems with protocols not working, it is recommended that you disable your firewall to the FreeSWITCH™ system, place a test call, and see if the problem persists. A misconfigured firewall is responsible for many common problems.


FireWall Ports Network Protocol Application Protocol Description
1719 UDP H.323 Gatekeeper RAS port
1720 TCP H.323 Call Signaling
3478 UDP STUN service Used for NAT traversal
3479 UDP STUN service Used for NAT traversal
5002 TCP MLP protocol server
5003 UDP Neighborhood service
5060 UDP & TCP SIP UAS Used for SIP signaling (Standard SIP Port, for default Internal Profile)
5070 UDP & TCP SIP UAS Used for SIP signaling (For default "NAT" Profile)
5080 UDP & TCP SIP UAS Used for SIP signaling (For default "External" Profile)
8021 TCP ESL Used for mod_event_socket *
16384-32768 UDP RTP/ RTCP multimedia streaming Used for audio/video data in SIP and other protocols
5066 TCP Websocket Used for WebRTC
7443 TCP Websocket Used for WebRTC

* Note: Think carefully about opening the ESL port to the external world and change the default password. There are ESL commands to run any system commands or to crash FreeSWITCH for call recovery testing. Allowing public access is therefore a security risk.

Note the ports may vary depending on which modules you have loaded and their configuration, for instance you may have more or fewer SIP profiles, and you may have changed many of the above ports including SIP,RTP,ESL etc.

Linux (netfilter iptables)

NOTE: YOU MUST DO THIS IF YOU ARE USING AN IPTABLES FIREWALL!!! IF YOU HAVE MORE THAN ONE SIP PROFILE, YOU MUST ADD THE PORTS OF YOUR OTHER PROFILES!!!

The nf_conntrack_sip and nf_conntrack_h323 modules will watch unencrypted SIP/H323 and automatically open the firewall ports required for RTP if you are accepting packets with the RELATED state. SIP and H323 packets after the first packet will be in the ESTABLISHED state. If you allow any RELATED,ESTABLISHED packets before processing new/unknown packets, then your firewall will accept subsequent packets much sooner, resulting in lower CPU usage and latency.

This may only apply to packets on the standard ports (UDP/5060, TCP/5060, TCP/1720) as it requires that the firewall recognizes the SIP/H323 protocol the packets are using.

This is of course not possible for encrypted connections, as the firewall cannot look inside the VoIP packets to get the RTP IPs and ports.

Module options

You may need to adjust the following options in some configurations, e.g. setting sip_direct_media=0 for bypass media (either done by FreeSWITCH's bypass_media or by a gateway).

Module Option Description Values Default*
nf_conntrack_sip sip_direct_signalling Expect incoming calls from registrar only* 0/1 1
nf_conntrack_sip sip_direct_media Expect Media streams between signalling endpoints only 0/1 1
nf_conntrack_sip sip_timeout Timeout for the master SIP session Integer 3600
nf_conntrack_sip ports Port numbers of SIP servers* List of up to 8 port numbers (comma-separated) eg. 5060,5070,5080 5060
nf_conntrack_h323 default_rrq_ttl Use this TTL if it's missing in RRQ Integer 300
nf_conntrack_h323 gkrouted_only Only accept calls from gatekeeper Integer 1
nf_conntrack_h323 callforward_filter Only create call forwarding expectations if both endpoints are on different sides (determined by routing information) Integer 1

Module options are given when loading the module, e.g. "modprobe nf_conntrack_sip ports=5060,5080" to use a non-default setting. Modules will need to be unloaded and reloaded to change their options.

The two most commonly used options are "ports" and "sip_direct_media".

You can check the current module parameter values by viewing the special files in /sys/module/nf_conntrack_sip/parameters/

How To configure the module

  • If your distribution supports /etc/modules.conf:
    • open /etc/modules.conf in an editor
    • add the line:
      • options nf_conntrack_sip [options]


  • If your distribution supports /etc/modprobe.d/:
    • Create a file 50-nf_conntrack_sip.conf and open in an editor
    • add the line:
      • options nf_conntrack_sip [options]


  • If your module is loaded using modprobe (eg. in rc.local):
    • modprobe nf_conntrack_sip [options]


Notes:

  • sip_direct_signalling=1 and gkrouted_only=1 will still allow all incoming calls if you have a rule such as "-p udp --dport 5060 -j ACCEPT" for the protocol, since you are explicitly allowing signaling instead of relying on the module.
  • Default values are taken from linux-source-2.6.26 on Debian 2010/02/26, and may vary in different versions.

Side effects:

Invalid SIP packets may be silently dropped by iptables even if all packets are allowed (e.g. if they have no CSeq header). This should not be an issue for FreeSWITCH, since it only sends valid SIP packets.