[Freeswitch-users] Firewall mysteriously starts blocking calls to port 5060

Giovanni Maruzzelli gmaruzz at gmail.com
Sun May 5 22:08:02 UTC 2019


On Sun, May 5, 2019 at 11:15 PM Kevin Olbrich <ko at sv01.de> wrote:

> ... the reason TCP also works "mostly" most likely will be the sip helper
> which is loaded by default on shorewall.
>

ouch! Thanks Kevin, very very good to know (and scary, for a control freak)!
-giovanni


> It will automatically punch holes into your firewall to make the protocols
> work (similar to FTP, etc.).
> I've also noticed problems with bad SIP packets (bots) that cause the sip
> helper to stall which would lead to the problem you described.
>
> Kevin
>
>
> On Sat, May 4, 2019 at 6:14 PM Chad Phillips <
> chad at apartmentlines.com> wrote:
>
>> It wasn't a fail2ban issue...
>>
>> This particular provider says they only send SIP traffic over UDP, and I
>> had only opened TCP traffic to port 5060 in my firewall.
>>
>> The part I don't understand is how I was able to receive any calls at all
>> from them without UDP/5060 open -- it worked for hours with my new firewall
>> config up. That's just weird...
>>
>> Also, can anybody explain why a provider would use UDP for SIP traffic?
>> From my brief reading of the spec, it does seem to be a valid protocol to
>> use, but UDP's fire and forget approach seems a poor choice for this task.
>>
>> On Fri, May 3, 2019 at 11:56 AM David Villasmil <
>> david.villasmil.work at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I'd say this is a question for shorewall. But since you're here, is
>>> there maybe some flood-prevention mechanism that would block it? Did you
>>> check shorewall's log to try and find the reason it was blocked?
>>>
>>> Regards,
>>>
>>> David Villasmil
>>> email: david.villasmil.work at gmail.com
>>> phone: +34669448337
>>>
>>>
>>> On Fri, May 3, 2019 at 6:07 PM Chad Phillips <chad at apartmentlines.com>
>>> wrote:
>>>
>>>> Recently I reconfigured my firewall (via Shorewall) to block all
>>>> inbound traffic to port 5060, except for whitelisted IP addresses from my
>>>> inbound DID providers. After setup, we ran tests and everything worked fine
>>>> for all incoming calls across all providers.
>>>>
>>>> Then a few hours later, calls from one of our providers started being
>>>> blocked. All calls from our other providers continued coming through fine.
>>>> Upon restarting our firewall service, the blocked calls from the single
>>>> provider started coming through again.
>>>>
>>>> Between our successful tests and the start of the issue, there were
>>>> zero changes made to the server.
>>>>
>>>> So why would my firewall suddenly start blocking inbound traffic from a
>>>> whitelisted IP that it was previously letting through??
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>>
>>>> The FreeSWITCH project is sponsored by SignalWire
>>>> https://signalwire.com
>>>> Enhance your FreeSWITCH install with disruptive priced SMS and PSTN
>>>> services.
>>>> Build your next product on our scalable cloud platform.
>>>>
>>>> Join our online community to chat in real time
>>>> https://signalwire.community
>>>>
>>>> Professional FreeSWITCH Services
>>>> sales at freeswitch.com
>>>> https://freeswitch.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> https://freeswitch.com/oss
>>>> https://freeswitch.org/confluence
>>>> https://cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> https://freeswitch.com
>>>
>>
>



-- 
Sincerely,

Giovanni Maruzzelli
OpenTelecom.IT
cell: +39 347 266 56 18
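
The two conditions discussed in this thread (a provider whitelisted for TCP/5060 but not UDP/5060, and the SIP connection-tracking helper being loaded) can both be checked from a shell. This is an added example, not part of the thread: the function names and sample rules are constructed, and it assumes the Shorewall rules column order ACTION SOURCE DEST PROTO DPORT and the kernel module name nf_conntrack_sip.

```shell
#!/bin/sh
# Added example; function names and SAMPLE_RULES are constructed for illustration.

# Reads Shorewall rules-file lines on stdin (ACTION SOURCE DEST PROTO DPORT)
# and prints every SOURCE that is accepted on port 5060 over tcp but not udp.
missing_udp_5060() {
    awk '
    NF == 0 || $1 ~ /^[#?]/ { next }      # blanks, comments, ?SECTION lines
    $1 !~ /^ACCEPT/         { next }      # only rules that let traffic in
    {
        hit = 0
        n = split($5, ports, ",")         # DPORT may be a list and/or lo:hi range
        for (i = 1; i <= n; i++) {
            m = split(ports[i], r, ":")
            lo = r[1] + 0
            hi = (m > 1 ? (r[2] == "" ? 65535 : r[2]) : r[1]) + 0
            if (lo <= 5060 && 5060 <= hi) hit = 1
        }
        if (!hit) next
        n = split(tolower($4), protos, ",")
        for (i = 1; i <= n; i++) seen[$2, protos[i]] = 1
        srcs[$2] = 1
    }
    END {
        for (s in srcs)
            if ((s, "tcp") in seen && !((s, "udp") in seen)) print s
    }' | sort
}

# Reads `lsmod` output on stdin; succeeds if the SIP conntrack helper is loaded.
sip_helper_loaded() {
    awk '$1 == "nf_conntrack_sip" { found = 1 } END { exit !found }'
}

# Constructed sample rules (documentation-range addresses, not real providers).
SAMPLE_RULES='?SECTION NEW
# provider A: TCP only, the configuration described in the thread
ACCEPT  net:203.0.113.10  $FW  tcp  5060
# provider B: both transports
ACCEPT  net:198.51.100.7  $FW  tcp  5060,5061
ACCEPT  net:198.51.100.7  $FW  udp  5060:5061
DROP    net               $FW  udp  5060'

printf '%s\n' "$SAMPLE_RULES" | missing_udp_5060
lsmod 2>/dev/null | sip_helper_loaded && echo "nf_conntrack_sip is loaded"
```

On a live host, feed the real rules file to `missing_udp_5060` instead of the sample; any source it prints depends on something other than an explicit rule to get UDP SIP through.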