Rexxer

Some tips for me and others

Asterisk + firewall rules

IPFW:

# Firewall command
fwcmd="/sbin/ipfw -q"

# Interface setup
# Outside interface
oip="<your external ip address>"

# * (Asterisk) pbx ip
pbxip="<your * internal ip>"

# VoIP traffic - SIP (5060 tcp/udp), IAX2 (4569), MGCP (2727), RTP (9999-20001)
# The RTP range must cover rtpstart/rtpend in rtp.conf (Asterisk default 10000-20000).
# Note: "from ${oip}" matches only packets whose source address is your own
# external IP, so as written these rules do not admit SIP/IAX from remote peers.
# For a PBX that takes registrations from outside, use "from any to ${pbxip}"
# and restrict by interface with "in via <outside interface>" instead.
${fwcmd} add pass tcp from ${oip} to ${pbxip} 5060 keep-state in
${fwcmd} add pass tcp from ${pbxip} to any 5060 keep-state out
${fwcmd} add pass udp from ${oip} to ${pbxip} 5060 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 4569 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 2727 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 9999-20001 keep-state in
${fwcmd} add pass udp from ${pbxip} to any keep-state out
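The same IPFW ruleset as a script that generates the rules from a port list, syntax-checks them with `ipfw -n` (which parses a rule file without passing anything to the kernel) and only then loads them. This is an added example, not code from the post: the file name voip-fw.sh, the PBXIP default of 10.0.0.4 and the RTP range 10000-20000 are assumptions you replace with your own values. It differs from the rules above in two ways a practitioner would want: inbound rules use "from any", because SIP and IAX arrive from remote peers, and a final deny keeps every other port on the PBX closed.

```shell
#!/bin/sh
# voip-fw.sh: generate, syntax-check and load IPFW rules for an Asterisk box.
# Added example, not part of the original post. PBXIP and the RTP range are
# assumptions: set PBXIP to your PBX and make the range match rtp.conf.
set -eu

pbxip="${PBXIP:-10.0.0.4}"     # assumed internal PBX address
sip_port="5060"                # SIP signalling (TCP and UDP)
voip_udp="4569 5036 2727"      # IAX2, IAX1, MGCP (UDP only)
rtp_range="10000-20000"        # assumed; must equal rtpstart-rtpend in rtp.conf

# Print the ruleset, one ipfw command per line, without executing anything.
# Inbound rules use "from any": remote peers, not our own address, send the
# SIP and media we want to accept. The last rule denies everything else.
gen_voip_rules() {
    pbx=$1
    printf '%s\n' \
        "add pass tcp from any to $pbx $sip_port keep-state in" \
        "add pass udp from any to $pbx $sip_port keep-state in"
    for p in $voip_udp; do
        printf '%s\n' "add pass udp from any to $pbx $p keep-state in"
    done
    printf '%s\n' \
        "add pass udp from any to $pbx $rtp_range keep-state in" \
        "add pass tcp from $pbx to any $sip_port keep-state out" \
        "add pass udp from $pbx to any keep-state out" \
        "add deny log ip from any to $pbx in"
}

# Write the rules to a file, parse them with 'ipfw -n' (syntax check only,
# nothing reaches the kernel) and load them only if the check passes.
apply_voip_rules() {
    tmp=$(mktemp)
    gen_voip_rules "$pbxip" > "$tmp"
    if ipfw -n "$tmp"; then
        ipfw -q "$tmp"
    else
        echo "ruleset rejected by ipfw -n; nothing loaded" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Run as "./voip-fw.sh apply" to load; with no argument it only prints the rules.
if [ "${1:-}" = apply ]; then
    apply_voip_rules
else
    gen_voip_rules "$pbxip"
fi
```

Run it without arguments first and read the output; the deny rule must be the last line, since IPFW evaluates rules in order and the first match wins.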

PF:

# Your inet interface
ext = "rl0"

# SIP (TCP)
voip_tcp = "5060"

# SIP, IAX2, IAX, RTP, MGCP (UDP)
voip_udp = "{ 5060, 4569, 5036, 9999 >< 20001, 2727 }"

pass in on $ext inet proto tcp from any to any port $voip_tcp flags S/SA keep state
pass out on $ext inet proto tcp all flags S/SA keep state
pass in on $ext inet proto udp from any to any port $voip_udp keep state
pass out on $ext inet proto udp all keep state

pf.conf on gateway router/asterisk box with QoS

#### macros ####
ext_if = "xl0" # 172.16.0.2
int_if = "xl1" # 10.0.0.1
lan_net = "10.0.0.0/24"
table <blocked> persist
table <routed> persist

# machines
ext_ip = "172.16.0.2"
siphost = "172.16.0.3"
voip = "10.0.0.4" # not referenced by any rule below

#### options ####
set skip on lo0
set optimization conservative
set block-policy drop
set loginterface $ext_if
scrub in all

#### QoS stuff #######
altq on $ext_if priq bandwidth 520Kb queue { q_pri, q_def, q_bulk, q_crap }
queue q_pri priority 7
queue q_def priority 5 priq(default)
queue q_bulk priority 1
queue q_crap priority 0

#### NAT ####
nat on $ext_if from <routed> -> $ext_ip

#### rules ####
# pf evaluates every rule and the last match wins unless a rule says "quick"
block drop out quick on $ext_if proto { udp, icmp, tcp } from any to <blocked>
block drop in quick on $ext_if proto { udp, icmp, tcp } from <blocked> to any
block drop in on $ext_if from any to any
pass in on $ext_if from $lan_net to any

# basic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if proto icmp all keep state

# asterisk
# every protocol and port to the SIP host; for an exposed host, restrict this
# to the VoIP ports (5060, 4569, the RTP range) as in the rulesets above
pass in from any to $siphost
# IAX2 goes to the high-priority queue; RTP is not queued here and stays in q_def
pass in quick proto udp from any to any port 4569 keep state queue (q_pri)
pass out quick proto udp from any to any port 4569 keep state queue (q_pri)

# default
# second queue in the pair takes low-delay packets (TCP ACKs, TOS lowdelay)
pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA keep state queue (q_def, q_pri)
