Firewall rules

Discussion in '3CX Phone System - General' started by svenvil, Jul 25, 2014.

Thread Status:
Not open for further replies.
  1. svenvil

    Joined:
    Jun 24, 2014
    Messages:
    7
    Likes Received:
    0
    Just need a little clarification as to how firewall rules should be set up.

    I have a Juniper SSG 140. I have disabled SIP ALG.
    I have a MIP that is mapped to my private IP.
    I have created a service that allows the required ports as per http://www.3cx.com/docs/firewall-router-configuration-voip/. So I have an inbound rule allowing 5060, 5000 and 9000-9049 (UDP and TCP where required as per doco).

    When I log this rule, the only traffic that hits it is port 5060.

    It's not until I create an outbound rule for any destination, any source on any port that I get audio, and when I log that rule, calls are using random ports above 19000, or they appear to start on the correct port but get translated when hitting the destination (see attachment).

    Should it be going out within the 9000-9049 range?

    Have I missed something in terms of my firewall config to stop the ports getting translated to something above 19000, or is this behaviour to be expected?

    Is the expectation that you need an outbound any/any rule for 3CX, as it is not listed on the link for firewall config?

    I'd really like to be able to lock this server down so that only the required ports are open in and out and I can't seem to get that to work due to the higher port range handling the call.

    Any help would be appreciated.
    cheers
     

    Attached Files:

  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,739
    Likes Received:
    281
    Haven't used that particular router, so I'm not an expert by any means. However, as far as rules for outbound traffic...generally this is not required. The internal devices "know" what public IP they are communicating with, and use whatever ports are required. Some routers do incoming port translations. It seems to work in a lot of cases although the 3CX Firewall Checker will complain about it.

    Since ports 9000 to 9049 are forwarded for incoming traffic, that is what I would expect to find using them. Outgoing will use other ranges, but, again, is usually free to do so.

    I would not worry too much about "locking down" ports outbound, open it as you did, and run the Firewall Checker. It is pretty certain that any threat to your network, short of a trojan already on your server, is going to come from outside. If you are really concerned, you might want to look at something like ZoneAlarm, or an equivalent.
     
  3. bardissi

    bardissi Member

    Joined:
    Jan 31, 2012
    Messages:
    318
    Likes Received:
    0
    Agreed, let all outbound traffic loose.
     
  4. 3CXNP

    3CX Support

    Joined:
    Apr 25, 2014
    Messages:
    44
    Likes Received:
    0
    Hey there Svenvil,

    The ports you need to have open on your firewall are

    5060 TCP/UDP - SIP
    5090 TCP/UDP - Tunnel
    9000-9049 UDP - RTP (Audio)
    5000 - HTTP Presence
    5001 - HTTPS Presence

    That is for incoming traffic. Only open as many ports as you necessarily need.

    We do NOT recommend that you install ZoneAlarm or antivirus on the PBX. Use the firewall and your internal anti-hacking settings in the PBX to secure it. If you are worried about malware on your PBX, then that means you have to start uninstalling other software which may be sharing the PBX.
     
  5. svenvil

    Joined:
    Jun 24, 2014
    Messages:
    7
    Likes Received:
    0
     
  6. jpillow

    jpillow Well-Known Member

    Joined:
    Jun 20, 2011
    Messages:
    1,342
    Likes Received:
    0
    It sounds like the issue falls back to how that firewall handles SIP ALG and NAT, as the ports are changing at the firewall.
     
  7. svenvil

    Joined:
    Jun 24, 2014
    Messages:
    7
    Likes Received:
    0
    OK, so after a bit of messing about I now have one rule with only the required 3CX ports. I no longer have an outbound any/any.

    In case anyone is using a Juniper SSG 140, here's what I did.

    1) Create a MIP with your desired external IP mapping to your 3CX server's internal IP.
    2) Create a custom service using the 3CX ports defined in their firewall doco.
    3) Create a policy from untrust to untrust and allow only the custom service that you created.
    4) Under Security -> ALG, enable SIP on the Basic tab, then enable SIP again on the SIP tab. (I had this all disabled previously as that seemed to be the preferred option.)

    All traffic relating to SIP now hits this rule, and this rule only, whereas before part was hitting the inbound rule, and part was hitting the outbound any/any.

    Thanks for your help all.
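The symptom the thread chased (audio only with an outbound any/any, and RTP that leaves on 9000-9049 but shows up on a public port above 19000) is easy to spot in firewall logs once the 3CX port set from the support reply is encoded. The following is an added example, not code from the thread or from 3CX: it triages constructed key=value log lines (the field layout, the policy names ending in "-in"/"-out", and the assumption that 5000/5001 are TCP are all mine, not the SSG 140's real log format) and flags RTP flows whose port was rewritten by NAT.

```python
import re
from collections import Counter

# Inbound ports 3CX support lists in this thread; 5000/5001 assumed TCP (HTTP/HTTPS).
REQUIRED_TCP = {5060, 5090, 5000, 5001}
REQUIRED_UDP = {5060, 5090}
RTP_RANGE = range(9000, 9050)  # 9000-9049 UDP, RTP audio

# Constructed sample lines in a generic key=value layout (not real SSG 140 output);
# 'xlate' is the post-NAT address:port, and "-out" policies are PBX-to-Internet.
SAMPLE_LOG = """\
2014-07-25 10:01:02 policy=3cx-in proto=udp src=198.51.100.7:5060 dst=203.0.113.10:5060 xlate=192.168.1.10:5060 action=permit
2014-07-25 10:01:03 policy=3cx-in proto=udp src=198.51.100.7:40010 dst=203.0.113.10:9004 xlate=192.168.1.10:9004 action=permit
2014-07-25 10:01:03 policy=any-out proto=udp src=192.168.1.10:9004 dst=198.51.100.7:40010 xlate=203.0.113.10:19234 action=permit
2014-07-25 10:01:05 policy=3cx-in proto=tcp src=198.51.100.7:51200 dst=203.0.113.10:5001 xlate=192.168.1.10:5001 action=permit
2014-07-25 10:01:09 policy=any-out proto=tcp src=192.168.1.10:3389 dst=198.51.100.9:3389 xlate=203.0.113.10:3389 action=permit
"""
LINE_RE = re.compile(r"policy=(?P<policy>\S+) proto=(?P<proto>\w+) src=\S+:(?P<sport>\d+) "
                     r"dst=\S+:(?P<dport>\d+) xlate=\S+:(?P<xport>\d+)")

def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow.update({k: int(flow[k]) for k in ("sport", "dport", "xport")})
    return flow

def pbx_and_public_ports(flow):
    if flow["policy"].endswith("-out"):
        return flow["sport"], flow["xport"]  # outbound: source is the PBX, xlate is the public side
    return flow["xport"], flow["dport"]      # inbound: xlate is the PBX, dst is the MIP

def classify(flow):
    pbx, public = pbx_and_public_ports(flow)
    if flow["proto"] == "udp" and pbx in RTP_RANGE:
        # RTP on 9000-9049 at the PBX but a different port on the Internet side is the NAT rewrite.
        return "rtp" if pbx == public else "rtp_translated"
    required = REQUIRED_TCP if flow["proto"] == "tcp" else REQUIRED_UDP
    return "signalling" if pbx in required else "outside_3cx_set"

def triage(log_text):
    """Count flows per class; return the raw lines whose RTP port was rewritten by NAT."""
    flows = [(line, parse_line(line)) for line in log_text.splitlines()]
    verdicts = [(line, classify(flow)) for line, flow in flows if flow]
    counts = Counter(v for _, v in verdicts)
    translated = [line for line, v in verdicts if v == "rtp_translated"]
    return counts, translated
```

Flows that land in "outside_3cx_set" are the ones an outbound any/any lets through that the 3CX port list alone would not, which is what to review before tightening the outbound policy.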
     