DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Firewall not blocking (2850)
- lesd
- Topic Author
- Offline
- Member
- Posts: 130
- Thank yous received: 0
08 Dec 2013 20:33 #78447
by lesd
Les
Firewall not blocking (2850) was created by lesd
I have a PBX behind the router and need to open some ports for use by a specific trunk provider.
I have set up the rules but it does not seem to work properly, so I would be grateful for some guidance.
I have opened UDP ports 5060 and 10000-20000 and forwarded them to the PBX but want to only allow traffic through if coming from any of five specific source IPs.
So in my Default Data Filter I have filter rule 2:
Source IP: Group 'Anveo' which I have set up as an IP group consisting of 5 IPs
Destination IP: Any
Service Type: 'SIP' which I set up as a Service Type Group consisting of two Service Type Objects:-
TCP/UDP; Source port: 1- 65535; Dest Port 10000-20000
TCP/UDP; Source port: 1- 65535; Dest Port 5060
Filter: Pass Immediately
Filter Rule 3 is then:
Source IP:Any
Destination IP: Any
Service Type: 'SIP' as per above
Filter: Block Immediately
Despite the above, probes to port 5060 (at least) are getting through to the PBX from unauthorised external IPs.
What have I missed?
Les
- sicon
- Offline
- Contributor
- Posts: 642
- Thank yous received: 0
10 Dec 2013 11:11 #78453
by sicon
Replied by sicon on topic Re: Firewall not blocking (2850)
the firewall works logically top down
You need the Block rule at the top with action "Block unless further match"
Then put your pass rule under it.
It works as we have mitels etc that need similar settings
- lesd
- Topic Author
- Offline
- Member
- Posts: 130
- Thank yous received: 0
10 Dec 2013 11:31 #78456
by lesd
Les
Replied by lesd on topic Re: Firewall not blocking (2850)
I must say I find that very counter-intuitive, but I have reversed the order of the two rules and changed 'Block Immediately' to 'Block if no further match' and we will see what happens.
What I do not understand is why my way does not work.
My Pass Immediately rule should pass the SIP ports for the specified IPs only and the next rule should block those SIP ports from any other source.
Les
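To make the two orderings discussed above concrete, here is an added first-match simulation of the rule semantics sicon describes (top-down walk, "Immediately" actions stop the walk, "if no further match" actions only apply when nothing later matches). It is not DrayTek code and not from the thread; the Anveo group, PBX address and sample packets are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (not the real provider's IPs or the poster's LAN).
ANVEO_GROUP = {"203.0.113.10", "203.0.113.11", "203.0.113.12",
               "203.0.113.13", "203.0.113.14"}
PBX = "192.168.1.50"
# Service type group 'SIP' from the thread: dest 5060 and 10000-20000, TCP/UDP.
SIP_PORTS = [(5060, 5060), (10000, 20000)]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    name: str
    src: Optional[set]   # None means 'Any'
    dst: Optional[str]   # None means 'Any'
    ports: list          # (low, high) destination-port ranges
    action: str          # pass_now | block_now | pass_if_no_match | block_if_no_match

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src in self.src)
                and (self.dst is None or p.dst == self.dst)
                and any(lo <= p.dport <= hi for lo, hi in self.ports))

def evaluate(rules, p: Packet, default="pass"):
    """Walk rules top-down; return (verdict, name of the rule that decided it)."""
    pending = None
    for r in rules:
        if not r.matches(p):
            continue
        if r.action in ("pass_now", "block_now"):
            return r.action.split("_")[0], r.name          # decided immediately
        pending = ("pass" if r.action == "pass_if_no_match" else "block", r.name)
    return pending if pending else (default, "default")   # deferred verdict or default

# lesd's original order: pass the Anveo group immediately, then block SIP from anyone.
ORIGINAL_ORDER = [Rule("2 pass Anveo", ANVEO_GROUP, None, SIP_PORTS, "pass_now"),
                  Rule("3 block SIP", None, None, SIP_PORTS, "block_now")]
# sicon's order: block-if-no-further-match on SIP to the PBX first, pass rule under it.
SICON_ORDER = [Rule("2 block SIP to PBX", None, PBX, SIP_PORTS, "block_if_no_match"),
               Rule("3 pass Anveo", ANVEO_GROUP, None, SIP_PORTS, "pass_now")]

def verdicts(rules):
    samples = {"trunk": Packet("203.0.113.10", PBX, 5060),   # provider signalling
               "probe": Packet("198.51.100.7", PBX, 5060),   # unauthorised scanner
               "rtp":   Packet("203.0.113.12", PBX, 12000),  # provider media
               "web":   Packet("198.51.100.7", PBX, 443)}    # not a SIP port
    return {k: evaluate(rules, v)[0] for k, v in samples.items()}
```

In this pure rule-order model both orderings pass the provider and block the probe, which is consistent with lesd's later report that reversing the rules made no difference. The model covers only the filter walk, not how the router treats port-forwarded traffic, which the thread does not resolve.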
- lesd
- Topic Author
- Offline
- Member
- Posts: 130
- Thank yous received: 0
10 Dec 2013 11:43 #78457
by lesd
Les
Replied by lesd on topic Re: Firewall not blocking (2850)
Just checked my PBX log and 3 and 5 minutes after I made the change I still had attack entries logged, so port 5060 connections are still getting through from unauthorised source IPs.
Les
- sicon
- Offline
- Contributor
- Posts: 642
- Thank yous received: 0
10 Dec 2013 13:05 #78462
by sicon
Replied by sicon on topic Re: Firewall not blocking (2850)
- lesd
- Topic Author
- Offline
- Member
- Posts: 130
- Thank yous received: 0
10 Dec 2013 18:09 #78465
by lesd
Replied by lesd on topic Re: Firewall not blocking (2850)
Your example is basically the same as I have except for rule 3 I have Destination IP as 'All' while you have 'PBX Switch'.
sicon wrote: Do you have any other rules in the Data Filter
Yes. I have 3 further independent rules in the same filter set relating to controlling DNS lookups (restricted to OpenDNS for all PCs other than my mail server). Is that a problem? Should they go in a different filter set?
Les