Configuring Firewall Rules

The Firewall table lets you configure up to 50 firewall rules, which define network traffic filtering rules (access list) for incoming (ingress) traffic. The access list offers the following firewall possibilities:

Blocking traffic from known malicious sources
Allowing traffic only from known "friendly" sources, while blocking all other traffic
Mixing allowed and blocked network sources
Limiting traffic to a user-defined rate (blocking the excess)
Limiting traffic to specific protocols and specific port ranges on the device

For each packet received on the IP network interface, the device searches the table from top to bottom until the first matching rule is found. The matched rule can permit (allow) or deny (block) the packet. Once a rule in the table is located, subsequent rules further down the table are ignored. If the end of the table is reached without a match, the packet is accepted.

The rules configured by the Firewall table apply to a very low-level network layer and overrides all other security-related configuration. Thus, if you have configured higher-level security features (e.g., on the Application level), you must also configure firewall rules to permit this necessary traffic. For example, if you have configured IP addresses to access the device's Web and Telnet management interfaces in the Management Access List table (see Configuring Management Access List), you must configure a firewall rule that permits traffic from these IP addresses.
You can configure firewall rules only if you are a Security Administrator or Master level user.
The device supports dynamic firewall pinholes for media (RTP/RTCP) traffic negotiated in the SDP offer-answer of SIP calls. The pinhole allows the device to ignore its firewall and accept the traffic on the negotiated port. The device automatically closes the pinhole once the call terminates. Therefore, it is unnecessary to configure specific firewall rules to allow traffic through specific ports. For example, if you have configured a firewall rule to block all media traffic in the port range 6000 to 7000 and a call is negotiated to use the local port 6010, the device automatically opens port 6010 to allow the call.
Setting the 'Prefix Length' field to 0 means that the rule applies to all packets, regardless of the defined IP address in the 'Source IP' field. Thus, it is highly recommended to set the parameter to a value other than 0.
It is recommended to add a rule at the end of your table that blocks all traffic and to add firewall rules above it that allow required traffic (with bandwidth limitations). To block all traffic, use the following firewall rule:
Source IP: 0.0.0.0
Prefix Length: 0 (i.e., rule matches all IP addresses)
Start Port - End Port: 0-65535
Protocol: Any
Action Upon Match: Block
The Firewall table supports up to 500 IP addresses (manually configured IP addresses or DNS-resolved IP addresses).
If the device needs to communicate with AudioCodes OVOC, you must also add rules to allow incoming traffic from OVOC. For more information, see Configuring Firewall Rules to Allow Incoming OVOC Traffic.

The following procedure describes how to configure firewall rules through the Web interface. You can also configure it through ini file [AccessList] or CLI (configure network > access-list).

To configure a firewall rule:
1. Open the Firewall table (Setup menu > IP Network tab > Security folder> Firewall).
2. On the table's toolbar, click New to add the row at the next available index number, or select a row before which you want to add the row and then click Insert; the following dialog box appears:

3. Configure a firewall rule according to the parameters described in the table below.
4. Click Apply, and then restart the device with a save-to-flash for your settings to take effect.

Firewall Table Parameter Descriptions

Parameter

Description

Match

'Index'

Defines an index number for the new table row.

Note: Each row must be configured with a unique index.

'Description'

description

[AccessList_Description]

Defines an arbitrary name to easily identify the row.

'Source IP'

source-ip

[AccessList_Source_IP]

Defines the IP address (or DNS name) or a specific host name of the source network from where the device receives the incoming packet.

The default is 0.0.0.0.

'DNS Query Type'

dns-query-type

[AccessList_DnsQueryType]

Defines the DNS query (request) type used by the device to query the DNS server to resolve the domain name into an IP address(es). This is applicable only if you have configured the 'Source IP' parameter with an FQDN.

[1] A = (Default) The device performs an A-record DNS query, which is resolved into an IPv4 address(es).
[2] AAAA = The device performs an AAAA-record DNS query, which is resolved into an IPv6 address(es).
[3] CNAME A = The device performs a canonical name A-record query, which is resolved into an IPv4 address(es). A CNAME query is followed by an A-record address query and the resultant IP address is used.
[4] CNAME AAAA = The device performs a canonical name query, which is resolved into an IPv6 address(es). A CNAME query is followed by an AAAA-record address query and the resultant IP address is used.
[5] SRV A = The device performs an SRV A-record query, which is resolved into an IPv4 address(es). An SRV query is followed by an A-record address query and the resultant IP address is used. The firewall rule is active only if all the hostnames received from the SRV query were successfully resolved.
[6] SRV AAAA = The device performs an SRV AAAA-record query, which is resolved into an IPv6 address(es). An SRV query is followed by an AAAA-record address query and the resultant IP address is used. The firewall rule is active only if all the hostnames received from the SRV query were successfully resolved.

Note:

For DNS resolutions, you also need to configure a DNS server:
Third-party (external) DNS server: If you select an IP Interface for the firewall rule (see the 'Interface Name' parameter below), the device uses the DNS server configured for the IP Interface.
Device's integrated DNS server: You can configure domain name to IP address mapping in the device's Internal DNS table (see Configuring the Internal DNS Table) and Internal SRV table (see Configuring the Internal SRV Table).
The device performs DNS resolution periodically (i.e., resolved addresses are not persistent).
You can do an nslookup to query the DNS server to obtain domain name or IP address mapping, using the CLI command nslookup.

'Source Port'

src-port

[AccessList_Source_Port]

Defines the source UDP/TCP ports of the remote host from where the device receives the incoming packet.

The valid range is 0 to 65535. The default is 0.

Note:

When set to 0, this field is ignored and any source port matches the rule.
The source ports used for outgoing TCP and TLS connections are not configurable and are dynamically determined by the device in the range of 32,768-61,000.

'Prefix Length'

prefixLen

[AccessList_PrefixLen]

Defines the IP network mask (prefix length) of the IP address configured in the 'Source IP' parameter (above).

IPv4: 0-32. For example:
A value of 8 corresponds to IPv4 subnet class A (network mask of 255.0.0.0).
A value of 16 corresponds to IPv4 subnet class B (network mask of 255.255.0.0).
A value of 24 corresponds to IPv4 subnet class C (network mask of 255.255.255.0).
A value of 32 represents a single host (i.e., the specific IPv4 address configured in the 'Source IP' parameter).
IPv6: 0-128. For example:
A value of 64 corresponds to subnet xxxx:xxxx:xxxx:xxxx::.
A value of 128 represents a single host (i.e., the specific IPv6 address configured in the 'Source IP' parameter).

The default is 32. A value of 0 means that the rule applies to all packets.

The IP address of the sender of the incoming packet is trimmed in accordance with the prefix length (in bits) and then compared to the parameter ‘Source IP’.

Note:

A value of 0 applies to all packets, regardless of the configured IP address (in the 'Source IP' parameter). Therefore, you must configure the parameter to a value other than 0.
The parameter is mandatory.

'Start Port'

start-port

[AccessList_Start_Port]

Defines the first UDP/TCP port in the range of ports on the device on which the incoming packet is received. From the perspective of the remote IP entity, this is the destination port. To configure the last port in the range, see the 'End Port' parameter (below).

The valid range is 0 to 65535. The default is 0.

Note: When the protocol type isn't TCP or UDP, the entire range must be provided.

'End Port'

end-port

[AccessList_End_Port]

Defines the last UDP/TCP port in the range of ports on the device on which the incoming packet is received. From the perspective of the remote IP entity, this is the destination port. To configure the first port in the range, see the 'Start Port' parameter (above).

The valid range is 0 to 65535. The default is 65535.

Note: When the protocol type isn't TCP or UDP, the entire range must be provided.

'Protocol'

protocol

[AccessList_Protocol]

Defines the protocol type (e.g., UDP, TCP, ICMP, ESP or Any) or the IANA protocol number in the range of 0 (Any) to 255.

The default is Any.

Note:

The parameter also accepts the string value "HTTP", which implies selection of the TCP or UDP protocols and the appropriate port numbers as defined on the device.
To specify SIP ports, configure rules with the UDP and TCP protocols for the required SIP Interfaces.

'Use Specific Interface'

use-specific-interface

[AccessList_Use_Specific_Interface]

Defines if you want to apply the rule to all IP interfaces or only a specific IP interface, configured in the IP Interfaces table (see Configuring IP Network Interfaces). In other words, the rule applies to packets that are received from the configured IP address ('Source IP' parameter) and received on this IP interface(s).

[0] Disable = The rule applies to all IP Interfaces.
[1] Enable = (Default) The rule applies to a specific IP Interface only, which you assign using the 'Interface Name' parameter (below).

'Interface Name'

network-interface-name

[AccessList_Interface_x]

Assigns an IP Interface (see Configuring IP Network Interfaces) to the rule.

By default, no value is defined.

Note: The parameter is applicable only if you configure the 'Use Specific Interface' parameter (above) to Enable.

Action

 

'Action Upon Match'

allow-type

[AccessList_Allow_Type]

Defines the firewall action if the rule is matched.

Allow = (Default) Permits the packets.
Block = Rejects the packets

'Packet Size'

packet-size

[AccessList_Packet_Size]

Defines the maximum allowed packet size.

The valid range is 0 to 65535. The default is 0.

Note: When filtering fragmented IP packets, this parameter relates to overall (re-assembled) packet size (and not to the size of each fragment).

'Byte Rate'

byte-rate

[AccessList_Byte_Rate]

Defines the expected traffic rate (bytes per second). This is the allowed bandwidth for the specified protocol.

The default is 0.

In addition to this parameter, the 'Burst Bytes' parameter provides additional allowance such that momentary bursts of data may utilize more than the configured byte rate, without being interrupted.

For example, if 'Byte Rate' is configured to 40000 and 'Burst Bytes' to 50000, then this implies the following: the allowed bandwidth is 40000 bytes/sec with extra allowance of 50000 bytes. If, for example, the actual traffic rate is 45000 bytes/sec, this allowance would be consumed within 10 seconds, after which all traffic exceeding the allocated 40000 bytes/sec is dropped. If the actual traffic rate then slowed to 30000 bytes/sec, the allowance would be replenished within 5 seconds.

'Burst Bytes'

byte-burst

[AccessList_Byte_Burst]

Defines the tolerance of traffic rate limit (number of bytes).

The default is 0.

Statistics

'Match Count'

[AccessList_MatchCount]

(Read-only) Displays the number of packets accepted or rejected by the rule.

The table below provides an example of configured firewall rules:

Configuration Example of Firewall Rules

Parameter

Firewall Rule

 

1

2

3

4

5

'Source IP'

12.194.231.76

12.194.230.7

0.0.0.0

192.0.0.0

0.0.0.0

'Prefix Length'

16

16

0

8

0

'Start Port and End Port'

0-65535

0-65535

0-65535

0-65535

0-65535

'Protocol'

Any

Any

icmp

Any

Any

'Use Specific Interface'

Enable

Enable

Disable

Enable

Disable

'Interface Name'

WAN

WAN

None

Voice-Lan

None

'Byte Rate'

0

0

40000

40000

0

'Burst Bytes'

0

0

50000

50000

0

'Action Upon Match'

Allow

Allow

Allow

Allow

Block

The firewall rules in the above configuration example do the following:

Rules 1 and 2: Typical firewall rules that allow packets ONLY from specified IP addresses (e.g., proxy servers). Note that the prefix length is configured.
Rule 3: A more "advanced” firewall rule - bandwidth rule for ICMP, which allows a maximum bandwidth of 40,000 bytes/sec with an additional allowance of 50,000 bytes. If, for example, the actual traffic rate is 45,000 bytes/sec, then this allowance would be consumed within 10 seconds, after which all traffic exceeding the allocated 40,000 bytes/sec is dropped. If the actual traffic rate then slowed to 30,000 bytes/sec, the allowance would be replenished within 5 seconds.
Rule 4: Allows traffic from the LAN voice interface and limits bandwidth.
Rule 5: Blocks all other traffic.