Define VoIP Traffic Firewall Rules

When the source IP addresses of legitimate peers (e.g., SIP proxy servers) are known, it's recommended to define VoIP firewall rules that allow calls or packets only from those networks and block all traffic from elsewhere. Rules can be defined per source IP address, port, protocol, and network IP interface. An incoming packet that does not come from a source allowed by the firewall is discarded.

Below is a list of recommended guidelines when configuring the VoIP firewall:

Add firewall rules per network interface: It's recommended to configure firewall rules for packets received on the OAMP interface and on each SIP Control interface (configured in the IP Interfaces table), i.e., with 'Use Specific Interface' set to Enable and the interface named. A less recommended alternative is to define a single rule that applies to all interfaces (by setting the 'Use Specific Interface' parameter to Disable).
Define bandwidth limitation per rule: For each IP network interface, it's advised to configure a rate-limiting value (byte rate, burst bytes and maximum packet size). Bandwidth limitation prevents flooding of your network and so helps mitigate attacks such as DoS against the device on each network.
Define rules as specific as possible: Define the rules as narrowly as possible (source network, port range, protocol, interface) so that they allow only the intended traffic.
Add an ICMP firewall rule: ICMP is typically used for pinging. However, attackers can flood a network address with ICMP packets or send oversized ones. Therefore, it's recommended to define a rate-limiting rule for ICMP traffic.
Add a rule to block all traffic: You must define a firewall rule that blocks all incoming traffic (i.e., all protocols from all source IP addresses and ports on all interfaces). Rules are evaluated in table order, so this rule must be the last rule in the table; the rules above it that allow specific traffic are then matched first (otherwise, all traffic is blocked).
If the 'Prefix Length' field on the Firewall Settings page is set to "0", the rule will apply to all IP addresses, regardless of whether an IP address is specified in the 'Source IP' field. Thus, if you need to apply a rule to a specific IP address, make sure that you also set the 'Prefix Length' field to a value other than "0".
The device provides built-in firewall rules that allow High Availability (HA) traffic between Active and Redundant devices on the Maintenance network interface.

The Layer 3-4 VoIP traffic firewall rules are configured in the Firewall table (Setup menu > IP Network tab > Security folder > Firewall). The following table shows a configuration example of firewall rules:

Configuration Example of Firewall Rules in the Firewall Table

Parameter                  | Index 1       | Index 2       | Index 3  | Index 4   | Index 5
---------------------------|---------------|---------------|----------|-----------|--------
Match                      |               |               |          |           |
'Source IP'                | 12.194.231.76 | 12.194.230.7  | 0.0.0.0  | 192.0.0.0 | 0.0.0.0
'Prefix Length'            | 16            | 16            | 0        | 8         | 0
'Start Port / End Port'    | 0-65535       | 0-65535       | 0-65535  | 0-65535   | 0-65535
'Protocol'                 | Any           | Any           | icmp     | Any       | Any
'Use Specific Interface'   | Enable        | Enable        | Disable  | Enable    | Disable
'Interface Name'           | WAN           | WAN           | None     | Voice     | None
Action                     |               |               |          |           |
'Byte Rate'                | 0             | 0             | 40000    | 40000     | 0
'Burst Bytes'              | 0             | 0             | 50000    | 50000     | 0
'Action Upon Match'        | Allow         | Allow         | Allow    | Allow     | Block

Index 1 and 2: Typical firewall rules that allow packets only from specified source addresses (e.g., proxy servers) on the WAN interface. Note that the prefix length is configured (a prefix length of 0 would match every address). With a prefix length of 16, each rule matches the whole 12.194.0.0/16 network rather than the single host; to restrict a rule to one host, set 'Prefix Length' to 32.
Index 3: A more "advanced" firewall rule: a bandwidth rule for ICMP on all interfaces (prefix length 0, so it applies to every source address), which allows a sustained rate of 40,000 bytes/sec with an additional burst allowance of 50,000 bytes. If, for example, the actual traffic rate is 45,000 bytes/sec, the allowance is consumed at the excess 5,000 bytes/sec and is exhausted within 10 seconds, after which all traffic exceeding the allocated 40,000 bytes/sec is dropped. If the actual traffic rate then slows to 30,000 bytes/sec, the allowance is replenished at 10,000 bytes/sec and is full again within 5 seconds.
Index 4: Allows traffic from the 192.0.0.0/8 network on the LAN Voice interface and limits its bandwidth in the same way.
Index 5: Blocks all other traffic. It must remain the last rule in the table.
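The following is an added example, not the device's own code or configuration syntax: a small Python model of an ordered, first-match firewall table with per-rule token-bucket policing, loaded with the five rules of the configuration example above. It reproduces the guidelines and the table walkthrough (prefix length 0 matching every address, the two /16 rules matching their whole networks, the block-all rule at the end, and the 40,000 bytes/sec + 50,000 byte burst arithmetic for Index 3). Everything about the matching and policing algorithm is an assumption made for the model: rules are evaluated top-down and the first match decides; 'Byte Rate' 0 means no limit; the policer is a token bucket of capacity 'Burst Bytes' that starts full and refills at 'Byte Rate' bytes per second; and a matched packet the bucket cannot cover is dropped rather than handed to the next rule. The sample traffic and the 198.51.100.9 address are constructed.

```python
# Added example: model of the Firewall table above (NOT the device's code).
# Assumed semantics: first match wins; token bucket per rule, capacity
# 'Burst Bytes', refill 'Byte Rate' bytes/sec, starts full; byte rate 0 =
# unlimited; a matched packet that exceeds its bucket is dropped.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    index: int
    source_ip: str
    prefix_len: int
    start_port: int
    end_port: int
    protocol: str                 # "any", "udp", "tcp" or "icmp"
    use_specific_interface: bool
    interface_name: Optional[str]
    byte_rate: int                # bytes per second, 0 = unlimited
    burst_bytes: int              # bucket capacity in bytes
    action: str                   # "allow" or "block"

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes   # bucket starts full (assumption)
        self.last_ms = 0                 # time of the last refill

    def matches(self, src_ip: str, port: int, proto: str, iface: str) -> bool:
        # Prefix length 0 matches every address, whatever 'Source IP' says.
        if self.prefix_len > 0:
            net = ip_network(f"{self.source_ip}/{self.prefix_len}", strict=False)
            if ip_address(src_ip) not in net:
                return False
        if not self.start_port <= port <= self.end_port:
            return False
        if self.protocol != "any" and self.protocol != proto:
            return False
        if self.use_specific_interface and self.interface_name != iface:
            return False
        return True

    def refill(self, now_ms: int) -> None:
        """Credit byte_rate bytes per second since the last refill, capped at burst_bytes."""
        if self.byte_rate:
            earned = self.byte_rate * (now_ms - self.last_ms) // 1000
            self.tokens = min(self.burst_bytes, self.tokens + earned)
        self.last_ms = now_ms

    def police(self, size: int, now_ms: int) -> bool:
        """True if the packet fits the bucket (and consumes it), False if it is dropped."""
        if self.byte_rate == 0:
            return True
        self.refill(now_ms)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def example_rules() -> List[Rule]:
    """The five rules of the configuration example, in table order."""
    return [
        Rule(1, "12.194.231.76", 16, 0, 65535, "any", True, "WAN", 0, 0, "allow"),
        Rule(2, "12.194.230.7", 16, 0, 65535, "any", True, "WAN", 0, 0, "allow"),
        Rule(3, "0.0.0.0", 0, 0, 65535, "icmp", False, None, 40000, 50000, "allow"),
        Rule(4, "192.0.0.0", 8, 0, 65535, "any", True, "Voice", 40000, 50000, "allow"),
        Rule(5, "0.0.0.0", 0, 0, 65535, "any", False, None, 0, 0, "block"),
    ]


Packet = Tuple[int, str, int, str, str, int]   # (t_ms, src_ip, port, proto, iface, size)


def decide(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (matching rule index, verdict) for one packet. The verdict is
    'allow', 'block', or 'drop' (matched an allow rule but exceeded its rate)."""
    t_ms, src, port, proto, iface, size = pkt
    for rule in rules:
        if rule.matches(src, port, proto, iface):
            if rule.action == "block":
                return rule.index, "block"
            return rule.index, ("allow" if rule.police(size, t_ms) else "drop")
    return None, "block"   # nothing matched: without an allow rule nothing passes


def first_drop_ms(rules: List[Rule], packets: List[Packet]) -> Optional[int]:
    """Timestamp of the first rate-limited drop in a packet stream, or None."""
    for pkt in packets:
        if decide(rules, pkt)[1] == "drop":
            return pkt[0]
    return None


def icmp_stream(bytes_per_sec: int, seconds: int, iface: str = "WAN") -> List[Packet]:
    """Constructed sample traffic: one ICMP packet every 10 ms from a host
    outside the two allowed /16 networks (documentation address)."""
    size = bytes_per_sec // 100
    return [(t, "198.51.100.9", 0, "icmp", iface, size)
            for t in range(10, seconds * 1000 + 1, 10)]


if __name__ == "__main__":
    rules = example_rules()
    # 45,000 bytes/sec of ICMP against rule 3 (40,000 bytes/sec + 50,000 burst)
    print("first rate-limited drop at", first_drop_ms(rules, icmp_stream(45000, 20)), "ms")
    print(decide(example_rules(), (0, "12.194.5.5", 5060, "udp", "WAN", 800)))
    print(decide(example_rules(), (0, "12.194.5.5", 5060, "udp", "Voice", 800)))
```

With the 45,000 bytes/sec stream the model reports its first drop at 9,930 ms, slightly before the 10 seconds of the continuous estimate in the walkthrough, because the first 10 ms refill is wasted against an already-full bucket and a 450-byte packet needs its whole size in credit. The second `decide` call shows the /16 caveat: 12.194.5.5 is not either listed host, yet it is allowed by rule 1. The third shows that the same source on the Voice interface falls through to the block-all rule.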