[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Minimal Firewall Port set in H460.18/19 config



On Fri, May 4, 2012 at 12:07 PM, Florian von Kurnatowski <florian.von.kurnatowski@xxxxxxxxx> wrote:
Hi Jan,

thanks for the quick reply. The usecase here is different; this is to allow an external, Internet-based Endpoint to register with a central gatekeeper located in a DMZ. So for the purposes of firewall configuration, it's an inbound connection that needs to be clearly defined.

What is the minimum actual port list that you would recommend for the various parameters?

By default, with EnableH46018=1 and RTPMultiplexing=1, gnugk will use:

UDP 1719 (H.225 RAS)
TCP 1720 (H.225 CS)
UDP 3000 (RTP)
UDP 3001 (RTCP)

However, if you specify things yourself, you can change things to act more like a Tandberg VCS:

UDP 1719 (H.225 RAS)
TCP 2776 (H.225 CS)
UDP 2776 (RTP)
UDP 2777 (RTCP)

Like this:

[Gatekeeper::Main]
UnicastRasPort=1719

[RoutedMode]
CallSignalPort=2776
EnableH46018=1

[Proxy]
Enable=1
RTPMultiplexing=1
RTPMultiplexPort=2776
RTCPMultiplexPort=2777

The key thing that cannot be changed is that 1719, unless you specify DNS SRV records, and have endpoints and gateways that honor them.

If your endpoint and other neighboring gatekeepers honor DNS SRV records, you can change the 1719 above and below as well:


Note: You are only specifying the destination ports here.  The source ports used by your endpoint on the source side depend on whether the endpoint supports bi-directional multiplexing (Tandberg (Cisco) endpoints do not, but Spranto does, for example).

Most firewalls typically only concern themselves of destination ports and allowing the establishment of new stateful streams based solely on those destination ports. Beyond that point, they retain TCP handshaking state and remember UDP "pinhole" state to allow return traffic.

Some firewalls, particularly Juniper, act more like ACLs, and admins typically restrict source ports as well as destination 
ports on those.

When you talk with a Juniper firewall administrator, it is important that you also specify the source port range that your endpoints may use to originate ephemeral ports for TCP connections and UDP streams.

For example, Tandberg (Cisco) phones typically use a different source port range when configured as "static" vs "dynamic":


Dynamic:

 The system will allocate which ports to use when opening a TCP connection. The reason for doing this is to avoid using the same ports for subsequent calls, as some firewalls consider this as a sign of attack. When Dynamic is selected, the H.323 ports used are from 11000 to 20999. Once 20999 is reached they restart again at 11000. For RTP and RTCP media data, the system is using UDP ports in the range 2326 to 2487. Each media channel is using two adjacent ports, ie 2330 and 2331 for RTP and RTCP respectively. The ports are automatically selected by the system within the given range. Firewall administrators should not try to deduce which ports are used when, as the allocation schema within the mentioned range may change without any further notice.

Because of this, it is critical to discuss both "direction" and "source" or "destination" with respect to ports, or confusion will arise.

--
- Ian Blenke <ian@xxxxxxxxxx> http://ian.blenke.com
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/

[SIP]     [Open H.323]     [Gnu Gatekeeper]     [Asterisk PBX]     [ISDN Cause Codes]     [Singles Community]     [Yosemite News]

Add to Google Powered by Linux