
Sophos 110 UTM 9.6 VoIP/SIP Traffic to sipgate.de always "Default DROP UDP ... ", why? But no rule defined in Firewall for SIP.

Hi all,

I have a really weird problem ... 

My Settings:

  • SOPHOS 110/120/100, rev. 5
    • Network Protection -> VoIP
      • SIP Server Networks:    sipgate.de
      • SIP Clients Networks:    Fritzbox 7170 
    • Network Protection -> H.323
      • H323 Gatekeeper:    sipgate.de
      • H323 Client:    Fritzbox 7170

Phones settings

All phones are connected to the fritzbox and they all can call each other

My Network

  • IPphone1 (192.168.0.130) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM Internal Network LAN (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) --> Cable Modem (192.168.0.1)
  • IPphone2 (192.168.0.131) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM Internal Network LAN (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) --> Cable Modem (192.168.0.1)
  • IPphone3 (192.168.0.122) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM Internal Network LAN (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) --> Cable Modem (192.168.0.1)

Phones can call each other, but outbound and inbound calls do not work.

When I look into the live window of the firewall, I get the following:

00:09:02 Default DROP UDP 192.168.0.132 : 1030  → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:02 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:04 Default DROP UDP 192.168.0.131 : 40033 → 90.187.19.113 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:04 Default DROP UDP 192.168.0.132 : 1030  → 5.103.139.163 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:05 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:08 Default DROP UDP 192.168.0.131 : 57318 → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:08 Default DROP UDP 192.168.0.132 : 1030  → 46.227.200.24 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.131 : 47787 → 46.227.200.24 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.132 : 1030  → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:10 Default DROP UDP 192.168.0.131 : 36717 → 5.103.139.163 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:10 Default DROP UDP 192.168.0.132 : 1030  → 5.103.139.163 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:11 Default DROP UDP 192.168.0.131 : 49787 → 176.9.9.197   : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:11 Default DROP UDP 192.168.0.132 : 1030  → 46.227.200.24 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:12 Default DROP UDP 192.168.0.131 : 41692 → 178.63.9.110  : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:12 Default DROP UDP 192.168.0.132 : 1030  → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:13 Default DROP UDP 192.168.0.131 : 53473 → 90.187.7.5    : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4

The documentation of the firewall says that if I correctly fill in the fields under:

  • "Network protection -> VoIP ->SIP"

and

  • "Network protection -> VoIP -> H.323"

there is no need for extra rules in the firewall.

Nevertheless, I tried it with separate firewall rules:

  • Fritzbox <-- Any --> Sipgate

But no different result.

What am I missing or doing wrong?

Any help highly appreciated!

:-)

  • Hi Folks,

    happy new year! :-)

    I am still stuck with this issue. Port 5060 is still in default drop.

    A little excerpt from my firewall log, by using:

    iptables --list

    Could anybody have a look and help me with why the SIP stuff is not working?!

    The rules sipgate -> fritzbox and fritzbox -> sipgate do not work.

    Result is:

    $ iptables --list

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
    CONFIRMED all -- anywhere anywhere ctstate RELATED
    HA_IN all -- anywhere anywhere
    LOCKOUT all -- anywhere anywhere
    PSD_MATCH all -- anywhere anywhere
    SANITY_CHECKS all -- anywhere anywhere
    AUTO_INPUT all -- anywhere anywhere
    USR_INPUT all -- anywhere anywhere
    LOGDROP all -- anywhere anywhere LOGMARK match 60001

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
    RELATED_FWD all -- anywhere anywhere ctstate RELATED
    PSD_MATCH all -- anywhere anywhere
    AUTO_FORWARD all -- anywhere anywhere
    USR_FORWARD all -- anywhere anywhere
    LOGDROP all -- anywhere anywhere LOGMARK match 60002

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    LOGDROP tcp -- !loopback/8 anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60005
    LOGDROP tcp -- !loopback/8 anywhere tcp spts:tcpmux:65535 dpt:https LOGMARK match 60005
    LOGDROP tcp -- anywhere db_host.local tcp dpt:4472 owner UID match loginuser
    LOCAL_RESTAPI tcp -- anywhere anywhere tcp dpt:exlm-agent
    LOCAL_RESTAPI tcp -- anywhere anywhere tcp dpt:dashpas-port
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
    CONFIRMED all -- anywhere anywhere ctstate RELATED
    CONFIRMED all -- anywhere anywhere -m condition --condition "OUTPUT_ACCEPT_ALL" owner UID match root owner GID match root
    HA_OUT all -- anywhere anywhere
    SANITY_CHECKS all -- anywhere anywhere
    AUTO_OUTPUT all -- anywhere anywhere
    USR_OUTPUT all -- anywhere anywhere
    LOGDROP all -- anywhere anywhere LOGMARK match 60003

    Chain AUTO_FORWARD (1 references)
    target prot opt source destination
    LOGACCEPT tcp -- sipgate.de fritzbox policy match dir out pol none tcp spts:tcpmux:65535 dpt:sip LOGMARK match 3000000001 ctorigdst 192.168.1.0/24
    LOGACCEPT udp -- sipgate.de fritzbox policy match dir out pol none udp spts:tcpmux:65535 dpt:sip LOGMARK match 3000000001 ctorigdst 192.168.1.0/24
    CONFIRMED icmp -- anywhere anywhere
    CONFIRMED tcp -- fritzbox sipgate.de policy match dir out pol none tcp spts:tcpmux:65535 dpt:sip
    CONFIRMED udp -- fritzbox sipgate.de policy match dir out pol none udp spts:tcpmux:65535 dpt:sip
    CONFIRMED tcp -- fritzbox sipgate.de policy match dir out pol none tcp spts:tcpmux:65535 dpts:h323gatestat:h323hostcall
    CONFIRMED udp -- fritzbox sipgate.de policy match dir out pol none udp spts:tcpmux:65535 dpts:h323gatestat:h323hostcall

    Chain AUTO_INPUT (1 references)
    target prot opt source destination
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:ssh
    LOGDROP tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:ssh LOGMARK match 60004
    LOGACCEPT tcp -- 192.168.0.0/24 anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60006
    LOGDROP tcp -- anywhere anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60005
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:https
    CONFIRMED udp -- anywhere anywhere udp spts:bootps:bootpc dpt:bootps
    CONFIRMED tcp -- anywhere anywhere match-set 2EyHlbvaXfpWyUi5y6i3jQ src tcp spts:domain:65535 dpt:domain
    CONFIRMED udp -- anywhere anywhere match-set 2EyHlbvaXfpWyUi5y6i3jQ src udp spts:domain:65535 dpt:domain
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:domain:65535 dpt:domain
    CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:domain:65535 dpt:domain
    CONFIRMED icmp -- anywhere anywhere
    CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:ntp:65535 dpt:ntp
    LOGDROP tcp -- anywhere anywhere tcp spts:tcpmux:65535 multiport dports smtp,smtps,submission
    CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:1024:65535 dpt:snmp
    CONFIRMED all -- anywhere anywhere mark match 0x40000/0x40000

    Chain AUTO_OUTPUT (1 references)
    target prot opt source destination
    REJECT tcp -- anywhere ec2-23-20-91-175.compute-1.amazonaws.com tcp dpt:https reject-with icmp-port-unreachable
    CONFIRMED udp -- anywhere anywhere udp spt:bootps dpts:bootps:bootpc
    CONFIRMED icmp -- anywhere anywhere icmptype 8 code 0
    CONFIRMED tcp -- anywhere anywhere tcp spts:domain:65535 dpt:domain
    CONFIRMED udp -- anywhere anywhere udp spts:domain:65535 dpt:domain
    CONFIRMED udp -- anywhere anywhere udp spt:domain dpts:domain:65535
    CONFIRMED udp -- anywhere anywhere udp spts:1024:65535 multiport dports 33000:34000,44444:55555
    CONFIRMED udp -- anywhere anywhere match-set rdLSiyrZbR7zRa1shBcsmQ dst udp spts:ntp:65535 dpt:ntp
    CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 multiport dports smtp,smtps,submission
    CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:http
    CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:https
    CONFIRMED tcp -- anywhere mail.schnetter.com tcp spts:tcpmux:65535 dpt:smtp
    CONFIRMED tcp -- anywhere a104-111-246-175.deploy.static.akamaitechnologies.com tcp spts:tcpmux:65535 dpt:https owner UID match dehydrated owner GID match dehydrated

    Chain GEOIP_OUT (0 references)
    target prot opt source destination

    Chain GEOIP_REJECT (0 references)
    target prot opt source destination
    REJECT tcp -- anywhere anywhere reject-with tcp-reset
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain HA_IN (1 references)
    target prot opt source destination
    CONFIRMED all -- anywhere anywhere

    Chain HA_OUT (1 references)
    target prot opt source destination
    CONFIRMED all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere ! cluster id 1 master

    Chain INVALID_PKT (0 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere LOGMARK match 60007 nflog-prefix "INVALID_PKT: "
    DROP all -- anywhere anywhere

    Chain LOCAL_RESTAPI (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere owner UID match root
    ACCEPT all -- anywhere anywhere owner UID match loginuser
    DROP all -- anywhere anywhere

    Chain LOCKOUT (1 references)
    target prot opt source destination
    RETURN all -- 192.168.0.0/24 anywhere
    LOGDROP all -- anywhere anywhere recent: CHECK seconds: 600 name: LOCKOUT side: source mask: 255.255.255.255 LOGMARK match 60023

    Chain LOGACCEPT (3 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere nflog-prefix "ACCEPT: "
    CONFIRMED all -- anywhere anywhere

    Chain LOGDROP (10 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere nflog-prefix "DROP: "
    DROP all -- anywhere anywhere

    Chain LOGREJECT (2 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere nflog-prefix "REJECT: "
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain MULTIPATH_DROP (0 references)
    target prot opt source destination

    Chain PSD_ACTION (0 references)
    target prot opt source destination

    Chain PSD_MATCH (2 references)
    target prot opt source destination

    Chain RELATED_FWD (1 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere helper match "sip" LOGMARK match 60018 nflog-prefix "SIP Call RTP: "
    CONFIRMED all -- anywhere anywhere

    Chain SANITY_CHECKS (2 references)
    target prot opt source destination

    Chain STRICT_TCP_DROP (0 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain STRICT_TCP_STATE (0 references)
    target prot opt source destination

    Chain USR_FORWARD (1 references)
    target prot opt source destination
    REJECT tcp -- anywhere google-public-dns-a.google.com tcp spts:tcpmux:65535 dpt:domain reject-with icmp-port-unreachable
    REJECT udp -- anywhere google-public-dns-a.google.com udp spts:tcpmux:65535 dpt:domain reject-with icmp-port-unreachable
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:domain
    CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:tcpmux:65535 dpt:domain
    CONFIRMED tcp -- 192.168.0.0/24 192.168.1.0/24 tcp spts:tcpmux:65535 multiport dports nntp,nntps
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports 8090,8005,http-alt,pcsync-https,8447,ssh,11022,5900
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports smtps,imaps,imap,pop3,smtp,pop3s
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports http-alt,http,ndl-aas,https
    LOGREJECT all -- 192.168.1.0/24 192.168.0.0/24 LOGMARK match 10
    LOGREJECT all -- 192.168.0.0/24 192.168.1.0/24 LOGMARK match 11

    Chain USR_INPUT (1 references)
    target prot opt source destination

    Chain USR_OUTPUT (1 references)
    target prot opt source destination

     

  • Hallo and welcome to the UTM Community!

    Please show a picture of your Interface definitions and one of 'Allowed Networks' in 'Network Services >> NTP'.

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post two lines corresponding to the first two in your opening post above.

    Do you learn anything from doing #1 in Rulz?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,
     
    I will have a look at the "Rulz" [1] and will reply later.
    =)
     
    [1]
    Do you learn anything from doing #1 in Rulz?