This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos 110 UTM 9.6 VoIP/SIP Traffic to sipgate.de always "Default DROP UDP ... ", why? But no rule defined in Firewall for SIP.

Si Tso over 5 years ago

Hi all,

I have a really weird problem ...

My Settings:

SOPHOS 110/120/100, rev. 5
- Network Protection -> VoIP
  - SIP Server Networks: sipgate.de
  - SIP Clients Networks: Fritzbox 7170
- Network Protection -> H.323
  - H323 Gatekeeper: sipgate.de
  - H323 Client: Fritzbox 7170

Phones settings

All phones are connected to the fritzbox and they all can call each other

My Network

IPphone1 (192.168.0.130) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM Internal Network LAN (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) --> Cable Modem (192.168.0.1)
IPphone2 (192.168.0.131) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM Internal Network LAN (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) --> Cable Modem (192.168.0.1)
IPphone3 (192.168.0.122) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM Internal Network LAN (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) --> Cable Modem (192.168.0.1)

Phones can call each other, but outbound and inbound calls do not work.

When I look into live window from the firewall, I get the following:

00:09:02 Default DROP UDP 192.168.0.132 : 1030 → 185.134.197.4 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:02 Default DROP UDP 192.168.0.10 : 5060 → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:04 Default DROP UDP 192.168.0.131 : 40033 → 90.187.19.113 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:04 Default DROP UDP 192.168.0.132 : 1030 → 5.103.139.163 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:05 Default DROP UDP 192.168.0.10 : 5060 → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:08 Default DROP UDP 192.168.0.131 : 57318 → 185.134.197.4 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:08 Default DROP UDP 192.168.0.132 : 1030 → 46.227.200.24 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.131 : 47787 → 46.227.200.24 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.132 : 1030 → 185.134.197.4 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.10 : 5060 → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:10 Default DROP UDP 192.168.0.131 : 36717 → 5.103.139.163 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:10 Default DROP UDP 192.168.0.132 : 1030 → 5.103.139.163 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:11 Default DROP UDP 192.168.0.131 : 49787 → 176.9.9.197 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:11 Default DROP UDP 192.168.0.132 : 1030 → 46.227.200.24 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:12 Default DROP UDP 192.168.0.131 : 41692 → 178.63.9.110 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:12 Default DROP UDP 192.168.0.132 : 1030 → 185.134.197.4 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:13 Default DROP UDP 192.168.0.131 : 53473 → 90.187.7.5 : 123 len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4

The documentation of the fierwall says, that if I correctly fill the fields under:

"Network protection -> VoIP ->SIP"

and

"Network protection -> VoIP -> H3.23"

there is no need for extra rules in the firewall.

Nevertheless, I tried it with separate firewall rules:

Fritzbox <-- Any --> Sipgate

But no different result.

What I am I missing or doing wrong?

Any herlp highly appreciated!

:-)

This thread was automatically locked due to age.

0 Si Tso over 5 years ago
Hi Folks,

happy new year! :-)

I am still stuck with this issue. Ports 5060 are still in default drop

A little excerpt from my firewall log, by using:

iptable --list

Could anybody have a look and help me, why the sip stuff is not working?!

The rule sipgate -> fritzbox and fritzbox -> sipgate do not work.

Result is:

$ iptables --list

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
CONFIRMED all -- anywhere anywhere ctstate RELATED
HA_IN all -- anywhere anywhere
LOCKOUT all -- anywhere anywhere
PSD_MATCH all -- anywhere anywhere
SANITY_CHECKS all -- anywhere anywhere
AUTO_INPUT all -- anywhere anywhere
USR_INPUT all -- anywhere anywhere
LOGDROP all -- anywhere anywhere LOGMARK match 60001

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
RELATED_FWD all -- anywhere anywhere ctstate RELATED
PSD_MATCH all -- anywhere anywhere
AUTO_FORWARD all -- anywhere anywhere
USR_FORWARD all -- anywhere anywhere
LOGDROP all -- anywhere anywhere LOGMARK match 60002

Chain OUTPUT (policy DROP)
target prot opt source destination
LOGDROP tcp -- !loopback/8 anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60005
LOGDROP tcp -- !loopback/8 anywhere tcp spts:tcpmux:65535 dpt:https LOGMARK match 60005
LOGDROP tcp -- anywhere db_host.local tcp dpt:4472 owner UID match loginuser
LOCAL_RESTAPI tcp -- anywhere anywhere tcp dpt:exlm-agent
LOCAL_RESTAPI tcp -- anywhere anywhere tcp dpt:dashpas-port
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
CONFIRMED all -- anywhere anywhere ctstate RELATED
CONFIRMED all -- anywhere anywhere -m condition --condition "OUTPUT_ACCEPT_ALL" owner UID match root owner GID match root
HA_OUT all -- anywhere anywhere
SANITY_CHECKS all -- anywhere anywhere
AUTO_OUTPUT all -- anywhere anywhere
USR_OUTPUT all -- anywhere anywhere
LOGDROP all -- anywhere anywhere LOGMARK match 60003

Chain AUTO_FORWARD (1 references)
target prot opt source destination
LOGACCEPT tcp -- sipgate.de fritzbox policy match dir out pol none tcp spts:tcpmux:65535 dpt:sip LOGMARK match 3000000001 ctorigdst 192.168.1.0/24
LOGACCEPT udp -- sipgate.de fritzbox policy match dir out pol none udp spts:tcpmux:65535 dpt:sip LOGMARK match 3000000001 ctorigdst 192.168.1.0/24
CONFIRMED icmp -- anywhere anywhere
CONFIRMED tcp -- fritzbox sipgate.de policy match dir out pol none tcp spts:tcpmux:65535 dpt:sip
CONFIRMED udp -- fritzbox sipgate.de policy match dir out pol none udp spts:tcpmux:65535 dpt:sip
CONFIRMED tcp -- fritzbox sipgate.de policy match dir out pol none tcp spts:tcpmux:65535 dpts:h323gatestat:h323hostcall
CONFIRMED udp -- fritzbox sipgate.de policy match dir out pol none udp spts:tcpmux:65535 dpts:h323gatestat:h323hostcall

Chain AUTO_INPUT (1 references)
target prot opt source destination
CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:ssh
LOGDROP tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:ssh LOGMARK match 60004
LOGACCEPT tcp -- 192.168.0.0/24 anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60006
LOGDROP tcp -- anywhere anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60005
CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:https
CONFIRMED udp -- anywhere anywhere udp spts:bootps:bootpc dpt:bootps
CONFIRMED tcp -- anywhere anywhere match-set 2EyHlbvaXfpWyUi5y6i3jQ src tcp spts:domain:65535 dpt:domain
CONFIRMED udp -- anywhere anywhere match-set 2EyHlbvaXfpWyUi5y6i3jQ src udp spts:domain:65535 dpt:domain
CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:domain:65535 dpt:domain
CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:domain:65535 dpt:domain
CONFIRMED icmp -- anywhere anywhere
CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:ntp:65535 dpt:ntp
LOGDROP tcp -- anywhere anywhere tcp spts:tcpmux:65535 multiport dports smtp,smtps,submission
CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:1024:65535 dpt:snmp
CONFIRMED all -- anywhere anywhere mark match 0x40000/0x40000

Chain AUTO_OUTPUT (1 references)
target prot opt source destination
REJECT tcp -- anywhere ec2-23-20-91-175.compute-1.amazonaws.com tcp dpt:https reject-with icmp-port-unreachable
CONFIRMED udp -- anywhere anywhere udp spt:bootps dpts:bootps:bootpc
CONFIRMED icmp -- anywhere anywhere icmptype 8 code 0
CONFIRMED tcp -- anywhere anywhere tcp spts:domain:65535 dpt:domain
CONFIRMED udp -- anywhere anywhere udp spts:domain:65535 dpt:domain
CONFIRMED udp -- anywhere anywhere udp spt:domain dpts:domain:65535
CONFIRMED udp -- anywhere anywhere udp spts:1024:65535 multiport dports 33000:34000,44444:55555
CONFIRMED udp -- anywhere anywhere match-set rdLSiyrZbR7zRa1shBcsmQ dst udp spts:ntp:65535 dpt:ntp
CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 multiport dports smtp,smtps,submission
CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:http
CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:https
CONFIRMED tcp -- anywhere mail.schnetter.com tcp spts:tcpmux:65535 dpt:smtp
CONFIRMED tcp -- anywhere a104-111-246-175.deploy.static.akamaitechnologies.com tcp spts:tcpmux:65535 dpt:https owner UID match dehydrated owner GID match dehydrated

Chain GEOIP_OUT (0 references)
target prot opt source destination

Chain GEOIP_REJECT (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain HA_IN (1 references)
target prot opt source destination
CONFIRMED all -- anywhere anywhere

Chain HA_OUT (1 references)
target prot opt source destination
CONFIRMED all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ! cluster id 1 master

Chain INVALID_PKT (0 references)
target prot opt source destination
NFLOG all -- anywhere anywhere LOGMARK match 60007 nflog-prefix "INVALID_PKT: "
DROP all -- anywhere anywhere

Chain LOCAL_RESTAPI (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner UID match loginuser
DROP all -- anywhere anywhere

Chain LOCKOUT (1 references)
target prot opt source destination
RETURN all -- 192.168.0.0/24 anywhere
LOGDROP all -- anywhere anywhere recent: CHECK seconds: 600 name: LOCKOUT side: source mask: 255.255.255.255 LOGMARK match 60023

Chain LOGACCEPT (3 references)
target prot opt source destination
NFLOG all -- anywhere anywhere nflog-prefix "ACCEPT: "
CONFIRMED all -- anywhere anywhere

Chain LOGDROP (10 references)
target prot opt source destination
NFLOG all -- anywhere anywhere nflog-prefix "DROP: "
DROP all -- anywhere anywhere

Chain LOGREJECT (2 references)
target prot opt source destination
NFLOG all -- anywhere anywhere nflog-prefix "REJECT: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain MULTIPATH_DROP (0 references)
target prot opt source destination

Chain PSD_ACTION (0 references)
target prot opt source destination

Chain PSD_MATCH (2 references)
target prot opt source destination

Chain RELATED_FWD (1 references)
target prot opt source destination
NFLOG all -- anywhere anywhere helper match "sip" LOGMARK match 60018 nflog-prefix "SIP Call RTP: "
CONFIRMED all -- anywhere anywhere

Chain SANITY_CHECKS (2 references)
target prot opt source destination

Chain STRICT_TCP_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain STRICT_TCP_STATE (0 references)
target prot opt source destination

Chain USR_FORWARD (1 references)
target prot opt source destination
REJECT tcp -- anywhere google-public-dns-a.google.com tcp spts:tcpmux:65535 dpt:domain reject-with icmp-port-unreachable
REJECT udp -- anywhere google-public-dns-a.google.com udp spts:tcpmux:65535 dpt:domain reject-with icmp-port-unreachable
CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:domain
CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:tcpmux:65535 dpt:domain
CONFIRMED tcp -- 192.168.0.0/24 192.168.1.0/24 tcp spts:tcpmux:65535 multiport dports nntp,nntps
CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports 8090,8005,http-alt,pcsync-https,8447,ssh,11022,5900
CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports smtps,imaps,imap,pop3,smtp,pop3s
CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports http-alt,http,ndl-aas,https
LOGREJECT all -- 192.168.1.0/24 192.168.0.0/24 LOGMARK match 10
LOGREJECT all -- 192.168.0.0/24 192.168.1.0/24 LOGMARK match 11

Chain USR_INPUT (1 references)
target prot opt source destination

Chain USR_OUTPUT (1 references)
target prot opt source destination
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago

Hallo and welcome to the UTM Community!

Please show a picture of your Interface definitions and one of 'Allowed Networks' in 'Network Services >> NTP'.

Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file. Please post two lines corresponding to the first two in your opening post above.

Do you learn anything from doing #1 in Rulz?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Si Tso over 5 years ago in reply to BAlfson

H

i Bob,

I will have a look at the "Rulz" [1] and will reply later.

=)

[1]
Do you learn anything from doing #1 in Rulz?
Cancel
Vote Up 0 Vote Down

Cancel