
Sophos 110 UTM 9.6 VoIP/SIP Traffic to sipgate.de always "Default DROP UDP ... ", why? But no rule defined in Firewall for SIP.

Hi all,

I have a really weird problem ... 

My Settings:

  • SOPHOS 110/120/100, rev. 5
    • Network Protection -> VoIP
      • SIP Server Networks:    sipgate.de
      • SIP Clients Networks:    Fritzbox 7170 
    • Network Protection -> H.323
      • H323 Gatekeeper:    sipgate.de
      • H323 Client:    Fritzbox 7170

Phones settings

All phones are connected to the fritzbox and they all can call each other

My Network

  • IPphone1 (192.168.0.130) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM Internal Network LAN (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) --> Cable Modem (192.168.0.1)
  • IPphone2 (192.168.0.131) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM Internal Network LAN  (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) -->  Cable Modem (192.168.0.1) 
  • IPphone3 (192.168.0.122) --> Fritzbox 7170 (192.168.0.10) --> Sophos UTM  Internal Network LAN (192.168.0.3) --> Sophos External Network WAN (192.168.0.2) --> Cable Modem (192.168.0.1)

Phones can call each other, but outbound and inbound calls do not work.

When I look into the live window of the firewall, I get the following:

00:09:02 Default DROP UDP 192.168.0.132 : 1030  → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:02 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:04 Default DROP UDP 192.168.0.131 : 40033 → 90.187.19.113 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:04 Default DROP UDP 192.168.0.132 : 1030  → 5.103.139.163 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:05 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:08 Default DROP UDP 192.168.0.131 : 57318 → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:08 Default DROP UDP 192.168.0.132 : 1030  → 46.227.200.24 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.131 : 47787 → 46.227.200.24 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.132 : 1030  → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:09 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:10 Default DROP UDP 192.168.0.131 : 36717 → 5.103.139.163 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:10 Default DROP UDP 192.168.0.132 : 1030  → 5.103.139.163 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:11 Default DROP UDP 192.168.0.131 : 49787 → 176.9.9.197   : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:11 Default DROP UDP 192.168.0.132 : 1030  → 46.227.200.24 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:12 Default DROP UDP 192.168.0.131 : 41692 → 178.63.9.110  : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:12 Default DROP UDP 192.168.0.132 : 1030  → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4
00:09:13 Default DROP UDP 192.168.0.131 : 53473 → 90.187.7.5    : 123   len=76 ttl=62 tos=0x00 srcmac=00:15:0c:b9:2e:da dstmac=00:1a:8c:14:8c:c4

The documentation of the firewall says that if I correctly fill in the fields under:

  • "Network protection -> VoIP ->SIP"

and

  • "Network protection -> VoIP -> H.323"

there is no need for extra rules in the firewall.

Nevertheless, I tried it with separate firewall rules:

  • Fritzbox <-- Any --> Sipgate

But no different result.

What am I missing or doing wrong?

Any help highly appreciated!

:-)



    Hi Folks,

    happy new year! :-)

    I am still stuck with this issue. Port 5060 is still in default drop.

    A little excerpt from my firewall log, by using:

    iptables --list

    Could anybody have a look and help me with why the SIP stuff is not working?!

    The rules sipgate -> fritzbox and fritzbox -> sipgate do not work.

    Result is:

    $ iptables --list

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
    CONFIRMED all -- anywhere anywhere ctstate RELATED
    HA_IN all -- anywhere anywhere
    LOCKOUT all -- anywhere anywhere
    PSD_MATCH all -- anywhere anywhere
    SANITY_CHECKS all -- anywhere anywhere
    AUTO_INPUT all -- anywhere anywhere
    USR_INPUT all -- anywhere anywhere
    LOGDROP all -- anywhere anywhere LOGMARK match 60001

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
    RELATED_FWD all -- anywhere anywhere ctstate RELATED
    PSD_MATCH all -- anywhere anywhere
    AUTO_FORWARD all -- anywhere anywhere
    USR_FORWARD all -- anywhere anywhere
    LOGDROP all -- anywhere anywhere LOGMARK match 60002

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    LOGDROP tcp -- !loopback/8 anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60005
    LOGDROP tcp -- !loopback/8 anywhere tcp spts:tcpmux:65535 dpt:https LOGMARK match 60005
    LOGDROP tcp -- anywhere db_host.local tcp dpt:4472 owner UID match loginuser
    LOCAL_RESTAPI tcp -- anywhere anywhere tcp dpt:exlm-agent
    LOCAL_RESTAPI tcp -- anywhere anywhere tcp dpt:dashpas-port
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere !base-address.mcast.net/4 CONFIRMED match
    CONFIRMED all -- anywhere anywhere ctstate RELATED
    CONFIRMED all -- anywhere anywhere -m condition --condition "OUTPUT_ACCEPT_ALL" owner UID match root owner GID match root
    HA_OUT all -- anywhere anywhere
    SANITY_CHECKS all -- anywhere anywhere
    AUTO_OUTPUT all -- anywhere anywhere
    USR_OUTPUT all -- anywhere anywhere
    LOGDROP all -- anywhere anywhere LOGMARK match 60003

    Chain AUTO_FORWARD (1 references)
    target prot opt source destination
    LOGACCEPT tcp -- sipgate.de fritzbox policy match dir out pol none tcp spts:tcpmux:65535 dpt:sip LOGMARK match 3000000001 ctorigdst 192.168.1.0/24
    LOGACCEPT udp -- sipgate.de fritzbox policy match dir out pol none udp spts:tcpmux:65535 dpt:sip LOGMARK match 3000000001 ctorigdst 192.168.1.0/24
    CONFIRMED icmp -- anywhere anywhere
    CONFIRMED tcp -- fritzbox sipgate.de policy match dir out pol none tcp spts:tcpmux:65535 dpt:sip
    CONFIRMED udp -- fritzbox sipgate.de policy match dir out pol none udp spts:tcpmux:65535 dpt:sip
    CONFIRMED tcp -- fritzbox sipgate.de policy match dir out pol none tcp spts:tcpmux:65535 dpts:h323gatestat:h323hostcall
    CONFIRMED udp -- fritzbox sipgate.de policy match dir out pol none udp spts:tcpmux:65535 dpts:h323gatestat:h323hostcall

    Chain AUTO_INPUT (1 references)
    target prot opt source destination
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:ssh
    LOGDROP tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:ssh LOGMARK match 60004
    LOGACCEPT tcp -- 192.168.0.0/24 anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60006
    LOGDROP tcp -- anywhere anywhere tcp spts:1024:65535 dpt:webadmin LOGMARK match 60005
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:https
    CONFIRMED udp -- anywhere anywhere udp spts:bootps:bootpc dpt:bootps
    CONFIRMED tcp -- anywhere anywhere match-set 2EyHlbvaXfpWyUi5y6i3jQ src tcp spts:domain:65535 dpt:domain
    CONFIRMED udp -- anywhere anywhere match-set 2EyHlbvaXfpWyUi5y6i3jQ src udp spts:domain:65535 dpt:domain
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:domain:65535 dpt:domain
    CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:domain:65535 dpt:domain
    CONFIRMED icmp -- anywhere anywhere
    CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:ntp:65535 dpt:ntp
    LOGDROP tcp -- anywhere anywhere tcp spts:tcpmux:65535 multiport dports smtp,smtps,submission
    CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:1024:65535 dpt:snmp
    CONFIRMED all -- anywhere anywhere mark match 0x40000/0x40000

    Chain AUTO_OUTPUT (1 references)
    target prot opt source destination
    REJECT tcp -- anywhere ec2-23-20-91-175.compute-1.amazonaws.com tcp dpt:https reject-with icmp-port-unreachable
    CONFIRMED udp -- anywhere anywhere udp spt:bootps dpts:bootps:bootpc
    CONFIRMED icmp -- anywhere anywhere icmptype 8 code 0
    CONFIRMED tcp -- anywhere anywhere tcp spts:domain:65535 dpt:domain
    CONFIRMED udp -- anywhere anywhere udp spts:domain:65535 dpt:domain
    CONFIRMED udp -- anywhere anywhere udp spt:domain dpts:domain:65535
    CONFIRMED udp -- anywhere anywhere udp spts:1024:65535 multiport dports 33000:34000,44444:55555
    CONFIRMED udp -- anywhere anywhere match-set rdLSiyrZbR7zRa1shBcsmQ dst udp spts:ntp:65535 dpt:ntp
    CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 multiport dports smtp,smtps,submission
    CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:http
    CONFIRMED tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:https
    CONFIRMED tcp -- anywhere mail.schnetter.com tcp spts:tcpmux:65535 dpt:smtp
    CONFIRMED tcp -- anywhere a104-111-246-175.deploy.static.akamaitechnologies.com tcp spts:tcpmux:65535 dpt:https owner UID match dehydrated owner GID match dehydrated

    Chain GEOIP_OUT (0 references)
    target prot opt source destination

    Chain GEOIP_REJECT (0 references)
    target prot opt source destination
    REJECT tcp -- anywhere anywhere reject-with tcp-reset
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain HA_IN (1 references)
    target prot opt source destination
    CONFIRMED all -- anywhere anywhere

    Chain HA_OUT (1 references)
    target prot opt source destination
    CONFIRMED all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere ! cluster id 1 master

    Chain INVALID_PKT (0 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere LOGMARK match 60007 nflog-prefix "INVALID_PKT: "
    DROP all -- anywhere anywhere

    Chain LOCAL_RESTAPI (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere owner UID match root
    ACCEPT all -- anywhere anywhere owner UID match loginuser
    DROP all -- anywhere anywhere

    Chain LOCKOUT (1 references)
    target prot opt source destination
    RETURN all -- 192.168.0.0/24 anywhere
    LOGDROP all -- anywhere anywhere recent: CHECK seconds: 600 name: LOCKOUT side: source mask: 255.255.255.255 LOGMARK match 60023

    Chain LOGACCEPT (3 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere nflog-prefix "ACCEPT: "
    CONFIRMED all -- anywhere anywhere

    Chain LOGDROP (10 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere nflog-prefix "DROP: "
    DROP all -- anywhere anywhere

    Chain LOGREJECT (2 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere nflog-prefix "REJECT: "
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain MULTIPATH_DROP (0 references)
    target prot opt source destination

    Chain PSD_ACTION (0 references)
    target prot opt source destination

    Chain PSD_MATCH (2 references)
    target prot opt source destination

    Chain RELATED_FWD (1 references)
    target prot opt source destination
    NFLOG all -- anywhere anywhere helper match "sip" LOGMARK match 60018 nflog-prefix "SIP Call RTP: "
    CONFIRMED all -- anywhere anywhere

    Chain SANITY_CHECKS (2 references)
    target prot opt source destination

    Chain STRICT_TCP_DROP (0 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain STRICT_TCP_STATE (0 references)
    target prot opt source destination

    Chain USR_FORWARD (1 references)
    target prot opt source destination
    REJECT tcp -- anywhere google-public-dns-a.google.com tcp spts:tcpmux:65535 dpt:domain reject-with icmp-port-unreachable
    REJECT udp -- anywhere google-public-dns-a.google.com udp spts:tcpmux:65535 dpt:domain reject-with icmp-port-unreachable
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 dpt:domain
    CONFIRMED udp -- 192.168.0.0/24 anywhere udp spts:tcpmux:65535 dpt:domain
    CONFIRMED tcp -- 192.168.0.0/24 192.168.1.0/24 tcp spts:tcpmux:65535 multiport dports nntp,nntps
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports 8090,8005,http-alt,pcsync-https,8447,ssh,11022,5900
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports smtps,imaps,imap,pop3,smtp,pop3s
    CONFIRMED tcp -- 192.168.0.0/24 anywhere tcp spts:tcpmux:65535 multiport dports http-alt,http,ndl-aas,https
    LOGREJECT all -- 192.168.1.0/24 192.168.0.0/24 LOGMARK match 10
    LOGREJECT all -- 192.168.0.0/24 192.168.1.0/24 LOGMARK match 11

    Chain USR_INPUT (1 references)
    target prot opt source destination

    Chain USR_OUTPUT (1 references)
    target prot opt source destination

     

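Added example, not part of the thread: a small Python triage script that parses the "Default DROP" live-log lines from the first post and checks each flow against a model of the outbound rules in the AUTO_FORWARD chain of the posted `iptables --list`. Assumptions, labelled in the code: the `sipgate.de` object is modelled as 217.10.68.152/32 (the destination in the log; the UTM's real `sipgate.de` network definition may differ), `fritzbox` is 192.168.0.10 as in the network diagram, and the service names printed by iptables map to the standard ports (sip 5060, h323gatestat 1719, h323hostcall 1720). The sample log lines are copied from the post; the last one, with destination port 5060, is constructed as a control. What the run makes visible is already in the two posts, only hard to see by eye: the Fritzbox's dropped packets go to UDP port 10000, while every listed SIP rule matches only `dpt:sip`, and the phones' NTP requests to port 123 have no forward rule in the listing at all.

```python
"""Triage Sophos UTM 'Default DROP' live-log lines against a model of the
AUTO_FORWARD rules shown by `iptables --list`.

Added example, not part of the forum thread. Assumptions are marked ASSUMPTION.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Service names as printed by `iptables --list`, resolved the way /etc/services does.
SERVICES = {"sip": 5060, "h323gatestat": 1719, "h323hostcall": 1720, "ntp": 123}


@dataclass(frozen=True)
class Flow:
    time: str
    proto: str          # "tcp" or "udp"
    src: object         # IPv4Address
    sport: int
    dst: object         # IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str          # "tcp", "udp" or "all"
    src: object         # IPv4Network
    dst: object         # IPv4Network
    dports: tuple       # (low, high), inclusive

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("all", f.proto)
                and f.src in self.src and f.dst in self.dst
                and self.dports[0] <= f.dport <= self.dports[1])


# One live-log line: "HH:MM:SS Default DROP UDP src : sport → dst : dport len=..."
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+Default DROP\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+)\s*:\s*(?P<sport>\d+)\s*(?:→|->)\s*"
    r"(?P<dst>[\d.]+)\s*:\s*(?P<dport>\d+)\b"
)


def parse_drop(line: str) -> Optional[Flow]:
    """Return the 5-tuple of a Default DROP line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["time"], m["proto"].lower(), ip_address(m["src"]), int(m["sport"]),
                ip_address(m["dst"]), int(m["dport"]))


FRITZBOX = ip_network("192.168.0.10/32")    # from the post's network diagram
SIPGATE = ip_network("217.10.68.152/32")    # ASSUMPTION: the sipgate.de object, taken from the log


def auto_forward_rules() -> list:
    """Outbound fritzbox -> sipgate.de rules of chain AUTO_FORWARD as listed in the post."""
    rules = []
    for proto in ("tcp", "udp"):
        rules.append(Rule("fritzbox -> sipgate.de dpt:sip", proto, FRITZBOX, SIPGATE,
                          (SERVICES["sip"], SERVICES["sip"])))
        rules.append(Rule("fritzbox -> sipgate.de dpts:h323gatestat:h323hostcall", proto,
                          FRITZBOX, SIPGATE, (SERVICES["h323gatestat"], SERVICES["h323hostcall"])))
    return rules


def first_match(flow: Flow, rules) -> Optional[Rule]:
    return next((r for r in rules if r.matches(flow)), None)


def triage(lines, rules) -> list:
    """For every Default DROP line, state whether any modelled rule covers that flow."""
    out = []
    for line in lines:
        f = parse_drop(line)
        if f is None:
            continue
        r = first_match(f, rules)
        verdict = (f"covered by '{r.name}' -> check rule order / object definitions" if r
                   else "no listed rule matches this proto/src/dst/dport")
        out.append((f, verdict))
    return out


def summarize(lines, rules) -> Counter:
    """Count dropped flows by (proto, src, dst, dport, covered?) so the pattern stands out."""
    c = Counter()
    for f, _ in triage(lines, rules):
        c[(f.proto, str(f.src), str(f.dst), f.dport, first_match(f, rules) is not None)] += 1
    return c


# Lines 1-5 are copied from the post; line 6 is CONSTRUCTED as a control with dport 5060.
SAMPLE_LOG = """\
00:09:02 Default DROP UDP 192.168.0.132 : 1030  → 185.134.197.4 : 123   len=76 ttl=62 tos=0x00
00:09:02 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00
00:09:04 Default DROP UDP 192.168.0.131 : 40033 → 90.187.19.113 : 123   len=76 ttl=62 tos=0x00
00:09:05 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00
00:09:09 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 10000 len=56 ttl=63 tos=0x00
00:09:09 Default DROP UDP 192.168.0.10  : 5060  → 217.10.68.152 : 5060  len=56 ttl=63 tos=0x00
""".splitlines()

if __name__ == "__main__":
    rules = auto_forward_rules()
    for f, verdict in triage(SAMPLE_LOG, rules):
        print(f"{f.time} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}: {verdict}")
    for key, n in summarize(SAMPLE_LOG, rules).most_common():
        print(n, key)
```

The model covers the outbound direction only. Two things in the listing are worth checking separately with the real object definitions rather than with this script: the inbound `sipgate.de -> fritzbox` rules carry `ctorigdst 192.168.1.0/24`, while every host in the post lives in 192.168.0.0/24, and the `sipgate.de` object itself must actually contain the addresses that show up as drop destinations in the live log.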