In advance: absolute noob here, thanks for any help and your patience ^^.
I am trying to configure a server behind a Sophos UTM 9 that needs to be able to send and receive RTP on ports 30000-33000. The problem I have is that incoming traffic gets blocked by fwrule 60001. I understand that this traffic is blocked because no request has been sent outbound from the server to the host.
What is your advice for configuring this? I understand I could just DNAT the ports and be done, but I don't know whether this would be right, and whether there is a more restrictive way to make this work.
Also, besides your recommendations: we have signalling on a specific port. Is it possible to make a rule like "if I send to a client on port x, then this client is allowed to send RTP and STUN to ports 30000-33000 of my server"?
The clients that connect do so via WebRTC in the browser or WebRTC/IceLink from mobile phones, with custom signalling for the browser and SIP via IceLink from mobile.
Thank you in advance,
Hello Bim and welcome to the UTM Community!
Is this a VoIP server? Are the inbound packets sent from a small range of IPs belonging to your VoIP provider?
Cheers - Bob
Thanks for your reply. It is a FreeSWITCH, and no, the clients can basically be any browser on the internet or a mobile app over mobile networks. Additionally, it is the Binding Requests (STUN) from TURN servers that try to offer their services.
I would look on the websites of those products for their suggestions about configuring firewalls to work with them.
OK thanks, that's also in the works ^^
Can you tell me if there is a possibility to configure the following (from my initial question):
Bim Tertulies said: "Also, besides your recommendations: we have signalling on a specific port. Is it possible to make a rule like 'if I send to a client on port x, then this client is allowed to send RTP and STUN to ports 30000-33000 of my server'?"
I'm not sure I "see" what you're proposing, Bim. You can make a DNAT that sends a range of ports to your server. You could also limit that DNAT to traffic coming from specific IPs.