Our new VoIP provider has provided a list of “required firewall rules”. There is a group of outgoing rules that are as such:
Allow all outgoing traffic to a selection of IPs, on TCP ports 80 and 443, and UDP ports 3478-3479.
First of all, wouldn’t outgoing traffic naturally be allowed? I suppose the IPS could potentially block this if the traffic happens to match an activated rule. Maybe these “required rules” are to mitigate any potential issues with IPFire blocking the outgoing traffic.
When I create such a rule, would SOURCE be Firewall:ALL or Standard Networks:ANY?
I have created host and service groups to account for the IPs, ports and protocols, so I’m pretty confident on the DESTINATION.
I’m assuming I would not need to activate NAT for such a rule?
If you are using the default settings of Allowed for Forward and Outgoing on the Firewall Options WUI page, then yes, all that traffic would be allowed, as all traffic going out is allowed.
For production systems, I would strongly advise against using ‘ALL’ or ‘ANY’ rules, except in special cases.
As Adolf mentioned, in the initial setup, outbound connections are generally permitted.
This is fine for a quick start or for testing purposes, but for production systems I generally recommend not leaving this setting enabled, instead set the ‘Default firewall behaviour’ to BLOCKED in the ‘Firewall Options’ and create a rule for each desired connection.
Otherwise, you have absolutely no control over which client establishes which connection to where. And that control is, after all, the whole point of a firewall.
Your first outbound rule should then look like this:
‘Source/Source address (IP/MAC address or IP network):’ ENTER-THE-IP-ADDRESS-OF-THE-TELEPHONE-SYSTEM-HERE.
‘Destination/Destination address (IP/MAC address or IP network):’ ENTER-THE-IP-ADDRESS-OF-THE-TELEPHONE-PROVIDER-HERE.
‘Protocol:’ TCP, ‘Destination port:’ 80,443
And your second rule should look like this:
‘Source/Source address (IP/MAC address or IP network):’ ENTER-THE-IP-ADDRESS-OF-THE-TELEPHONE-SYSTEM-HERE.
‘Destination/Destination address (IP/MAC address or IP network):’ ENTER-THE-IP-ADDRESS-OF-THE-TELEPHONE-PROVIDER-HERE.
‘Protocol:’ UDP, ‘Destination port:’ 3478,3479
If you do not have a telephone system/PBX but have several telephones, create a ‘Host’ for each telephone under the ‘Firewall Groups/Hosts’ menu item, add these hosts to a new ‘Network/Host Group’, and enter this Host Group under ‘Source/Groups’ in your firewall rules.
If your IP telephony provider operates several servers or an entire network, create a ‘Network’ or a ‘Network/Host Group’ under the ‘Firewall Groups/Networks’ menu item and enter it under ‘Destination/Networks:’ or under ‘Destination/Groups:’.
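As an added illustration (not code from IPFire or from either poster), the following models the policy described in this answer: default outbound behaviour BLOCKED, plus the two explicit rules from a host group of telephones to the provider's network. The phone addresses and the provider range are constructed sample values, and the function names are assumptions made for this example.

```python
# Added example, not IPFire's own code: a small model of the rule table above
# with default outbound behaviour BLOCKED and two explicit allow rules.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sources: tuple        # Source/Groups: host group of telephones
    destinations: tuple   # Destination/Networks or Groups: provider addresses
    protocol: str         # "tcp" or "udp"
    ports: frozenset      # allowed destination ports

def _in_any(ip, networks):
    """True if ip falls inside any of the given hosts or networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

# Constructed sample values; substitute your own phones and provider ranges.
PHONES = ("192.168.1.10", "192.168.1.11")   # Firewall Groups/Hosts -> Host Group
PROVIDER = ("203.0.113.0/24",)              # Firewall Groups/Networks (documentation range)

RULES = (
    Rule(PHONES, PROVIDER, "tcp", frozenset({80, 443})),          # first rule: TCP 80,443
    Rule(PHONES, PROVIDER, "udp", frozenset(range(3478, 3480))),  # second rule: UDP 3478-3479
)

def forward_allowed(src, dst, protocol, dport, default_blocked=True):
    """Return True if a flow src -> dst (protocol, dport) is permitted.

    default_blocked=True mirrors 'Default firewall behaviour: BLOCKED';
    default_blocked=False mirrors the initial 'Allowed' setting, where
    every outbound flow passes regardless of the rule table.
    """
    for r in RULES:
        if (r.protocol == protocol.lower() and dport in r.ports
                and _in_any(src, r.sources) and _in_any(dst, r.destinations)):
            return True
    return not default_blocked
```

With BLOCKED as the default, a laptop outside the host group, a phone talking to a non-provider address, or a phone using an unlisted port all fail, which is exactly the control the answer describes.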