We are looking to add some SIP-related functionality to VyOS;
it will not be a full-featured SoftSwitch; rather, it will be some basic, useful functionality:
- SIP bot brute-force protection for PBX/SoftSwitch
- NAT helper
It would be great to hear some feedback from the community; not all of us use VoIP, but most probably many of us do.
Well, I'm interested; I can share some firewall-related code and will test this functionality when it's ready.
I have (almost) the following code in my self-made iptables script:
# $ipset and $iptables are set earlier in the script; the fallbacks below are an assumption
ipset=${ipset:-ipset}
iptables=${iptables:-iptables}
# address sets: banned sources, our own PBX/SoftSwitch addresses, trusted sources
$ipset create siphackers hash:net
$ipset create oursipservers hash:ip
$ipset create sipwhitelist hash:ip
# dedicated chain, flushed so the script can be re-run
$iptables -N FWKillSipHackers
$iptables -F FWKillSipHackers
# trusted sources always pass, already banned sources are dropped
$iptables -A FWKillSipHackers -m set --match-set sipwhitelist src -j ACCEPT
$iptables -A FWKillSipHackers -m set --match-set siphackers src -j DROP
# a SIP REGISTER on UDP/5060 records a hit for the source in the "SIP" recent list
$iptables -A FWKillSipHackers -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --set --name SIP --rsource
# two or more hits within 10 seconds: add the source to the ban set (the SET target is non-terminating)
$iptables -A FWKillSipHackers -p udp --dport 5060 -m recent --update --seconds 10 --hitcount 2 --name SIP -j SET --add-set siphackers src
$iptables -A FWKillSipHackers -m state --state ESTABLISHED,RELATED -j ACCEPT
# any other new UDP/5060 packet also counts as a hit
$iptables -A FWKillSipHackers -p udp --dport 5060 -m recent --set --name SIP
$iptables -A FWKillSipHackers -j RETURN
# only forwarded traffic destined to our own SIP servers goes through the chain
$iptables -I FORWARD -m set --match-set oursipservers dst -j FWKillSipHackers
It bans forever everybody who is not listed in the whitelist AND sends more than 2 registration attempts in 10 seconds.
NB: it requires the iptables recent module, so the iptables extensions should be available.
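To make the rule semantics in the post above concrete, here is an added simulation (not the poster's script and not VyOS code) of the whitelist, the per-source hit list with --seconds 10 --hitcount 2, and the permanent ban set, run over constructed traffic; it models one recorded hit per REGISTER and leaves out conntrack state and the trailing --set. It also shows that a phone answering a 401 digest challenge re-sends REGISTER within the 10 s window and is banned unless whitelisted, and that the triggering packet itself is not dropped because the SET target does not terminate the chain.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # --seconds 10
HITCOUNT = 2          # --hitcount 2
LIST_SIZE = 20        # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address


class SipRegisterGuard:
    """Per-packet verdict of chain FWKillSipHackers for UDP/5060 traffic to the PBX."""

    def __init__(self, whitelist):
        self.whitelist = set(whitelist)      # ipset "sipwhitelist"
        self.banned = set()                  # ipset "siphackers" (entries never expire)
        self.stamps = defaultdict(deque)     # recent list "SIP": src -> hit timestamps

    def handle(self, now, src, is_register):
        if src in self.whitelist:
            return "ACCEPT"                  # rule 1: whitelist wins
        if src in self.banned:
            return "DROP"                    # rule 2: already in siphackers
        if is_register:                      # rule 3: string match + recent --set
            self.stamps[src].append(now)
            if len(self.stamps[src]) > LIST_SIZE:
                self.stamps[src].popleft()
        # rule 4: --update --seconds 10 --hitcount 2 -> SET --add-set siphackers
        hits = sum(1 for ts in self.stamps.get(src, ()) if now - ts <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            self.banned.add(src)
            self.stamps[src].append(now)     # a matching --update also records a hit
        # SET is non-terminating: this packet still reaches RETURN; the ban only
        # bites from the next packet of that source onwards.
        return "RETURN"


def run_scenario():
    """Constructed traffic (RFC 5737 addresses) as (time in s, src, is REGISTER?)."""
    guard = SipRegisterGuard(whitelist={"192.0.2.10"})
    traffic = [
        (0.0, "203.0.113.5", True), (0.4, "203.0.113.5", True), (0.8, "203.0.113.5", True),  # scanner burst
        (0.0, "198.51.100.7", True), (3600.0, "198.51.100.7", True),  # phone refreshing hourly
        (5.0, "198.51.100.8", True), (5.2, "198.51.100.8", True), (6.0, "198.51.100.8", False),  # 401 challenge reply
        (0.0, "192.0.2.10", True), (0.4, "192.0.2.10", True), (0.8, "192.0.2.10", True),  # whitelisted peer
    ]
    verdicts = defaultdict(list)
    for now, src, is_register in sorted(traffic):
        verdicts[src].append(guard.handle(now, src, is_register))
    return dict(verdicts), guard.banned
```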
In SIP terms I don't know if that is really needed. Typically, when most people purchase a SIP trunk for any business, they should really place an SBC inside the network to receive the SIP trunk, terminate it then and there, and resend it internally. By using SSL certs in the device/VM, this works the same as a reverse proxy for SIP and allows for the most secure SIP scenarios I've seen yet, and they don't need any firewall or NAT configuration (usually).
An example of a good but free one (one each) to test with is EasySBC. They offer ESXi OVF deployment as well, which helps for testing.
You are correct.
We looked into 2 scenarios:
The first one is an assisted media proxy (you put your router as the outbound proxy).
The second one is a dumb PBX (simple extensions, rewrite tools, in/out SIP trunk).
Of course there are a lot of PBXs out there, but when you bootstrap an office, it's great to have something simple.