On 2021/04/02 07:58, Frank Wunderlich wrote:
> Is there a way to filter deeper into the protocol stack (SIP data, ignoring start registration traffic)?
There's this, on the SIP connection tracking helper:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
If that's not enough, you could look at queuing packets to a userspace
program that uses libnetfilter_queue:
https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
For an existing app, Google found:
http://genesysguru.com/blog/blog/2013/12/11/sip-interceptor/
which may or may not have morphed into
https://docs.rhino.metaswitch.com/ocdoc/books/sis-documentation/2.6.1/sis-administration-guide/managing-the-sis/managing-interceptors/index.html
Not sure that's available at reasonable cost and/or current.
Getting beyond my depth, but some other things you could look into:
* Maybe your pbx software has some filtering ability built in? (Thinking of something analogous to haproxy, but for SIP/RTP.)
Looking around:
FreePBX seems to have just a pre-configured iptables setup:
https://wiki.freepbx.org/display/FPG/Firewall
Asterisk / Sangoma recommends a session border controller (SBC):
https://www.sangoma.com/articles/voip-firewall/
* ... So it may be worth looking into using an SBC:
https://en.wikipedia.org/wiki/Session_border_controller
Maybe someone with more recent VoIP setup experience will have recommendations.
Best Wishes,
Frank M.
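Added example (not part of the thread above, and not code from the nftables or Asterisk projects) of the two things the reply points at: assigning the SIP conntrack helper only to traffic for one PBX port instead of enabling it globally, and queueing new inbound SIP flows to a userspace program with libnetfilter_queue that inspects the SIP request line before the packet reaches the PBX. Assumptions are marked in the code: the PBX address 192.0.2.10 is a placeholder, the ruleset is loaded through `nft -f -`, and the userspace side uses the third-party `NetfilterQueue` Python binding, which needs root and the nf_conntrack_sip module loaded.

```python
"""Restrict the SIP conntrack helper to one PBX and filter new SIP requests in userspace.
Example code, not taken from the original thread; all addresses are placeholders."""
import re
import subprocess

PBX_IP = "192.0.2.10"   # assumption: placeholder PBX address (TEST-NET-1)
SIP_PORT = 5060
QUEUE_NUM = 0

# Methods a well-behaved endpoint sends to a PBX; anything else on a new flow is dropped.
ALLOWED_METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "SUBSCRIBE", "NOTIFY"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (sips?:\S+) SIP/2\.0\r\n")


def build_ruleset(pbx_ip: str, sip_port: int, queue_num: int) -> str:
    """Return an nftables ruleset that:
    - attaches the 'sip' helper only to UDP flows towards the PBX SIP port
      (the helper then opens RTP expectations, matched by 'ct state related'),
    - sends the first packet of each new inbound SIP flow to nfqueue <queue_num>.
    The chain keeps policy accept so it composes with an existing firewall;
    'flags bypass' lets packets through if the userspace program is not running."""
    return f"""
table inet voip {{
    ct helper sip-udp {{
        type "sip" protocol udp
    }}
    chain helper_assign {{
        type filter hook prerouting priority 0; policy accept;
        ip daddr {pbx_ip} udp dport {sip_port} ct helper set "sip-udp"
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        ip daddr {pbx_ip} udp dport {sip_port} ct state new queue flags bypass to {queue_num}
    }}
}}
"""


def sip_verdict(payload: bytes) -> bool:
    """True if the UDP payload is a syntactically valid SIP request with an allowed method.
    A new inbound flow should start with a request, so responses and garbage are dropped."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return False
    return m.group(1).decode("ascii") in ALLOWED_METHODS


def run_queue(queue_num: int) -> None:
    """Bind to the nfqueue and apply sip_verdict to each queued IPv4/UDP packet."""
    # assumption: the 'NetfilterQueue' package (python bindings for libnetfilter_queue)
    from netfilterqueue import NetfilterQueue

    def handle(pkt):
        raw = pkt.get_payload()            # full IPv4 packet (ruleset only queues 'ip daddr')
        ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
        udp_payload = raw[ihl + 8:]        # skip the 8-byte UDP header
        if sip_verdict(udp_payload):
            pkt.accept()
        else:
            pkt.drop()

    q = NetfilterQueue()
    q.bind(queue_num, handle)
    try:
        q.run()
    finally:
        q.unbind()


if __name__ == "__main__":
    # Load the ruleset, then start filtering. Both steps need root.
    subprocess.run(["nft", "-f", "-"],
                   input=build_ruleset(PBX_IP, SIP_PORT, QUEUE_NUM).encode(),
                   check=True)
    run_queue(QUEUE_NUM)
```

Only the first packet of each new flow is queued here; once conntrack has seen the flow it matches `established` and bypasses the queue, so this filters who may start a SIP dialog rather than every message. Extending the verdict (for example checking the request URI domain or rate-limiting REGISTER per source) is a matter of adding logic to `sip_verdict`.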