Created a set of Vyatta rules to block all traffic from Pacific Rim nations. I usually do this as a matter of course with firewalls with customers. To get the addresses I combed through IANA's database.
The first set of rules should be the earliest rules in the rule set applied inbound on your outside interface.
set firewall name INBOUND rule 5 action drop
set firewall name INBOUND rule 5 source address 202.0.0.0/7
set firewall name INBOUND rule 5 log enable
set firewall name INBOUND rule 6 action drop
set firewall name INBOUND rule 6 source address 210.0.0.0/8
set firewall name INBOUND rule 6 log enable
set firewall name INBOUND rule 7 action drop
set firewall name INBOUND rule 7 source address 218.0.0.0/7
set firewall name INBOUND rule 7 log enable
set firewall name INBOUND rule 8 action drop
set firewall name INBOUND rule 8 source address 220.0.0.0/7
set firewall name INBOUND rule 8 log enable
set firewall name INBOUND rule 9 action drop
set firewall name INBOUND rule 9 source address 222.0.0.0/8
set firewall name INBOUND rule 9 log enable
set firewall name INBOUND rule 10 action drop
set firewall name INBOUND rule 10 source address 59.0.0.0/8
set firewall name INBOUND rule 10 log enable
set firewall name INBOUND rule 11 action drop
set firewall name INBOUND rule 11 source address 60.0.0.0/7
set firewall name INBOUND rule 11 log enable
set firewall name INBOUND rule 12 action drop
set firewall name INBOUND rule 12 source address 114.0.0.0/7
set firewall name INBOUND rule 12 log enable
set firewall name INBOUND rule 13 action drop
set firewall name INBOUND rule 13 source address 116.0.0.0/6
set firewall name INBOUND rule 13 log enable
set firewall name INBOUND rule 14 action drop
set firewall name INBOUND rule 14 source address 120.0.0.0/6
set firewall name INBOUND rule 14 log enable
set firewall name INBOUND rule 15 action drop
set firewall name INBOUND rule 15 source address 124.0.0.0/7
set firewall name INBOUND rule 15 log enable
set firewall name INBOUND rule 16 action drop
set firewall name INBOUND rule 16 source address 126.0.0.0/8
set firewall name INBOUND rule 16 log enable
This second set of rules should be set for inbound on your inside interface.
set firewall name OUTBOUND rule 5 action drop
set firewall name OUTBOUND rule 5 destination address 202.0.0.0/7
set firewall name OUTBOUND rule 5 log enable
set firewall name OUTBOUND rule 6 action drop
set firewall name OUTBOUND rule 6 destination address 210.0.0.0/8
set firewall name OUTBOUND rule 6 log enable
set firewall name OUTBOUND rule 7 action drop
set firewall name OUTBOUND rule 7 destination address 218.0.0.0/7
set firewall name OUTBOUND rule 7 log enable
set firewall name OUTBOUND rule 8 action drop
set firewall name OUTBOUND rule 8 destination address 220.0.0.0/7
set firewall name OUTBOUND rule 8 log enable
set firewall name OUTBOUND rule 9 action drop
set firewall name OUTBOUND rule 9 destination address 222.0.0.0/8
set firewall name OUTBOUND rule 9 log enable
set firewall name OUTBOUND rule 10 action drop
set firewall name OUTBOUND rule 10 destination address 59.0.0.0/8
set firewall name OUTBOUND rule 10 log enable
set firewall name OUTBOUND rule 11 action drop
set firewall name OUTBOUND rule 11 destination address 60.0.0.0/7
set firewall name OUTBOUND rule 11 log enable
set firewall name OUTBOUND rule 12 action drop
set firewall name OUTBOUND rule 12 destination address 114.0.0.0/7
set firewall name OUTBOUND rule 12 log enable
set firewall name OUTBOUND rule 13 action drop
set firewall name OUTBOUND rule 13 destination address 116.0.0.0/6
set firewall name OUTBOUND rule 13 log enable
set firewall name OUTBOUND rule 14 action drop
set firewall name OUTBOUND rule 14 destination address 120.0.0.0/6
set firewall name OUTBOUND rule 14 log enable
set firewall name OUTBOUND rule 15 action drop
set firewall name OUTBOUND rule 15 destination address 124.0.0.0/7
set firewall name OUTBOUND rule 15 log enable
set firewall name OUTBOUND rule 16 action drop
set firewall name OUTBOUND rule 16 destination address 126.0.0.0/8
set firewall name OUTBOUND rule 16 log enable
If you are using any local services on the firewall itself, consider applying the rules to the local section of the outside interface.
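As an added example in Python (not part of the original post), the prefix list from the rules above can be rendered into the same set commands and checked for coverage before it is committed; the prefixes are copied from the rules and the sample addresses are constructed. Because these are registry-level APNIC allocations rather than per-country ranges, the coverage check is the quickest way to see which legitimate traffic the drop rules will also catch.

```python
import ipaddress

# Prefixes copied from the INBOUND/OUTBOUND rules above (IANA-listed APNIC blocks)
BLOCKED_PREFIXES = [
    "202.0.0.0/7", "210.0.0.0/8", "218.0.0.0/7", "220.0.0.0/7", "222.0.0.0/8",
    "59.0.0.0/8", "60.0.0.0/7", "114.0.0.0/7", "116.0.0.0/6", "120.0.0.0/6",
    "124.0.0.0/7", "126.0.0.0/8",
]


def matching_prefix(ip, prefixes=BLOCKED_PREFIXES):
    """Return the first prefix covering ip (the rule that would drop it), else None."""
    addr = ipaddress.ip_address(ip)
    for prefix in prefixes:
        if addr in ipaddress.ip_network(prefix):
            return prefix
    return None


def vyatta_rules(prefixes, name, direction, first_rule=5):
    """Render 'set firewall' commands for each prefix, numbered from first_rule.

    direction is 'source' for the INBOUND set (outside interface, in) and
    'destination' for the OUTBOUND set (inside interface, in), as in the post.
    """
    lines = []
    for number, prefix in enumerate(prefixes, start=first_rule):
        base = f"set firewall name {name} rule {number}"
        lines.append(f"{base} action drop")
        lines.append(f"{base} {direction} address {prefix}")
        lines.append(f"{base} log enable")
    return lines


def collapsed(prefixes):
    """Merge adjacent or overlapping prefixes; fewer rules means fewer lookups per packet."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # Constructed sample addresses: one inside a blocked /7, one outside every prefix
    for sample in ("203.0.113.5", "8.8.8.8"):
        print(sample, "->", matching_prefix(sample) or "not blocked")
    # Reproduces the INBOUND set from the post, rules 5 through 16
    print("\n".join(vyatta_rules(BLOCKED_PREFIXES, "INBOUND", "source")))
```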
A blog about using the SIP Open Source sipXcom Unified Communications Server. sipXcom is a fork of sipXecs.
Wednesday, December 31, 2008
Vyatta with OpenSBC Install
Finally got pointed in the right direction with Vyatta and OpenSBC by Joegen (the main developer over at OpenSipStack.org). Here are my install notes for OpenSBC on Vyatta.
Install OpenSBC on Vyatta Firewall
Install Vyatta:
Boot from Vyatta LiveCD ISO. Press ENTER.
At login, username 'root', password 'vyatta'.
Enter 'install-system'
Configure as needed... I'll share mine when I get this all working...
Get items required for building OpenSBC (kitchen sink approach):
Login to Firewall as user 'vyatta'
cd /etc/apt
su
Password: (enter root password)
nano -w sources.list
Add line: "deb ftp://ftp.us.debian.org/debian/ lenny main contrib non-free"
Ctrl-X and Y to overwrite
apt-get update
apt-get install -y mc autoconf automake cvs flex expat libexpat1-dev libtool build-essential libxml2 libxml2-dev libtiff4 libtiff4-dev php5 php5-cli php5-mysql php5-gd mysql-server libmysqlclient15-dev php-pear php-db curl sox apache2 libssl-dev libncurses5-dev bison libaudiofile-dev subversion libnewt-dev libcurl3-dev libnet-ssleay-perl openssl ssl-cert libauthen-pam-perl libio-pty-perl libmd5-perl libpg-perl libdbd-pg-perl php5-pgsql sqlite3 libsqlite3-dev libapache2-mod-php5 php5-common phpmyadmin php5-mcrypt mcrypt phppgadmin libmcrypt-dev
Get OpenSipStack and OpenSBC from CVS:
cd /usr/src
cvs -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack login
cvs -z3 -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack co -P opensipstack
cvs -z3 -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack co -P opensbc
Compile / Make OpenSipStack and OpenSBC:
cd /usr/src/opensipstack
chmod +x ./configure
./configure
make bothnoshared
cd ../opensbc
chmod +x ./configure
./configure
make bothnoshared
make distrib
Starting OpenSBC
In the distrib folder under /usr/src/opensbc there should be a couple of scripts. Use ./startup.sh to start the services and ./shutdown.sh to stop them.
Then access the OpenSBC management interface at http://inside.ip.addr.offw:9999 (substitute the firewall's inside IP address).
Hope this helps others who have been struggling getting this going! I'm working on some Vyatta configuration files for making things all work together.
Sunday, December 28, 2008
Looking for an SBC solution? Vyatta + Freeswitch...
Started working on getting a proper SBC for the home network. I hacked on Vyatta with OpenSBC this morning with less than stellar compilation results. I may revisit that.
I did get a good start on Vyatta (beta of Ver 5... Debian) with Freeswitch installed though. Here are my installation notes so far:
Vyatta VC5 Beta ISO download is at: http://www.vyatta.org/downloads
Vyatta (ver 5 beta) with FreeSwitch Installation
Install Vyatta
Boot from ISO. Press ENTER.
At login, username 'root', password 'vyatta'.
Enter 'install-system'
Configure as needed...
Get items required for building Freeswitch
Login to Firewall as user 'vyatta'
vyatta@FW1:~$ cd /etc/apt
vyatta@FW1:/etc/apt$ su
Password: (enter root password)
vyatta@FW1:/etc/apt$ nano -w sources.list
Add line: "deb ftp://ftp.us.debian.org/debian/ lenny main contrib non-free"
Ctrl-X and Y to overwrite
FW1:/etc/apt# apt-get update
FW1:/etc/apt# apt-get install -y mc autoconf automake libtool build-essential libxml2 libxml2-dev libtiff4 libtiff4-dev php5 php5-cli php5-mysql php5-gd mysql-server libmysqlclient15-dev php-pear php-db curl sox apache2 libssl-dev libncurses5-dev bison libaudiofile-dev subversion libnewt-dev libcurl3-dev libnet-ssleay-perl openssl ssl-cert libauthen-pam-perl libio-pty-perl libmd5-perl libpg-perl libdbd-pg-perl php5-pgsql sqlite3 libsqlite3-dev libapache2-mod-php5 php5-common phpmyadmin php5-mcrypt mcrypt phppgadmin libmcrypt-dev
Get the Freeswitch Code
cd /usr/src/
svn checkout http://svn.freeswitch.org/svn/freeswitch/trunk freeswitch
Build Freeswitch...
cd freeswitch
./bootstrap.sh
./configure --prefix=/usr/local/freeswitch
make
make install
make sounds-install
make moh-install
make samples
Run Freeswitch...
cd /usr/local/freeswitch/bin
./freeswitch
That's as far as I've taken it at this point...
Shout out to http://madhawa.com/?p=10 for shedding light on Debian (etch) install of Freeswitch.
Saturday, December 20, 2008
New Snom 820
Looks like Snom is finally getting their act together with their phones. They've always had the technology underneath (much better from an administrative perspective than Polycom) but their packaging left a LOT to be desired.
The new Snom 820 is set to change that. With sleek new looks, finally no paper templates, an available wireless version and Snom's great software under the hood, the 820 looks ready for prime time.
Take a closer look: http://www.snom.com/sv/products/snom-820/
Let's hope they follow it up quickly with an 860 or 870 for the attendant position.
Friday, December 12, 2008
sipXecs updates..
Version 3.10.3 Stable has hit the streets. I've done a couple upgrades at this point and all is working great.
3.10.30 combined with Polycom 3.1.1 firmware and 4.1.2 bootrom brings Music On Hold to the Polycom phones finally! Woohoo!
Oh, and they fixed a few other bugs too...
4.0 development seems to be pressing ahead quite well. The developers have just upped the development version to 3.11.9. I have been installing 3.11.8 regularly in a virtual and things seem to be shaping up quite nicely.