how can we set rules to block VOIP connections? Since voip traffic does catch under MT p2p filters.
besides blocking ports
Blocking the SIP and Asterisk ports should do the trick, as they control the call. The actual voice in a SIP call is random-port-numbered RTP over UDP, but it’s useless without the SIP control channel. As for Skype VoIP, I’m not sure.
I can’t think of a reasonable explanation to block such a protocol.
Blocking certain services has always been a problem for many here on the forums.
You can block some ports but you can never catch them all. Users will find another program that makes another type of connection that your routers aren’t prepared to “catch”.
So unless you want to block a particular service that always runs on particular ports… you simply cannot block it.
If Mikrotikls must continue to market their product as able to block stuff, they need to change the way the blocking works. Maybe “definitions” for certain services need to be introduced. Like definitions for Skype etc where MT will recognise the Skype traffic and block it. It would be hard to create these definitions but maybe they can be created by enthusiasts/anybody out there and be submitted to a definitions database…
But then, these definitions will probably fail to catch encrypted/scrambled traffic. Programs will always find a way to hide their connections IMO.
http://www.secdev.org/conf/skype_BHEU06.pdf
page 78:
iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x01020304' -j QUEUE
How to add this firewall rule to Mikrotik?
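Before translating the rule above into a mangle rule, it helps to be sure what its u32 matches actually test. The following is an added example (not from the paper or any poster) that re-implements the rule's conditions in Python: u32 offsets count from the start of the IPv4 header, each match loads a big-endian 32-bit word at that offset, ANDs it with the mask and compares. The sample packets are constructed here for the check; the "probe" label is just this example's name for a matching packet.

```python
import socket
import struct


def u32_load(pkt: bytes, offset: int) -> int:
    """Read the 32-bit big-endian word at byte `offset` of an IPv4 packet,
    the way the iptables u32 match does. Offsets are from the IP header start."""
    if offset < 0 or offset + 4 > len(pkt):
        raise ValueError("u32 offset beyond end of packet")
    return struct.unpack_from("!I", pkt, offset)[0]


def matches_quoted_rule(pkt: bytes) -> bool:
    """Same three conditions as the quoted iptables rule:
         -p udp -m length --length 39   -> IPv4, protocol UDP, total length 39
         --u32 '27&0x8f=7'              -> (word at offset 27) & 0x8f == 7
         --u32 '31=0x01020304'          -> word at offset 31 == 0x01020304
    With a 20-byte IP header and 8-byte UDP header the UDP payload starts at
    offset 28, so the first test looks at payload byte 2 (mask 0x8f ignores
    bits 4-6) and the second at payload bytes 3..6."""
    if len(pkt) != 39:
        return False
    if (pkt[0] >> 4) != 4 or pkt[9] != 17:  # IPv4 version nibble, protocol 17 = UDP
        return False
    try:
        return (u32_load(pkt, 27) & 0x8F) == 7 and u32_load(pkt, 31) == 0x01020304
    except ValueError:
        return False


def build_udp_packet(payload: bytes, src="10.0.0.2", dst="10.0.0.1",
                     sport=12345, dport=33033) -> bytes:
    """Construct a minimal IPv4/UDP packet (no IP options, checksums left zero;
    u32 reads raw bytes so the zero checksums do not affect the match).
    Addresses and ports are arbitrary constructed values."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


# Constructed 11-byte payload that satisfies the rule: byte 2 & 0x8f == 7,
# bytes 3..6 == 01 02 03 04 (20 + 8 + 11 = 39 bytes total).
SAMPLE_MATCHING_PAYLOAD = b"\xab\xcd\x07\x01\x02\x03\x04\x00\x00\x00\x00"
```

Running `matches_quoted_rule(build_udp_packet(SAMPLE_MATCHING_PAYLOAD))` returns True; change the length or any of bytes 3..6 and it returns False, which is what a mangle rule replacing this u32 expression would have to reproduce.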
You can create your own custom “definitions” by mangling the traffic. This creates a label, or definition, for the connection/packets, and then you can apply rules to the traffic in the firewall.
When firewalling, unless you’re an ISP, usually you block all incoming traffic and only open the ports that you need for services in use on your network. This decreases the amount of rules you need to create, and creates a more secure network.
So… tried to decipher the above post about recognizing Skype. We don’t want to block it, we want to prioritize it. Has anyone figured out how to manage Skype and SIP traffic yet?