A client of ours is using a Cisco Call Manager which has been set up incorrectly to register not just their main number but all extensions within their organisation. This leads to the source IP automatically being firewalled by the SIP bruteforce protection structures on our VoIP infrastructure.
What we wanted to do:
- Allow SIP registration requests for a specific number/user
- Disallow all other SIP registration requests
Resulting RouterOS raw firewall rules - confirmed to be working as expected:
/ip firewall raw
add action=accept chain=prerouting comment="SIP Registration - Allow 0112223333:" \
content="REGISTER\0D\0AContact: <sip:0112223333@" dst-port=5060 in-interface=ether5 protocol=udp src-address=198.19.32.18
add action=drop chain=prerouting comment="SIP Registration - Deny all others:" \
content="REGISTER\0D\0AContact: <sip:" dst-port=5060 in-interface=ether5 protocol=udp src-address=198.19.32.18
NB: Never edit the rule via Winbox! The content rule contains hex values for the carriage return (\0D or \r) and line feed (\0A or \n) characters, which get interpreted when opening and subsequently saving the rules.
This was constructed by reviewing a packet capture of the SIP registration attempts in Wireshark:
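As an added example (not part of the original post), the following Python emulates the raw content= substring match so the accept/drop behaviour of the two rules can be checked offline against constructed REGISTER messages; the PBX hostname, Via branch and other header values are made up, only the 198.19.32.18 address and the 0112223333 user come from the rules above.

```python
# Added example, not from the original post: emulates the RouterOS raw
# content= match used by the two rules so they can be checked offline
# against constructed SIP REGISTER payloads.
ALLOWED_USER = "0112223333"  # the user from the post's allow rule

# RouterOS content= is a raw substring match on the packet payload; \0D\0A in the
# rule is the CRLF that terminates every SIP header line.
ALLOW_PATTERN = b"REGISTER\r\nContact: <sip:" + ALLOWED_USER.encode() + b"@"
DENY_PATTERN = b"REGISTER\r\nContact: <sip:"


def classify(payload: bytes) -> str:
    """Evaluate the two prerouting rules in order: 'accept', 'drop' or 'pass'
    (neither matched, so later firewall rules decide)."""
    if ALLOW_PATTERN in payload:
        return "accept"
    if DENY_PATTERN in payload:
        return "drop"
    return "pass"


def build_register(user: str, contact_after_cseq: bool = True) -> bytes:
    """Construct a minimal SIP REGISTER (sample values only, not a real capture).

    The request line ends in 'SIP/2.0', so 'REGISTER\\r\\n' only occurs where the
    CSeq header's method is directly followed by the Contact header. Header
    order is therefore the edge case this flag lets you toggle."""
    cseq = "CSeq: 1 REGISTER"
    contact = f"Contact: <sip:{user}@198.19.32.18:5060>"
    via = "Via: SIP/2.0/UDP 198.19.32.18:5060;branch=z9hG4bKconstructed"
    headers = [via, cseq, contact] if contact_after_cseq else [via, contact, cseq]
    lines = ["REGISTER sip:pbx.example.invalid SIP/2.0", *headers, "Content-Length: 0", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


if __name__ == "__main__":
    for user, order in [("0112223333", True), ("0114445555", True),
                        ("01122233334", True), ("0112223333", False)]:
        print(user, "Contact after CSeq" if order else "Contact before CSeq",
              "->", classify(build_register(user, order)))
```

The last case shows the dependency on header order: if the PBX ever emits Contact somewhere other than directly after CSeq, neither rule matches and the packet falls through to the rest of the firewall.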