Netgate Discussion Forum

    Defining restricted dynamic ports for outbound NAT?

    2 Posts 2 Posters 251 Views
      dhoffman98

      I'm finding that Snort is reporting alerts on incoming connections on 5060 for devices that are not my PBX. I think what is happening is that when an internal machine is communicating through NAT, it gets assigned a dynamic port number for that connection, and sometimes it luckily happens to be assigned port 5060. Then when the remote site responds back to the firewall, it sends its traffic on 5060, and then Snort intercepts it because it's on the SIP port and the pre-proc tests it for SIP rules.

      I know I could disable the spp_sip preprocessor in Snort. I'd like to see if there is a better (or alternative) option.

      I COULD also just block all inbound traffic on 5060 (because I have my trunk vendor sending incoming connections on a custom port).

      Is there a way to do one of the following:

      1. Force outbound NAT from source port 5060 to rewrite the outbound port to a different number?
      2. Define a list of ports that can never be used by NAT?
      3. Force the Snort pre-proc to inspect incoming traffic on a different custom port instead of 5060?

      I think I like the idea of #2 best, and I know I could write a rule that blocks all outbound traffic from a specific port number, but I'm not sure what that ends up doing to connections that are given the restricted port number and then have it blocked... I think that would cause that connection to fail and not be successful until it is tried again with a different dynamic port number.

      Does any of that make sense to any of you pfSense gurus? I hope I explained it clearly enough.

      Thanks in advance for any guidance.

      -David

        viragomann @dhoffman98

        @dhoffman98 said in Defining restricted dynamic ports for outbound NAT?:

        Then when the remote site responds back to the firewall, it sends its traffic on 5060, and then Snort intercepts it because it's on the SIP port and the pre-proc tests it for SIP rules

        Not sure if that is really the case, but yes, you can add an outbound NAT rule to translate the source port in case of 5060 to another one out of a given range. That is one of the things outbound NAT rules usually can do.

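As an added illustration (not from the thread and not pfSense's own generated config), here is what the rule the reply describes looks like in raw pf.conf syntax, which is what a pfSense manual outbound NAT rule compiles down to. It also covers the poster's option #2: since pf picks the translated source port from the range given after `port`, the general catch-all rule can simply use a range that does not contain 5060, so a NAT-assigned port of 5060 can never occur. pf evaluates `nat` rules first-match, so the specific rules sit above the general one. The interface name `em0`, the LAN subnet `192.168.1.0/24`, the PBX address `192.168.1.10` and the port ranges are assumed placeholders.

```pf
# Assumed placeholders: em0 is the WAN interface, 192.168.1.0/24 the LAN,
# 192.168.1.10 the PBX (all constructed for this example).
wan_if  = "em0"
lan_net = "192.168.1.0/24"
pbx     = "192.168.1.10"

# 1. The PBX keeps its original source port (static-port), so its SIP
#    signalling is not rewritten. Drop this rule if the PBX does not need it.
nat on $wan_if inet proto udp from $pbx port 5060 to any -> ($wan_if) static-port

# 2. The rule from the reply: any other LAN host leaving from source port 5060
#    is translated to a port taken from 20000:30000, never 5060.
nat on $wan_if inet proto { tcp udp } from $lan_net port 5060 to any -> ($wan_if) port 20000:30000

# 3. General rule (option #2 from the question): the dynamic range pf chooses
#    from for everything else starts above 5060, so NAT can never hand out
#    5060 as the translated port and replies never arrive on the SIP port.
nat on $wan_if inet from $lan_net to any -> ($wan_if) port 10000:65535
```

The important detail is rule 3: matching on the pre-NAT source port (rule 2) only helps hosts that themselves use 5060, whereas the alerts described in the question come from the port pf chose at translation time, and that is controlled solely by the translation range. Keep the range wide enough for the number of concurrent states the site needs; 10000:65535 still leaves over 55000 ports per external address.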
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.