You both are right that VoIP is a very broad term. So let me clarify. I am running Asterisk behind pfSense with multiple endpoints, such as ATAs and softphones, registering to this Asterisk server. Then I have some trunks with carriers and such. On the carrier side I am not too worried because I know their IPs and can create rules to allow traffic from them unhindered. However, on the other side are registered endpoints, for which there is no definitive IP. Users could plug it in at their home, office, hotel, etc. Then there are some malicious users who try to brute force their way into the Asterisk server, sending a flood of registration attempts. To allow legitimate use and to mitigate fraudulent registrations, one way would be to have a reasonable upper limit to connections per second. This way unusually large attempts can be blocked at the firewall level instead of letting Asterisk deal with it.

In this scenario, if I set, say, 5 max connections per second, then from one IP there can be 5 different states. In this case, if a malicious user sends 6 registration attempts in one second, then the first five would be allowed and the sixth would be dropped. On the flip side, if a legitimate user has two SIP endpoints coming from the same IP, then they can still establish two calls, one from each endpoint, as there would be four states: in and out for both endpoints. This still leaves a third connection or state for some breathing space. Did I understand this correctly?

On Fri, Jun 18, 2010 at 3:33 PM, Chris Buechler <[email protected]> wrote:
> On Fri, Jun 18, 2010 at 4:08 PM, Code Ghar <[email protected]> wrote:
> > In the pfSense book, there's a section (6.6.9.3) titled "Maximum New Connections / Per Second". It says that "Any IP address exceeding that number of connections within the given time frame will be blocked for one hour." When using VoIP, which uses UDP, if one IP sends calls to your VoIP switch with pfSense in the middle, there's one state established. Within that state, if that same IP sends, say, 5 messages in a second, are these messages considered 5 connections in one state or 1 connection in one state?
>
> With the typical SIP, one connection is one state; regardless of how many packets come over that state, it's one connection. If there are 50 SIP phones NATed to one public IP connecting to you, that's going to be 50 simultaneous SIP connections, plus RTP for calls. In cases like an Internet outage at that location, you'll see a bunch of connections opened quickly.
>
> That could more accurately read "Maximum new states / per second".
>
> As David noted, with the wide variety of things that "VoIP" can cover, it's hard to say. Generally you have up to two connections/states per SIP endpoint.
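As an added illustration (not part of the original message and not pfSense's own code), a small Python model of the per-source new-state counting the quoted reply describes: a packet that matches an already open UDP 5-tuple state never counts, only the first packet of a new 5-tuple does, and a source that exceeds the limit is blocked for the one hour the quoted book passage mentions. The IPs, ports and the `StateRateLimiter` class are constructed for this example.

```python
from collections import defaultdict, deque

# Hypothetical model of a per-source "max new states per second" limit
# (what pfSense labels "Maximum New Connections / Per Second").
# A state is keyed by the UDP 5-tuple, so only the FIRST packet of a
# new 5-tuple counts; later packets in that state are free.
BLOCK_SECONDS = 3600  # "blocked for one hour", per the quoted book text


class StateRateLimiter:
    def __init__(self, max_new_states, window=1.0):
        self.limit = max_new_states
        self.window = window
        self.states = set()               # open 5-tuple states
        self.recent = defaultdict(deque)  # src_ip -> new-state timestamps
        self.blocked_until = {}           # src_ip -> block expiry time

    def handle(self, ts, src_ip, src_port, dst_ip, dst_port, proto="udp"):
        """Classify one packet at time ts: 'blocked', 'existing' or 'new'."""
        if self.blocked_until.get(src_ip, 0) > ts:
            return "blocked"
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key in self.states:
            return "existing"  # packets inside an open state never count
        q = self.recent[src_ip]
        while q and ts - q[0] >= self.window:  # drop stale timestamps
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:  # too many new states in one window
            self.blocked_until[src_ip] = ts + BLOCK_SECONDS
            return "blocked"
        self.states.add(key)
        return "new"


def register_flood(limit=5):
    """Six REGISTER attempts in one second, each from a fresh source port."""
    fw = StateRateLimiter(limit)
    return [fw.handle(0.1 * i, "198.51.100.7", 40000 + i, "203.0.113.10", 5060)
            for i in range(6)]


def two_phones_one_nat(limit=5):
    """Two phones behind one NAT IP, each retrying REGISTER over its own state."""
    fw = StateRateLimiter(limit)
    out = []
    for i in range(5):
        out.append(fw.handle(0.2 * i, "192.0.2.50", 5060, "203.0.113.10", 5060))
        out.append(fw.handle(0.2 * i, "192.0.2.50", 5062, "203.0.113.10", 5060))
    return out
```

The flood opens a sixth state inside the window and gets the source blocked, while the two legitimate phones consume only two states however many packets they send.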
