Mediant 2000 & TP-1610 & TP-260/UNI SIP User’s Manual Version 5.0

Mediant 2000 & TP-1610 & TP-260
SIP User's Manual 298 Document #: LTRT-68805
13.5 Internal Firewall
The gateway accommodates an internal access list facility, allowing the security
administrator to define network traffic filtering rules. The access list provides the following
features:
- Block traffic from known malicious sources
- Only allow traffic from known friendly sources, and block all others
- Mix allowed and blocked network sources
- Limit traffic to a predefined rate (blocking the excess)
- Limit traffic to specific protocols, and specific port ranges on the device
The access list consists of a table with up to 50 ordered lines. For each packet received on
the network interface, the table is scanned from the top until a matching rule is found (or
the table end is reached). The matching rule either blocks the packet or allows it; once a
rule matches, subsequent rules are not scanned. If the table end is reached without a match,
the packet is accepted.
Each rule is composed of the following fields (described in Table 6-1 on page 130):
- IP address (or DNS name) of source network
- IP network mask
- Destination UDP/TCP ports (on this device)
- Protocol type
- Maximum packet size, byte rate per second, and allowed data burst
- Action upon match (allow or block)
Figure 13-15 shows an example of an access list definition via ini file:
Figure 13-15: Example of an Access List Definition via ini File
[ ACCESSLIST ]
FORMAT AccessList_Index = AccessList_Source_IP, AccessList_Net_Mask,
AccessList_Start_Port, AccessList_End_Port, AccessList_Protocol,
AccessList_Packet_Size, AccessList_Byte_Rate, AccessList_Byte_Burst,
AccessList_Allow_Type;
AccessList 10 = mgmt.customer.com, 255.255.255.255, 0, 80, tcp, 0, 0, 0, allow ;
AccessList 15 = 192.0.0.0, 255.0.0.0, 0, 65535, any, 0, 40000, 50000, block ;
AccessList 20 = 10.31.4.0, 255.255.255.0, 4000, 9000, any, 0, 0, 0, block ;
AccessList 22 = 10.4.0.0, 255.255.0.0, 4000, 9000, any, 0, 0, 0, block ;
[ \ACCESSLIST ]
Explanation of the example access list:
- Rule #10: traffic from the host ‘mgmt.customer.com’ destined to TCP ports 0 to 80 is
  always allowed.
- Rule #15: traffic from the 192.xxx.yyy.zzz subnet is limited to a rate of 40 Kbytes per
  second (with an allowed burst of 50 Kbytes). Note that the rate is specified in bytes,
  not bits, per second; a rate of 40000 bytes per second nominally corresponds to 320
  kbps.
- Rule #20: traffic from the subnet 10.31.4.xxx destined to ports 4000 to 9000 is always
  blocked, regardless of protocol.
- Rule #22: traffic from the subnet 10.4.xxx.yyy destined to ports 4000 to 9000 is always
  blocked, regardless of protocol.
- All other traffic is allowed.
More complex rules may be defined, relying on the ‘single-match’ process described
above.
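
The single-match scan, worked through on the Figure 13-15 rules (an added example, not code from the manual or the gateway firmware). Assumptions: a source matches when it agrees with the rule address under the mask, a lower index is nearer the top, the DNS name resolves to a constructed address, and rule 49 is a constructed catch-all; the packet size and burst fields are ignored.

```python
import ipaddress

# Rule lines copied from Figure 13-15.
FIGURE_13_15 = """
AccessList 10 = mgmt.customer.com, 255.255.255.255, 0, 80, tcp, 0, 0, 0, allow ;
AccessList 15 = 192.0.0.0, 255.0.0.0, 0, 65535, any, 0, 40000, 50000, block ;
AccessList 20 = 10.31.4.0, 255.255.255.0, 4000, 9000, any, 0, 0, 0, block ;
AccessList 22 = 10.4.0.0, 255.255.0.0, 4000, 9000, any, 0, 0, 0, block ;
"""
# Constructed stand-in for DNS so the example runs offline.
DNS = {"mgmt.customer.com": "203.0.113.10"}
# Constructed catch-all rule (not in the manual) that closes the default accept.
CATCH_ALL = "AccessList 49 = 0.0.0.0, 0.0.0.0, 0, 65535, any, 0, 0, 0, block ;"

def ip_int(text):
    return int(ipaddress.IPv4Address(DNS.get(text, text)))

def parse(text):
    rules = []
    for line in text.splitlines():
        if not line.strip().startswith("AccessList "):
            continue
        head, _, body = line.partition("=")
        f = [x.strip() for x in body.rstrip(" ;").split(",")]
        rules.append({"index": int(head.split()[1]), "net": ip_int(f[0]),
                      "mask": ip_int(f[1]), "ports": (int(f[2]), int(f[3])),
                      "proto": f[4].lower(), "byte_rate": int(f[6]),
                      "action": f[8].lower()})
    return sorted(rules, key=lambda r: r["index"])  # assumed: low index = top

def evaluate(rules, src, dport, proto):
    """Return (matching rule index or None, outcome) for one packet."""
    for r in rules:
        if ((ip_int(src) & r["mask"]) == (r["net"] & r["mask"])  # assumed mask test
                and r["ports"][0] <= dport <= r["ports"][1]
                and r["proto"] in ("any", proto)):
            # First match wins; a non-zero byte rate is reported as a rate
            # limit, following the manual's explanation of rule #15.
            return r["index"], "rate-limit" if r["byte_rate"] else r["action"]
    return None, "allow"  # table end reached without a match: packet accepted

if __name__ == "__main__":
    base = parse(FIGURE_13_15)
    closed = parse(FIGURE_13_15 + CATCH_ALL)
    for pkt in [("203.0.113.10", 80, "tcp"), ("192.168.1.5", 5060, "udp"),
                ("10.31.4.7", 4500, "udp"), ("10.4.9.9", 3999, "tcp"),
                ("198.51.100.9", 23, "tcp")]:
        print(pkt, evaluate(base, *pkt), evaluate(closed, *pkt))
```

With the figure's four rules alone, a packet from an unlisted source falls off the end of the table and is accepted; only a final block rule such as the constructed rule 49 gives the "allow known sources, block all others" behaviour.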