I own both an R7800 Netgear Nighthawk X4S, running DD-WRT v3.0-r47000 std (06/28/21), and an EdgeRouter X running EdgeOS 2.0.9.
I would be grateful for information on how to do it on any device. Any information on iptables rules, or any firewall rules, on how to make a VoIP device/client connect only to a SIP server and nothing else would be appreciated.
Joined: 08 May 2018 Posts: 14835 Location: Texas, USA
Posted: Tue Jul 06, 2021 19:41 Post subject:
As I mentioned in your other post, this forum is not for Ubiquiti firmware. I edited your OP to reflect the correct information. I presume you are not wanting the device to phone home and do any automatic firmware upgrades or risk possibility of being hacked, is that the premise of this post? Did you bother checking the vendor's website and forums?
kernel-panic69 wrote:
As I mentioned in your other post, this forum is not for Ubiquiti firmware. I edited your OP to reflect the correct information.
I’ll include the rev number in future posts, if it helps.
kernel-panic69 wrote:
I presume you are not wanting the device to phone home and do any automatic firmware upgrades or risk possibility of being hacked, is that the premise of this post?
That is the premise. I just want an iptables rule that will block the device from connecting to ANY address except for my ISP’s SIP server.
As for firmware upgrades, I am sophisticated enough to put a "#" in front of the iptables rule to stop it, upgrade, then delete the "#" from said rule to re-engage it. Why am I doing this? The word "security" is very fluid with Grandstream.
I don't want to get into the details, but yes, I have posted, and I really did not like what I saw. To summarize my issues:
1. I cannot download the latest firmware, check the SHA256/MD5/PGP signature, then upload it to the device. The device won't let me upload *anything*, something I take for granted with DD-WRT; on the Grandstream forums people complain about this.
2. They changed the address of the firmware location for auto-update. Sort of forgivable.
3. Auto-updates don't even use HTTPS; you have to use HTTP. Again, people complain.
4. I finally got an update and sort of verified it through some light shenanigans (I put the direct download path into my browser, then checked the file).
You would think this is over, but it's not!
5. After I upgrade and do what a responsible person does, i.e. shut off Telnet/SSH/UPnP as attack vectors, I notice that the device is automatically connecting to some weird Amazon AWS IP on port 3478. My ISP has nothing to do with any STUN server.
6. After much digging I figured out that the engineers were just too idiotic to shut it off, so they made it connect to a dummy STUN server.
7. The engineering ticket said something to the effect of "did you shut off the STUN server?" I never touched that portion of the VoIP firmware and couldn't find out how to stop it. So I figured, screw this, find an iptables rule that will fix this once and for all.
kernel-panic69, you seem like a smart guy. Can you suggest an iptables rule that I can stick into DD-WRT Commands?
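The following is an added example of the kind of rule set being asked for above; it is not from the thread or from DD-WRT, and nobody in the thread posted it. It assumes the phone sits on the LAN behind the DD-WRT router (so its traffic crosses the FORWARD chain), and the phone address 192.168.1.50, SIP server 203.0.113.10, signalling port 5060 and RTP range 10000-20000 are placeholders to replace with your own values. It builds a dedicated VOIP chain that only accepts traffic from the phone to the SIP server and logs and drops everything else, which covers the STUN connection to UDP 3478. When run as a non-root user, or where iptables is absent, it prints the rules instead of applying them so the script can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT. Paste into
# Administration > Commands and "Save Firewall" so DD-WRT re-applies it after
# every reboot and WAN reconnect.
#
# All addresses and ports are assumptions, not values from the thread:
#   PHONE      - LAN address of the VoIP device (give it a static DHCP lease)
#   SIP_SERVER - the provider's SIP server IP (resolve the hostname once, pin it)
#   SIP_PORT   - SIP signalling port
#   RTP_RANGE  - the RTP port range configured on the phone
PHONE=${PHONE:-192.168.1.50}
SIP_SERVER=${SIP_SERVER:-203.0.113.10}
SIP_PORT=${SIP_PORT:-5060}
RTP_RANGE=${RTP_RANGE:-10000:20000}

# Apply for real only as root on a box that has iptables; otherwise echo the
# rules so the script can be checked on a desktop without touching anything.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    IPT=iptables
else
    IPT=echo
fi

voip_rules() {
    # Own chain, flushed first, so re-running the script never duplicates rules.
    $IPT -N VOIP 2>/dev/null
    $IPT -F VOIP
    # Hook: everything the phone forwards through the router enters VOIP.
    # Delete any earlier copy of the jump, then put it at the top of FORWARD.
    $IPT -D FORWARD -s "$PHONE" -j VOIP 2>/dev/null
    $IPT -I FORWARD 1 -s "$PHONE" -j VOIP
    # Whitelist: SIP signalling (UDP and TCP) and RTP media, to the provider only.
    $IPT -A VOIP -d "$SIP_SERVER" -p udp --dport "$SIP_PORT" -j ACCEPT
    $IPT -A VOIP -d "$SIP_SERVER" -p tcp --dport "$SIP_PORT" -j ACCEPT
    $IPT -A VOIP -d "$SIP_SERVER" -p udp --dport "$RTP_RANGE" -j ACCEPT
    # Everything else from the phone (including STUN to UDP 3478) is logged,
    # rate limited, and dropped. Inspect with: dmesg | grep VOIP-DROP
    $IPT -A VOIP -m limit --limit 6/minute -j LOG --log-prefix "VOIP-DROP "
    $IPT -A VOIP -j DROP
}

voip_rules
```

Two practical points. Traffic the phone sends to the router itself (DNS and NTP served by DD-WRT on its LAN address) goes through INPUT, not FORWARD, so it is unaffected; if the phone is configured with the provider's hostname rather than an IP, keep its DNS pointed at the router. Many providers send media from an address other than the SIP server, so after applying this watch the VOIP-DROP log during a test call and add an ACCEPT line for the media address if calls have one-way audio. For a firmware update, remove the hook temporarily with `iptables -D FORWARD -s 192.168.1.50 -j VOIP` and re-run the script afterwards, rather than editing the saved script.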