Here is a summary of the rules you will need to configure
in your firewall to make the specific parts of the Marratech
client and Marratech Manager communication work.
The text is written using ipfw, the BSD firewall.
ipfw was chosen because its rules are easy to understand even
if you are not familiar with this particular firewall. You should
easily be able to convert them to your own firewall's configuration
parameters.
The rules specify how to safely give access to your Manager
from the Internet.
#
# In each section, rules are divided into sets. You will always need to configure
# one of each "set". Some sets (e.g. 2B) exist in different versions - this is
# to provide alternate rules which may or may not be better for certain types of users.
#
# For example, the Manager configuration has one set for control ports (2A) and two
# sets for data ports (2B). You will need to use the single set named 2A and one of the
# two sets named 2B (but not both).
#
# This text uses the default ports specified in the Manager. If you change the ports
# or port ranges, you will need to change the rules accordingly.
#
# All-caps words in rules should be replaced as follows:
#
# MANAGER: IP address of the server running the Marratech Manager software.
# CLIENTS: IP address range containing all client computers, or "any"
# ACTIVE: IP address of the active node (typically remote/slave node)
# PASSIVE: IP address of the passive node (typically central node)
# LDAP: IP address of LDAP server
### 0 - SETUP ################################################################
#
# This configuration makes use of Dynamic states. You will need the following
# line first in your configuration to allow established states to work through
# your ipfw-based firewall.
add check-state
### 1 - CLIENT CONFIGURATION #################################################
#
# This part shows the best way to set up your firewall to allow internal
# clients to access a Manager somewhere on the Internet.
#
# A) Client Control (HTTP/HTTPS - normal/encrypted web traffic)
# NOTES: 8000 and 8001 are the default ports for HTTP and HTTPS.
# They are often changed to 80 and 443, which are the standard
# ports for such services. Use the line that fits your system.
add allow tcp from CLIENTS to MANAGER dst-port 8000,8001 setup keep-state
add allow tcp from CLIENTS to MANAGER dst-port 80,443 setup keep-state
# B) Client Data (RTP traffic, optionally encrypted)
# NOTE: "setup" is a TCP-only option in ipfw (it matches the SYN flag), so a
# UDP rule carrying it would never match; UDP rules use keep-state alone.
add allow udp from CLIENTS to MANAGER dst-port 52000-52999 keep-state
### 2 - MANAGER CONFIGURATION ################################################
#
# These rules are essentially the same as for the client, but inbound. If you
# run into performance problems, you may want to run the data streams without
# states to reduce the load on your firewall.
#
# If the Manager uses private addresses, you need to set up 1:1 port mapping
# in the firewall and configure the external address in the Manager's Detailed
# Network Settings.
# A) The Manager control ports are usually set up using inbound dynamic states.
add allow tcp from CLIENTS to MANAGER dst-port 8000,8001 setup keep-state
add allow tcp from CLIENTS to MANAGER dst-port 80,443 setup keep-state
# B) Client data can also be set up using inbound dynamic states
# ("setup" is TCP-only in ipfw and must not be used on the UDP rule).
add allow udp from CLIENTS to MANAGER dst-port 52000-52999 keep-state
# B) If you would prefer not to set up states for this at your server side,
# you need to allow inbound and outbound UDP traffic.
add allow udp from CLIENTS to MANAGER dst-port 52000-52999
add allow udp from MANAGER to CLIENTS src-port 52000-52999
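The following is an added example, not part of the Marratech text: a small POSIX shell helper that renders the section 2 Manager rules (2A plus the stateful 2B set) with concrete addresses, then checks the result for the two mistakes this text warns about before it is loaded, an all-caps placeholder left unreplaced and the TCP-only "setup" keyword applied to a UDP rule. The function names, the address 198.51.100.10 and the "std" port switch are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Marratech's own tooling): render the section 2 Manager
# rules with real values and sanity-check them before handing them to ipfw.

# Emit 2A (control, stateful) and the stateful 2B (data) rules.
# $1 = MANAGER address, $2 = CLIENTS range or "any",
# $3 = "std" for ports 80/443, anything else for the 8000/8001 defaults.
render_manager_rules() {
    mgr=$1; clients=$2; ports=${3:-default}
    if [ "$ports" = "std" ]; then ctl="80,443"; else ctl="8000,8001"; fi
    printf 'add check-state\n'
    printf 'add allow tcp from %s to %s dst-port %s setup keep-state\n' \
        "$clients" "$mgr" "$ctl"
    printf 'add allow udp from %s to %s dst-port 52000-52999 keep-state\n' \
        "$clients" "$mgr"
}

# Return 0 when the ruleset in $1 looks sane; return 1 (and say why) when it
# still contains a placeholder word from this text or uses "setup" on a
# non-TCP rule, where it would never match.
check_rules() {
    if printf '%s\n' "$1" | grep -Ewq 'MANAGER|CLIENTS|ACTIVE|PASSIVE|LDAP'; then
        echo "unreplaced placeholder in ruleset" >&2; return 1
    fi
    if printf '%s\n' "$1" | grep -Eq '^add allow (udp|icmp|ip) .* setup'; then
        echo "'setup' used on a non-TCP rule" >&2; return 1
    fi
    return 0
}

# Usage: Manager at 198.51.100.10 (constructed address), reachable from any
# client on the standard web ports; load only if the checks pass.
# rules=$(render_manager_rules 198.51.100.10 any std)
# check_rules "$rules" && printf '%s\n' "$rules" > /tmp/marratech.rules \
#     && ipfw -q /tmp/marratech.rules
```

Running `ipfw -n /tmp/marratech.rules` first only checks the syntax without submitting the rules to the kernel, which is a cheap dry run before the real load.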
### 3 - MANAGER CONFIGURATION - NODE SETUP ###################################
#
# Nodes communicate using one TCP (4160) and one UDP (9000) port. Both can
# be set up using the same Dynamic state rule. If the active node uses private
# addresses, you need to set up 1:1 port mapping in the firewall and specify the
# correct connect addresses in the node setup.
# A) Control ports can be set up using dynamic states
add allow tcp from ACTIVE to PASSIVE dst-port 4160 setup keep-state
# B) Data ports can be set up using dynamic states
# ("setup" is TCP-only in ipfw, so the UDP rule uses keep-state alone)
add allow udp from ACTIVE to PASSIVE dst-port 9000 keep-state
# B) If you would prefer not to set up states for this at your server side,
# you need to allow inbound and outbound UDP traffic.
add allow udp from ACTIVE to PASSIVE src-port 9000 dst-port 9000
add allow udp from PASSIVE to ACTIVE src-port 9000 dst-port 9000
### 4 - MANAGER CONFIGURATION - SIP SETUP ####################################
#
# Marratech currently only uses UDP-based signaling in SIP. SIP ports should
# not be set up using Dynamic state rules, as this may cause certain important
# messages (like hang up) to get lost on the way.
#
# SIP can be set up even if the Manager runs on an internal address, but you
# need to set up static 1:1 port mapping from an IP address in the firewall and
# you need to configure the External (NAT) IP for each SIP line.
#
# If you try using dynamic NAT, you will have the same issue as with a dynamic
# state firewall (see above).
#
# You can restrict "any" to specific IP addresses. Note, however, that many
# VoIP operators may have several IP addresses for their proxies and that you
# may need to change the rules if they switch IP addresses.
#
# A) Control ports
add allow udp from MANAGER to any src-port 5060
add allow udp from any to MANAGER dst-port 5060
# B) Data ports
add allow udp from MANAGER to any src-port 53000-53999
add allow udp from any to MANAGER dst-port 53000-53999
### 5 - MANAGER CONFIGURATION - H.323 SETUP ##################################
#
# Marratech currently uses an outbound TCP stream for signaling. No inbound TCP
# stream needs to be set up. The data ports are not bidirectional, which means
# they can't be set up using dynamic state rules.
#
# Note that H.323 REQUIRES a public IP address if you wish to access other public
# IP addresses. Dynamic NAT or static port forwarding is NOT supported.
# A) Control ports (signaling)
add allow tcp from MANAGER to any src-port 5060-5160 dst-port 1720 setup keep-state
# B) Data ports
add allow udp from MANAGER to any src-port 53000-53999
add allow udp from any to MANAGER dst-port 53000-53999
### 6 - MANAGER CONFIGURATION - WEBSTART #####################################
#
# If you enable Java Webstart, Marratech Manager will try to download a template
# over HTTP from one of our servers. This means it must have unrestricted access
# to HTTP traffic. We recommend allowing the manager to access any web server, as
# the Webstart client is likely to be spread to more servers in the future.
#
# Note that the Manager does not support proxies at the time of writing.
#
# You can circumvent the HTTP download by manually downloading the JNLP template
# to the server and accessing it as a local template. Place it in your html directory
# and specify the local path (not the URL) to the file. Note that you will have
# to download the template manually every time there is a change!
# A) HTTP port
add allow tcp from MANAGER to any dst-port 80 setup keep-state
### 7 - MANAGER CONFIGURATION - LDAP ########################################
#
# Marratech Manager can use LDAP in different modes. Select the setup below
# that best matches your LDAP server. LDAP communication uses a single TCP stream.
# A) Unencrypted LDAP
add allow tcp from MANAGER to LDAP dst-port 389 setup keep-state
# A) Encrypted LDAP (LDAPS - uses SSL/TLS)
add allow tcp from MANAGER to LDAP dst-port 636 setup keep-state