Unexpected firewall impact - Fanvil X6U #5

Closed
chris021 opened this issue Feb 3, 2024 · 2 comments

@chris021

chris021 commented Feb 3, 2024

After much trial and error, I have found that the Fanvil X6U cannot make outbound calls (receives fine) if the nftables firewall is running.

pbx/resources/etc/nftables.conf

I have tracked down the exact line that the Fanvil takes exception to:
ip frag-off & 0x1fff != 0 counter drop

With this line commented out the Fanvil works correctly. I will continue to explore this issue by taking a packet capture from the Fanvil while it's making a call to see what is happening.

@AdrianFretwell
Collaborator

Hi Chris,
This rule blocks fragmented packets. The rule is designed to mitigate DDoS by UDP fragmentation floods. The IP stack has to buffer fragments until all have arrived, which can quickly overrun the buffer in an attack situation. There are, however, many more different types of attack, so it will be safe for you to remove this rule.

It may be better to fix the fragmentation problem at the phone. The probable reason why inbound works and outbound does not is that, following the initial INVITE message, FreeSWITCH will respond with a "407 Proxy Authentication Required". The phone now re-sends the INVITE but with a Proxy-Authorization header; this additional header can be enough to exceed your MTU and cause packet fragmentation.

You may find that removing unused or unneeded codecs from the phone solves the problem. In the UK, I tend to only enable G729, G722 and PCMA.
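
An added example (not part of the thread or the project's code) that evaluates the quoted rule, `ip frag-off & 0x1fff != 0`, against the IPv4 headers a SIP message over UDP would produce. It assumes an MTU of 1500 and 20-byte IPv4 headers without options; the message sizes and addresses are constructed. The mask covers only the 13 offset bits, so the first fragment (offset 0, MF set) is accepted and only the trailing fragments are dropped, which means the datagram can never be reassembled.

```python
import struct

FRAG_OFFSET_MASK = 0x1FFF   # low 13 bits of the flags/fragment-offset word
MORE_FRAGMENTS = 0x2000     # MF flag

def ipv4_header(total_len, ident, flags_frag, proto=17):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))

def rule_drops(header):
    """Evaluate `ip frag-off & 0x1fff != 0` against an IPv4 header."""
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return (flags_frag & FRAG_OFFSET_MASK) != 0

def fragment(udp_datagram_len, mtu=1500, ident=0x1234):
    """Split a UDP datagram (UDP header + SIP message) into IPv4 fragment headers."""
    per_frag = (mtu - 20) // 8 * 8   # payload per fragment, a multiple of 8 bytes
    headers, offset = [], 0
    while offset < udp_datagram_len:
        size = min(per_frag, udp_datagram_len - offset)
        more = MORE_FRAGMENTS if offset + size < udp_datagram_len else 0
        headers.append(ipv4_header(20 + size, ident, more | (offset // 8)))
        offset += size
    return headers

def verdicts(sip_message_len, mtu=1500):
    """Per-fragment verdict of the rule for a SIP message of this size over UDP."""
    return ["drop" if rule_drops(h) else "accept"
            for h in fragment(8 + sip_message_len, mtu)]

if __name__ == "__main__":
    # Constructed sizes: an initial INVITE vs. the re-sent INVITE carrying
    # the extra Proxy-Authorization header.
    for label, size in (("initial INVITE", 1350),
                        ("INVITE with Proxy-Authorization", 1650)):
        print(f"{label} ({size} bytes): {verdicts(size)}")
```

With these assumptions the largest SIP message that stays in one packet is 1472 bytes; a packet capture on the phone side would show the same pattern as flags/offset values in the IPv4 header.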

@AdrianFretwell AdrianFretwell self-assigned this Feb 4, 2024
@AdrianFretwell
Collaborator

No further activity.
