Allowed VONAGE ports through firewall...
Vonage® VoIP Forum - Vonage News, Reviews And Discussion » Vonage Forum Archive
scubasteve, Vonage Forum Associate (Joined: May 25, 2005; Posts: 21)
Posted: Tue Jun 07, 2005 10:55 am
Just because you have allowed ports 10000 to 20000 does not mean you have 10000 open ports. I just did a UDP scan on my PAP2 from an internal IP and found only 2 ports open - 5061 and 23486 (which seems unusual and has piqued my curiosity enough to investigate further).
The probable reason for the wide range is because the Vonage servers are telling your ATA what to use in the same way that an FTP server tells the client which port to open a session on. Although your adapter is only using 2 ports at a time (1 for each call), the server needs to be unique across 10000 calls.
fatboyntn, Full Forum Member (Joined: Jan 28, 2005; Posts: 49)
Posted: Tue Jun 07, 2005 2:09 pm
Ok, so I am going to step into it big time. You guys seem nice enough, so don't flame me too bad.
On my network I am NATed on my LAN. I have a few ports that I redirect to machines on the LAN from my router. From what I have observed, all requests are simply denied by the router on the WAN interface if they are not forwarded.
My Vonage box simply worked when I plugged it into the network.
Is there a compelling reason for me to firewall ports that refuse connections?
Am I not paranoid enough about NAT transversal?
paul248, Vonage Forum Evangelist (Joined: Nov 25, 2004; Posts: 646; Location: Mountain View, CA)
Posted: Tue Jun 07, 2005 2:39 pm
I'm not quite sure what you're asking, but I think the reason Vonage works from behind a router is that it continually sends out UDP packets on a certain port, to a certain address. When a UDP packet comes back from that address on that port, the router assumes it's part of the same "connection", and it gets routed back to the Vonage device.
However, some routers don't handle that perfectly, and screw up the "connection", which is why manual port forwarding can be helpful in some situations.
About the firewalling... routers don't just forward arbitrary packets to arbitrary computers. In order for the NAT traversal to work, it has to be initiated by something on your LAN. So, it's probably not much of a security risk, unless you've got a trojan on your computer or something.
nickguy, New Forum Member (Joined: Jun 04, 2005; Posts: 6)
Posted: Tue Jun 07, 2005 3:38 pm
Well, to answer the general question: no, I do not think you are being paranoid about NAT traversal. NAT is a classic example of security by obfuscation and thus is not perfect.
The problem as I see it has to do with the use of higher ports than advertised. So... the choices are to allow UDP carte blanche inbound to the IP of the TA, or use NAT/PAT to allow your traffic inbound dependent on what port the TA requests traffic on.
All this is fine on a simple home network and I suppose, depending on the architecture, only puts the TA at risk for exploitation. (An attacker would have to "guess" the open ports, or scan accordingly, and then do whatever the nefarious exploit du jour is.)
I got interested in this because my device doing NAT and firewalling (FreeBSD box) is behind a router with ACLs where I had allowed the range of ports that Vonage says to use, with a static NAT translation to the inside IP. I noticed that most calls would work but some, including calls to my company for conference calls, did not.
For testing purposes I opened up all UDP and logged traffic inbound. Sure enough, when I made calls to the previously non-functional numbers they worked, but I saw inbound traffic on the > 20000 ports....
In conclusion, it would appear that unless one wishes to rely on NAT/PAT as a security model, you have to allow all UDP inbound to the device, which leaves it open to potential exploit. The good news is that Vonage is cheap and that probably the worst thing that can happen is that the TA gets interfered with.
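The three inbound-UDP policies the thread compares (paul248's stateful reply matching, nickguy's static forward of the advertised 10000-20000 range, and "allow all UDP") can be put side by side in a small model. This is an added example, not code from the forum or from Vonage; the Router class, simulate(), the server addresses and the 23486 media port are constructed for illustration.

```python
# Added example (not from the forum thread): a toy model of the inbound-UDP
# policies the posters compare, run against a constructed Vonage-style call.
# Router, simulate() and all addresses are hypothetical/constructed.
from dataclasses import dataclass, field

SIP_SERVER = ("198.51.100.10", 5061)     # constructed upstream SIP server
MEDIA_SERVER = ("198.51.100.11", 23486)  # constructed RTP source
UNKNOWN_HOST = ("203.0.113.7", 40000)    # constructed unsolicited sender


@dataclass
class Router:
    policy: str                        # "stateful", "range_forward", "allow_all"
    fwd_range: tuple = (10000, 20000)  # ports statically forwarded to the ATA
    state: set = field(default_factory=set)

    def outbound(self, src_port: int, dst: tuple) -> None:
        """An outbound packet from the ATA creates an address-restricted mapping."""
        self.state.add((src_port, dst))

    def inbound(self, src: tuple, dst_port: int) -> bool:
        """True if an inbound UDP datagram is passed through to the ATA."""
        if self.policy == "allow_all":
            return True
        if (dst_port, src) in self.state:  # reply to something the ATA sent
            return True
        if self.policy == "range_forward":
            lo, hi = self.fwd_range
            return lo <= dst_port <= hi    # static forward, any sender accepted
        return False


def simulate(policy: str, ata_sends_first: bool = True) -> dict:
    """Run one constructed call through a policy and report what reached the ATA."""
    r = Router(policy)
    r.outbound(5061, SIP_SERVER)            # registration keeps the mapping alive
    sip_ok = r.inbound(SIP_SERVER, 5061)
    rtp_port = 23486                        # server-chosen media port, above 20000
    if ata_sends_first:
        r.outbound(rtp_port, MEDIA_SERVER)  # ATA streams out before media arrives
    media_ok = r.inbound(MEDIA_SERVER, rtp_port)
    return {
        "sip": sip_ok,
        "media": media_ok,
        "scan_in_range": r.inbound(UNKNOWN_HOST, 15000),  # unsolicited, in range
        "scan_high": r.inbound(UNKNOWN_HOST, rtp_port),   # unsolicited, above range
    }
```

Running simulate for each policy with ata_sends_first=False reproduces nickguy's observation: the static 10000-20000 forward drops media on 23486 while still exposing every port in the forwarded range to any sender, and only the stateful mapping admits the media without that exposure, provided the ATA transmits first.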
fatboyntn, Full Forum Member (Joined: Jan 28, 2005; Posts: 49)
Posted: Tue Jun 07, 2005 4:02 pm
Maybe "NAT transversal" is a bad phrase to use.
I was worried that there was some new type of vulnerability in NAT that would allow an attacker to easily transverse the router on ports that are not forwarded.
I see posts all the time by folks that are firewalling their NATed connections.
What I was wondering is why would you firewall a NAT'ed network?
I don't see any reason to firewall with this type of configuration if you keep your boxen up to date and you want to allow users unrestricted access to the Internet.
Last edited by fatboyntn on Tue Jun 07, 2005 4:23 pm; edited 1 time in total
fatboyntn, Full Forum Member (Joined: Jan 28, 2005; Posts: 49)
Posted: Tue Jun 07, 2005 4:19 pm
Nick, thanks for your response.
quixadhal, New Forum Member (Joined: Mar 08, 2005; Posts: 5)
Posted: Wed Jun 08, 2005 7:54 pm
Post subject: Good practice
Partially, you'd want to firewall a NAT'd network as good solid security practice. True, if your router drops all inbound packets that aren't a response to a previous outbound packet, you're probably as safe as you can be. However, I firmly believe in having every machine on my network individually secure. Thus if I replace my firewall someday and the new default behavior is to let everything in, and I forget to check... I'm still mostly safe. Also, if someone DOES find a vulnerability in my particular router, they still have to get into each machine from there.
I was only commenting on the wide port range because it doesn't seem like the client needs to open up that wide. A single port should be enough to announce an incoming call to a Vonage adapter (perhaps one per line). That packet could include the port that the client should respond to, so that the server can dynamically shuffle ports as needed, but the client end can always be on the same one. For data transmission... are we routing packets in parallel on multiple ports? I can't imagine needing more than a few, since audio data is by nature serial and too many would cause delays in reassembling the audio frames. Again, for the client end, why more than a handful?
fatboyntn, Full Forum Member (Joined: Jan 28, 2005; Posts: 49)
Posted: Thu Jun 09, 2005 10:20 am
If you know how SIP works, this may be of some help to you as to why all those ports are needed.
happyfun, New Forum Member (Joined: Feb 24, 2006; Posts: 1)
Posted: Fri Feb 24, 2006 1:13 pm
Post subject: all those ports
I have read that post, and many others, and have never seen a good reason why all those ports need to be open.
If the Vonage router just maintained a single socket connection to the Vonage server, like Skype does, all incoming calls could have the port negotiated (or even occur on the single socket already opened).
Firewall configs would consist of a single port number for UDP and TCP (control connection) traffic.
I have implemented such systems (vidspeak.com) and know what I'm talking about. It's just laziness on the part of the developers, or no access to the firmware of the routers they sell.
All times are GMT - 5 Hours