Score:0

How to limit incoming UDP SIP INVITE packets with firewalld?


My System Info:

CentOS Linux release 7.9.2009 (Core)
firewall-cmd v0.6.3
iptables v1.4.21
Kernel 3.10.0-1160.25.1.el7.x86_64

It is running Asterisk v18.4.0 PBX with PJSIP. My carrier sends too many SIP INVITE packets per second, say 20 calls per second, from their VOS3000 softswitch. Most of them get congested (SIP 503) on my outgoing endpoint (e.g. only 2 of the 20 calls reach ringing status).

It causes very high CPU usage, as I am using PHP AGI (FastAGI) for each incoming call as well as when the call hangs up.

Now I want to limit SIP INVITE packets using firewalld. Say I want a maximum of 3 INVITEs per second; I run

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p udp --dport 5060 -m string --algo bm --string "INVITE sip:" -m hashlimit --hashlimit-above 3/sec --hashlimit-mode dstport --hashlimit-name sip -j REJECT --reject-with icmp-port-unreachable
firewall-cmd --reload

The above commands succeed, but the rule does not work. I send 20 calls per second using SIPp from an external host and I see more than 900 calls per minute hit my Asterisk PBX.

Also, running tcpdump -i any -nn icmp on the server does not show any ICMP unreachable messages for port 5060.

mangohost
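The script below is an added example, not part of the question or of any posted answer. It illustrates the usual reason a hashlimit rule placed in firewalld's INPUT_direct chain never fires on CentOS 7: the stock firewalld INPUT chain accepts ctstate RELATED,ESTABLISHED before it jumps to INPUT_direct, and once Asterisk has replied to the first INVITE the whole UDP 5-tuple from the carrier (or from one SIPp host) is ESTABLISHED, so later INVITEs are accepted at rule 1 and never reach the string/hashlimit match. The script checks that ordering against a constructed `iptables -nL INPUT --line-numbers` listing (the listing's shape is the stock CentOS 7 layout; the counters are omitted), computes the ceiling a 3/sec bucket should allow, and prints the same rule re-placed with `--add-passthrough ipv4 -I INPUT 1` so it sits ahead of the conntrack accept. The passthrough placement and the explicit `--hashlimit-burst` are assumptions of this example, not something the poster tried.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes CentOS 7 firewalld's stock
# INPUT layout, where an ACCEPT for ctstate RELATED,ESTABLISHED precedes the
# jump to INPUT_direct, so direct rules never see an already-answered UDP flow.

# Constructed sample of `iptables -nL INPUT --line-numbers` on such a host.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
4    INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
5    INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
6    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Position of the first ACCEPT matching ctstate RELATED,ESTABLISHED (empty if none).
established_accept_pos() {
  printf '%s\n' "$1" | awk '$2=="ACCEPT" && /ctstate RELATED,ESTABLISHED/ {print $1; exit}'
}

# Position of the jump into INPUT_direct (empty if none).
direct_jump_pos() {
  printf '%s\n' "$1" | awk '$2=="INPUT_direct" {print $1; exit}'
}

# True when the conntrack accept shadows INPUT_direct: after the PBX answers the
# first INVITE, every later packet on the same UDP src/dst pair is ESTABLISHED
# and is accepted before the direct chain is consulted.
direct_chain_is_shadowed() {
  est=$(established_accept_pos "$1"); direct=$(direct_jump_pos "$1")
  [ -n "$est" ] && [ -n "$direct" ] && [ "$est" -lt "$direct" ]
}

# hashlimit is a token bucket: `burst` packets pass at once, then `rate` per
# second. Upper bound on INVITEs passing in `secs` seconds of sustained overload.
max_passed() { # rate_per_sec burst secs
  echo $(( $2 + $1 * $3 ))
}

# Same match as the poster's rule, with the burst made explicit (the module's
# default is 5) and inserted at INPUT position 1 via a passthrough so it runs
# before the RELATED,ESTABLISHED accept instead of inside INPUT_direct.
invite_limit_rule() { # rate_per_sec burst
  printf 'firewall-cmd --permanent --direct --add-passthrough ipv4 -I INPUT 1 -p udp --dport 5060 -m string --algo bm --string "INVITE sip:" -m hashlimit --hashlimit-above %s/sec --hashlimit-burst %s --hashlimit-mode dstport --hashlimit-name sip -j REJECT --reject-with icmp-port-unreachable' "$1" "$2"
}

if direct_chain_is_shadowed "$SAMPLE_INPUT_CHAIN"; then
  echo "INPUT_direct (rule $(direct_jump_pos "$SAMPLE_INPUT_CHAIN")) sits behind the RELATED,ESTABLISHED accept (rule $(established_accept_pos "$SAMPLE_INPUT_CHAIN"))"
  echo "With 3/sec and burst 5, at most $(max_passed 3 5 60) INVITEs per minute should get through"
  invite_limit_rule 3 5; echo
  echo 'firewall-cmd --reload'
  echo 'Then confirm hits with: iptables -nvL INPUT --line-numbers   (pkts on rule 1 must climb under SIPp load)'
fi
```

Run it on the live host with the sample replaced by `$(iptables -nL INPUT --line-numbers)` to check your own ordering. Note that `--hashlimit-mode dstport` keeps a single bucket for everyone sending to 5060; switch to `srcip` if you want the 3/sec budget applied per carrier rather than globally. The REJECT keeps the ICMP port-unreachable the poster was looking for in tcpdump; once the rule actually matches, those replies will show up.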

