Allow List Packet Processing

The Allow List will allow a packet to pass to the Unified Application using the following:

Unlike Deny All, the Allow List is passive until we write a rule. An empty list will restrict nothing. When we want to restrict a port we must list all valid sources. You can use a port in more than one row to designate more than one valid source.

Preparing to Write or Modify ACL Rules

Before modifying the ACL, particularly if you are modifying the rules for the web administration, make sure to take a backup of the system. In the very worst case you can default the system, and restore the old database, or load it from USB using the System Attendant.

Ensure you have serial port access, or telnet access to port 5003, and have set a remote password to access the command line to disable ACL, should you enter erroneous rules and lock yourself out. It is somewhat harder to do this with Allow Lists than Deny All.

Refer to Knowledge Base Article “Removing ACL Setting When locked out of the System”, to turn ACL off using the serial port or port 5003.

Allow List Rules

You must specify a protocol and port when writing Allow List rules. The rules will tend to have a direction of “Destination”, as we are filtering traffic based on the port it is trying to connect.

An example set of rules are:

The above ruleset demonstrates some basic techniques.

1. Rule 1 protects port 1720, the H.323 and inter-site networking port. In this rule set, only the IP address 129.192.201.100 may connect to TCP port 1720.  The subnet mask i 255.255.255.255 specifies a single IP address, rather than a subnet.
2. Rule 2 protects the TCP SIP port. If you are writing ACL rules to control access to SIP services, do not forget that the UCP listens for connections on 3 ports, not just udp port 5060.

   The ports are specified in SIP Common Attributes (210), options 3, 4 and 5.

   Normally the SIP carrier uses UDP port 5060, so the TCP and the TLS (SIPS) port, do not need to be, and are not exposed externally.

3. The UDP port 5060 version of rule 2. Rules (2) and  (3) allow IP addresses 150.150.xx to access SIP.
4. TCP port 443 is the default port for the Web Administration portal, 443 is the default https port. This rule allows 150.150.x.x to access the web administration and user portal.
5. This row also allows IP addresses 192.168.x.x to access TCP port 443, in addition to those specified in rule (4).
6. This row allows IP addresses  192.168.x.x to access SIP TCP port 5060, in addition to the IP addresses allowed in rule (2).
7. This row allows IP addresses 192.168.x.x to access SIP USP port 5060, in addition to the IP addresses allowed in rule (3).

Shutting Down an Unused a Service

Some network environment require services to shutdown all unused services on a server.  You cannot stop services on the Unified Product Sometimes you wish to “turn off” a service. For example tcp port 7878, although protected by TLS and username/password authentication, allows calls to be initiated. The port is used by Clickcall and UCS.

If these products are not in use, you might want to “shutdown the service”. We can mimick this using allow lists on ACL. Consider the following rule.

We can see this applies to TCP port 7878, used by UCS and Clickcall. The Source IP Address of 127.0.0.1 / 255.255.255.255 is the loopback IP address. The loopback IP address is only used on a device, it means the device itself, because of this, you should never see 127.0.0.1 on any network. This rule allows on applications running on the UCP itself to talk to port 7878. No network device may communicate with the service listening on TCP port 7878.

Applying the ACL or Changes

The ACL rules can be saved and can be applied. Saving the ACL rules, saves the rules but does not immediately apply the rules. Use Apply after save to make the rules as listed the rules being enforced.