Hello!
Sorry for the English.
I am trying to configure the Fritz 7390 (international) firewall to:
1) Block all TCP SIP port 5060 on the WAN. Sipgate uses UDP only and there is no reason for the port to be open.
2) Block all UDP SIP port 5060 except from Sipgate.
3) Log firewall activity
I have no idea how to do #2 and #3. Is it possible?
For #1, in the past, I would just edit the ar7.cfg file to deny tcp 5060 in the dsldpconf section as shown below. However, it does not appear to be working any more. I clearly have the lowinput set to block 5060, but it is not. I also notice there are now two dsldpconf sections. One for "internet" and the other for "voip." I don't really understand why there are these two configurations. Do I need to edit both?
dsldpconfig {
    security = dpsec_firewall;
    filter_teredo = yes;
    filter_netbios = yes;
    lowinput {
        policy = "permit";
        accesslist =
            "deny ip any 242.0.0.0 255.0.0.0",
            "Reject icmp any any",
            "Deny tcp any any eq 5060",
            "deny ip any host 255.255.255.255";
    }
    lowoutput {
        policy = "permit";
    }
    highinput {
        policy = "permit";
    }
    highoutput {
        policy = "permit";
        accesslist =
            "reject ip any 242.0.0.0 255.0.0.0",
            "deny ip any host 255.255.255.255",
            "reject ip any 169.254.0.0 255.255.0.0";
    }
}