One Way Audio Issues and STUN

krisleslie

@scottalanmiller WOW can I become one of the IETF that proposes things to break things! I'm sure I can do a good job lol

scottalanmiller

@krisleslie said in One Way Audio Issues and STUN:

@scottalanmiller WOW can I become one of the IETF that proposes things to break things! I'm sure I can do a good job lol

Not aware of ALG as any standard. Just an industry option for "break SIP".

JaredBusch

@scottalanmiller said in One Way Audio Issues and STUN:

@krisleslie said in One Way Audio Issues and STUN:

@scottalanmiller WOW can I become one of the IETF that proposes things to break things! I'm sure I can do a good job lol

Not aware of ALG as any standard. Just an industry option for "break SIP".

ALG was part of the SIP Examples RFC (I have read this before but had to google it up again).

https://tools.ietf.org/html/rfc3665

The problem with ALG is that, if I understand how it was originally designed, it is basically a MitM on SIP traffic.

scottalanmiller

@jaredbusch said in One Way Audio Issues and STUN:

The problem with ALG is that, if I understand how it was originally designed, it is basically a MitM on SIP traffic.

That's my understanding of it, and how it is implemented. Had no idea there was a standard for that mess.

scotth

I've never turned on ALG. I caught this because I have a catchall proxy at the end of my policies for outgoing TCP/UDP/DNS that might have slipped through my other policies. It makes sure that everything is scanned and IPS hopefully catches what I may have missed.

scotth

I don't like the stock, out of the box -- Allow All to Any
Edit: Outgoing: Allow All to Any

scottalanmiller

@scotth said in One Way Audio Issues and STUN:

I've never turned on ALG.

On by default, have to manually turn it off.

scotth

@scottalanmiller said in One Way Audio Issues and STUN:

@scotth said in One Way Audio Issues and STUN:

I've never turned on ALG.

On by default, have to manually turn it off.

Not in the Watchguards that I use

scottalanmiller

@scotth said in One Way Audio Issues and STUN:

@scottalanmiller said in One Way Audio Issues and STUN:

@scotth said in One Way Audio Issues and STUN:

I've never turned on ALG.

On by default, have to manually turn it off.

Not in the Watchguards that I use

We're discussing Ubiquiti here. That's what the OP is using.

scotth

Apologies

scottalanmiller

@scotth said in One Way Audio Issues and STUN:

Apologies

Although nice that WG doesn't turn it on by default, most systems do. Such a bad idea.

scotth

@scottalanmiller said in One Way Audio Issues and STUN:

@scotth said in One Way Audio Issues and STUN:

Apologies

Although nice that WG doesn't turn it on by default, most systems do. Such a bad idea.

I'd have to dig, but I'm fairly sure that I saw a notification in one of the release notes for an update that it was to be left off unless you had a VOIP / SIP vendor who specifically required it.

krisleslie

@scotth very few if any tell you to turn it on. I could see maybe a scenario if the SIP provider provided you the equipment then sure if they want it turned on cool, since they may have certified it. But in general it I think the problem is whatever ALG is doing messes up with the firewall and I think basically the traffic is getting probed and flagged!

krisleslie

I want to go find the programmer who created ALG and throw him in a cage of lions!
#frustrated!