One Way Audio Issues and STUN
- 
 @jaredbusch said in One Way Audio Issues and STUN: The problem with ALG is that, if I understand how it was originally designed, it is basically a MitM on SIP traffic. That's my understanding of it, and how it is implemented. Had no idea there was a standard for that mess. 
- 
 I've never turned on ALG. I caught this because I have a catchall proxy at the end of my policies for outgoing TCP/UDP/DNS that might have slipped through my other policies. It makes sure that everything is scanned and IPS hopefully catches what I may have missed. 
- 
 I don't like the stock, out of the box -- Allow All to Any 
 Edit: Outgoing: Allow All to Any
- 
 @scotth said in One Way Audio Issues and STUN:
 > I've never turned on ALG.

 On by default, have to manually turn it off.
- 
 @scottalanmiller said in One Way Audio Issues and STUN:
 > @scotth said in One Way Audio Issues and STUN:
 > > I've never turned on ALG.
 >
 > On by default, have to manually turn it off.

 Not in the WatchGuards that I use
- 
 @scotth said in One Way Audio Issues and STUN:
 > @scottalanmiller said in One Way Audio Issues and STUN:
 > > @scotth said in One Way Audio Issues and STUN:
 > > > I've never turned on ALG.
 > >
 > > On by default, have to manually turn it off.
 >
 > Not in the WatchGuards that I use

 We're discussing Ubiquiti here. That's what the OP is using.
- 
 Apologies 
- 
 @scotth said in One Way Audio Issues and STUN:
 > Apologies

 Although nice that WG doesn't turn it on by default, most systems do. Such a bad idea.
- 
 @scottalanmiller said in One Way Audio Issues and STUN:
 > @scotth said in One Way Audio Issues and STUN:
 > > Apologies
 >
 > Although nice that WG doesn't turn it on by default, most systems do. Such a bad idea.

 I'd have to dig, but I'm fairly sure that I saw a notification in one of the release notes for an update that it was to be left off unless you had a VoIP / SIP vendor who specifically required it.
- 
 @scotth Very few, if any, tell you to turn it on. I could see maybe a scenario if the SIP provider provided you the equipment, then sure, if they want it turned on, cool, since they may have certified it. But in general I think the problem is whatever ALG is doing messes up with the firewall and I think basically the traffic is getting probed and flagged!
- 
 I want to go find the programmer who created ALG and throw him in a cage of lions! 
 #frustrated!
