Snort blocking Vonage
My friend called me at home and got about three words out before the line went dead. I figured it was just bad cell phone reception, but it happened again when he called back. It also happened if I tried calling anyone. I had just updated the Snort rules on my pfSense firewall, so I thought that may be the issue, or that the firewall itself was having a problem, or that Vonage was just messing up.
I logged on to the webConfigurator for the firewall to check the system/firewall logs. All UDP traffic using the Vonage port range (10000 – 20000) was being blocked by Snort. Snort automatically blacklists any IPs that trigger an alert. The IPs are blacklisted for 1 hour and then automatically removed. I checked the list and the Vonage IP addresses were listed.
Using the ARIN WHOIS search, I looked up the addresses in order to find the CIDR block (e.g. 192.168.0.0/16). I added each CIDR block to Snort’s whitelist and deleted the IPs from the blacklist. After that, the calls went through without being dropped.
Good thing I checked the logs before calling Vonage. The fix was probably quicker than what would have been the hold time for support.
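The check described above, sketched as an added example that is not part of the original post: it picks out sources blocked on UDP ports 10000 to 20000 and reports which of them no whitelist CIDR block covers yet. The record layout, the addresses (documentation ranges) and the whitelist entries are constructed assumptions, not Snort's or pfSense's actual log format.

```python
import ipaddress

# Constructed sample of blocked-traffic records: (proto, source IP, dest port).
# Simplified layout for illustration; not the real Snort/pfSense log format.
BLOCKED = [
    ("udp", "198.51.100.14", 10234),
    ("udp", "198.51.100.77", 15002),
    ("udp", "203.0.113.9", 19999),
    ("tcp", "192.0.2.50", 12000),  # not UDP, so ignored
    ("udp", "192.0.2.61", 53),     # outside the VoIP port range, so ignored
]

# Hypothetical whitelist: CIDR blocks as they would come back from a WHOIS lookup.
WHITELIST = ["198.51.100.0/24"]

VOIP_PORTS = range(10000, 20001)  # port range named in the post, inclusive


def voip_sources(records):
    """Return the set of source IPs blocked on UDP within the VoIP port range."""
    return {
        ipaddress.ip_address(src)
        for proto, src, port in records
        if proto.lower() == "udp" and port in VOIP_PORTS
    }


def uncovered(sources, whitelist):
    """Return, sorted, the source IPs that no whitelist CIDR block contains."""
    # strict=True rejects entries with host bits set (e.g. a mistyped block).
    nets = [ipaddress.ip_network(cidr, strict=True) for cidr in whitelist]
    return sorted(ip for ip in sources if not any(ip in net for net in nets))


if __name__ == "__main__":
    for ip in uncovered(voip_sources(BLOCKED), WHITELIST):
        print(f"blocked VoIP source not covered by whitelist: {ip}")
```

Keeping the whitelist to the specific blocks returned by WHOIS matters here, since every address inside a whitelisted block is exempt from Snort's automatic blocking.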
Think big thoughts but relish small pleasures. – H. Jackson Brown, Jr.
24.Jan.07
Networking, Security, VoIP