Firewall default config and why are my incoming VoIP calls not blocked?

Hi all,
I am discovering Turris OS (5.1.10 as of today) on a MOX as a router on my recently installed home fibre broadband. I haven’t modified Firewall configuration or added any NAT rules yet, but I have activated/accepted data collection and HaaS via Foris/ReForis.

I have subscribed to VoIP service from my ISP. They provide instructions for firewalls, but, to my surprise, my VoIP phone is actually not blocked… This is confusing, as I was expecting incoming calls to be rejected by the firewall (UDP port 5060 for SIP).

The default rules, as seen by uci/LuCI, are relatively straightforward:

firewall.@zone[0].name='lan'
firewall.@zone[1].name='wan'
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[8].name='Allow-ISAKMP'
firewall.wan_ssh_turris_rule.name='wan_ssh_turris_rule'
firewall.wan_http_turris_rule.name='wan_http_turris_rule'
firewall.wan_https_turris_rule.name='wan_https_turris_rule'

But I have the impression that Sentinel modifies iptables directly and bypasses uci. Does that mean I need to go through the iptables configuration to find out why my VoIP is not blocked?
Any other good way to investigate?

Testing my public IP via services like ShieldsUP! shows open ports (telnet, HTTP, FTP, SMTP), but I suppose these are the honeypots. Well, I hope…
Also, any reason why the Turris firewall generally uses REJECT instead of DROP?

Thanks,

My guess is that your VoIP phone is connecting to their server, establishing a connection which is recognized by the firewall as legitimate traffic. Similar to web traffic. But that’s just a guess.


Yes, thank you for the suggestion. I am now looking at ways to monitor traffic from the IP phone. Maybe it does keep a connection with the VoIP servers, in which case the firewall just sees a connection initiated from within my network.
Now looking into tools to monitor network traffic between this phone and the router…
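One way to test the "phone keeps a connection open" hypothesis without sniffing the phone at all is to read the router's connection-tracking table (`conntrack -L` on OpenWrt-based systems such as Turris OS, once the `conntrack` package is installed). The script below is an added example, not something posted in this thread or shipped by Turris: it parses constructed sample lines in the `conntrack -L` format, picks out UDP 5060 flows, and reports whether each was opened from the LAN side, which is exactly the case the firewall's ESTABLISHED,RELATED accept rule covers. The addresses 192.168.1.50, 203.0.113.10 and 198.51.100.1 are made-up placeholders.

```python
import re

# Constructed sample of `conntrack -L` output (not taken from the poster's router).
# Line 1: the phone (192.168.1.50) has registered with the provider (203.0.113.10);
#         after NAT the reply tuple points at the router's public IP (198.51.100.1).
# Line 2: an unrelated HTTPS session.  Line 3: a DNS query that got no reply yet.
SAMPLE_CONNTRACK = """\
udp      17 170 src=192.168.1.50 dst=203.0.113.10 sport=5060 dport=5060 src=203.0.113.10 dst=198.51.100.1 sport=5060 dport=5060 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.80 sport=51234 dport=443 src=203.0.113.80 dst=198.51.100.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=203.0.113.53 sport=40123 dport=53 [UNREPLIED] src=203.0.113.53 dst=192.168.1.20 sport=53 dport=40123 mark=0 use=1
"""

# Original tuple (who opened the flow) followed by the reply tuple (post-NAT view).
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<osrc>\S+) dst=(?P<odst>\S+) sport=(?P<osport>\d+) dport=(?P<odport>\d+)\s+"
    r"(?P<unreplied>\[UNREPLIED\]\s+)?"
    r"src=(?P<rsrc>\S+) dst=(?P<rdst>\S+) sport=(?P<rsport>\d+) dport=(?P<rdport>\d+)"
    r"(?:\s+\[(?P<assured>ASSURED)\])?"
)


def sip_flows(conntrack_dump, lan_prefix="192.168.1."):
    """Return the UDP 5060 entries, annotated with who opened them (lan_prefix is assumed)."""
    found = []
    for line in conntrack_dump.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "udp" or "5060" not in (m["osport"], m["odport"]):
            continue
        found.append({
            "phone": m["osrc"], "server": m["odst"],
            "lan_initiated": m["osrc"].startswith(lan_prefix),
            "replied": m["unreplied"] is None,
            "assured": m["assured"] is not None,
            "timeout_s": int(m["timeout"]),
            "nat_public_ip": m["rdst"],   # where the server actually sends its packets
        })
    return found


def explain(flow):
    """State why packets from the SIP server get through despite no Allow rule for 5060."""
    if flow["lan_initiated"] and flow["replied"]:
        return (f"{flow['phone']} opened UDP 5060 to {flow['server']}; server packets "
                f"(REGISTER replies and INVITEs for incoming calls) match this entry and are "
                f"accepted by the ESTABLISHED,RELATED rule, not by a port-5060 Allow rule; "
                f"the entry expires in {flow['timeout_s']}s unless the phone keeps it alive.")
    return f"Flow {flow['phone']} -> {flow['server']} was not opened from the LAN or has no reply yet."


if __name__ == "__main__":
    for f in sip_flows(SAMPLE_CONNTRACK):
        print(explain(f))
```

If the phone's entry disappears between its keepalive/re-registration intervals, incoming INVITEs arriving in that gap will hit the default WAN input policy (REJECT) instead, which is the symptom to look for when calls are missed.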

I believe it’s normal for VoIP/SIP to work even if you have no public address (even for incoming calls). I used it that way long ago.