An easy single-line firewall rule can be made to restrict inbound traffic from the Internet to port 5060 (or any other service) by using an inverted selection for the source and dropping all other traffic. In other words, the logic is "where traffic is sent to port 5060 and the source does NOT come from our trusted host/subnet, it's dropped". This is achieved by inverting our host or subnet definition to turn it into a 'does not equal' logical operator.


1. Create a new WAN>>LAN firewall rule. Usually under filter set 2.


2. Define your trusted host or subnet, then tick the 'Invert Selection' box.

3. Define the service type as TCP/UDP 5060. Note the source port is 1-65535, only the destination is set to 5060.

4. Set the filter action to 'Block Immediately' and select to Syslog. 

Note that the source IP field has the ! symbol at the beginning of the address. This is programmer speak for 'does not equal'.



Click OK to save your firewall rule & you are almost finished. 


5. Check your work by enabling Syslog Services. For this particular test you only need to enable the firewall log & the syslog server can have a place holder address of 127.0.0.1.

6. Generate some traffic on port 5060 from a non-trusted host and check the log. Note that allowed traffic from your trusted host won't appear in the log, as it doesn't match any rule (remember that the rule only engages when the source != the trusted host/subnet).

NOTE: If you aren't sure how to generate SIP traffic try either SipVicious (svmap) or there are some online checkers also available (Google is your friend here).
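To make the rule logic in steps 1 to 6 concrete, here is an added Python model of the evaluation the router performs (this is example code, not the router's firmware or anything from the original post). The trusted subnet, the sample packets and the log format are all constructed for the example; the point it demonstrates is that with 'Invert Selection' on, only non-trusted sources hitting destination port 5060 match (and get logged), the source port is ignored, and forgetting the invert would block exactly the host you meant to allow.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: your SIP provider's range and the SIP port from the post.
TRUSTED = ipaddress.ip_network("203.0.113.0/24")
SIP_PORT = 5060


@dataclass
class Packet:
    src: str        # source IP address
    src_port: int   # any value 1-65535; the rule does not look at it
    dst_port: int   # the rule only checks the destination port
    proto: str      # "tcp", "udp", or something else


def rule_matches(pkt: Packet, invert_source: bool = True) -> bool:
    """Return True when the WAN>>LAN rule fires for this packet.

    The rule is: service TCP/UDP with destination port 5060 (source port
    1-65535) and source = TRUSTED, with the source selection inverted so
    the condition becomes "source != TRUSTED".
    """
    if pkt.proto not in ("tcp", "udp"):
        return False  # service type is TCP/UDP only
    if pkt.dst_port != SIP_PORT:
        return False  # only the destination port is constrained
    in_trusted = ipaddress.ip_address(pkt.src) in TRUSTED
    # Invert Selection turns "== trusted" into "!= trusted" (the '!' in the GUI).
    return (not in_trusted) if invert_source else in_trusted


def evaluate(packets, invert_source: bool = True):
    """Apply the rule to a packet list: returns (verdicts, syslog_lines).

    'block' is the Block Immediately action with Syslog enabled; 'no_match'
    means the packet falls through to later rules and produces no log line,
    which is why allowed traffic from the trusted host never shows up.
    """
    verdicts, syslog = [], []
    for pkt in packets:
        if rule_matches(pkt, invert_source):
            verdicts.append("block")
            syslog.append(
                f"BLOCK {pkt.proto.upper()} {pkt.src}:{pkt.src_port} -> :{pkt.dst_port}"
            )
        else:
            verdicts.append("no_match")
    return verdicts, syslog


# Constructed sample traffic for step 6.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", 40000, 5060, "udp"),  # trusted provider -> passes, not logged
    Packet("198.51.100.7", 5060, 5060, "udp"),   # untrusted scanner -> blocked and logged
    Packet("198.51.100.7", 51000, 443, "tcp"),   # untrusted but wrong port -> not this rule
    Packet("192.0.2.44", 33333, 5060, "tcp"),    # untrusted over TCP -> blocked and logged
    Packet("192.0.2.44", 0, 0, "icmp"),          # not TCP/UDP -> not this rule
]

if __name__ == "__main__":
    verdicts, log = evaluate(SAMPLE_PACKETS)
    for pkt, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.src:>14} -> :{pkt.dst_port:<5} {pkt.proto:<4} {v}")
    print("syslog:", *log, sep="\n  ")
    # Same rule with Invert Selection forgotten: only the provider gets blocked.
    print("without invert:", evaluate(SAMPLE_PACKETS, invert_source=False)[0])
```

Running it prints two BLOCK lines for the untrusted sources and nothing for the provider, which matches what you should see in the router's firewall log after step 6. The `invert_source=False` run is the mistake to check for if your SIP trunk suddenly stops registering after adding the rule.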