We are using FreePBX Distro 10.13.66-16 with the responsive firewall turned off so we can use our own iptables rules. The iptables are saved and set to run on reboot with
service iptables save
chkconfig iptables on
However when we reboot the system or run fwconsole restart, our iptables config does NOT load. Instead we get the empty config listed below and have to start iptables manually with “service iptables start”. Why is our config not loading? It seems it’s loading the empty responsive firewall config instead.
[root@nABC ~]# iptables -L -v
Chain INPUT (policy ACCEPT 96 packets, 6440 bytes)
pkts bytes target prot opt in out source destination
0 0 fail2ban-FTP tcp – any any anywhere anywhere multiport dports ftp
0 0 fail2ban-apache-auth tcp – any any anywhere anywhere multiport dports http
96 6440 fail2ban-SIP all – any any anywhere anywhere
96 6440 fail2ban-SIP all – any any anywhere anywhere
0 0 fail2ban-BadBots tcp – any any anywhere anywhere multiport dports http,https
0 0 fail2ban-SSH tcp – any any anywhere anywhere multiport dports ssh
96 6440 fail2ban-recidive all – any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 88 packets, 8293 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-BadBots (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all – any any anywhere anywhere
Chain fail2ban-FTP (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all – any any anywhere anywhere
Chain fail2ban-SIP (2 references)
pkts bytes target prot opt in out source destination
192 12880 RETURN all – any any anywhere anywhere
0 0 RETURN all – any any anywhere anywhere
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all – any any anywhere anywhere
Chain fail2ban-apache-auth (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all – any any anywhere anywhere
Chain fail2ban-recidive (1 references)
pkts bytes target prot opt in out source destination
If I uninstall the responsive firewall the problem goes away so the issue is definitely caused by the responsive firewall. Unfortunately every time we run a Distro update, the firewall is re-installed so this is only a temporary solution. We need a real way to disable the module just like with other modules that are not used.
I have been noticing a very similar issue for the past month(s).
What I’ve found though is that my custom rules are indeed loaded at boot but then wiped away by fail2ban very shortly (seconds to minutes) later. If I then do an “service iptables start” that seems to overwrite what fail2ban has done and I’m back to normal. PITA if I happen to forget when I restart the machine.
The firewall is relatively new, so there are some growing pains associated. @xrobau has been pretty good about keep up with problem people are seeing, but one of the things I recall him saying was that the “chkconfig” iptables should be disabled and all of the “custom” stuff you’d want to do should be added back in through the integrated firewall module.
There has got to be a compromise position on this. I know that lots of us cut our teeth on hand-crafting our IPTables settings (well, not really, I cut my teeth on Hollerith Cards), but this managed method does seem to be the route that most firewall implementations are going.
If there are things that the integrated firewall can’t do, submit a ticket. Making the system work the way the early adopters want to use it, or at least making so that it doesn’t violate the rule of least astonishment, is a good way for us to move forward as a community.
There are many reasons why someone would chose not to use the responsive firewall and I don’t simply add “custom” stuff. I want to use my own iptables config and can’t do it via the responsive firewall GUI.
This is the only module that can not be properly disabled in “module admin” and even though it’s not enabled, it prevents my own iptables config to load on reboot leaving the system totally unprotected.
In my case I’m just at the opposite end of the spectrum of dcitelecom. I originally had two phones on remote sites, both with static IP addresses (now only one). I had problems getting the responsive firewall to work (this was early on in it’s life) properly, things always seemed to be hanging out in the open and frankly it was a case of “why am I wasting my time with this”… allow inbound traffic from two IP’s, deny everything else, done.
I’ve got nothing against the responsive concept but it was just an added level of complexity that I didn’t have time to deal with troubleshooting at the time.
Just so we’re talking about the same things: the responsive firewall is part of the integrated firewall. You can turn the responsive firewall on and off and still have the integrated firewall active. I had problems with the early versions of the integrated firewall, and I’ve never had the responsive firewall turned on.
I use the integrated firewall on all of my systems now - since I don’t have outside connectors, the responsive firewall isn’t really a starter for me.
Right - it’s just IPTables with the tables stored in another repository.
That’s the point I was trying to make. If there are things that you can’t do in the Integrated Firewall that you need to do, you can submit Issues tickets. I have a feeling that @xrobau and his cohorts will review them and make you whole again.
Ooh! I have cohorts now? @tm1000 you hear that? You’re my cohort! So behave.
As far as I know, there’s no outstanding feature requests for Firewall at the moment. The only thing that I’m 100% dead against is letting FreePBX become a router (eg, enabling masquerading in iptables). Everything else should be doable through the UI.
There are various reasons about this, and whilst I’m dead against it now, there’s nothing stopping you from trying to change my mind, so if someone DOES want to do that, I’m always willing to listen.
BTW I installed the integrated responsive firewall and I am a huge convert. This thing is amazing. There is a bit of a learning curve but by far not as steep as trying to learn iptables on your own. Great job.
Is there a limit to how many IPs I can blacklist?
We recently got hacked and traced all the IPs to the xxx territories so I’d like to block the whole area (we got no business there anyways).
Does the firewall use public blacklists by default i.e. block know hacker IPs?
Can we add a file of IPs to block or do they have to be added one by one?
Well, by default EVERYTHING is blocked. If you don’t need external clients (with unknown IP addresses) you can simply disable responsive firewall and leave it locked down.
