System Firewall question

We have a simple iptables firewall that drops everything except the IP of our (single) customer and our supplier. Should we switch to the new System Firewall or can we stick with the old one listed below in simplified form? Thanks for any feedback.
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
… miscellaneous code to allow local loopback, related, established traffic
-A INPUT -p udp -s x.x.x.x --dport 5060 -j ACCEPT -m comment --comment "CUSTOMER"
-A INPUT -p udp -s x.x.x.x --dport 5060 -j ACCEPT -m comment --comment "SUPPLIER"
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
… SSH, SSL ports etc
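As an added check, not part of the question or of FreePBX, here is a small Python audit of an iptables-save dump in the shape of the rules above; the sample rules and the placeholder addresses in it are constructed. It confirms the DROP default policies and flags any port opened without a source restriction (the RTP range in the post is one), so the "allow only those IPs" intent can be re-verified after any change.

```python
import shlex
from typing import Dict, List

# Constructed sample in iptables-save form, modelled on the ruleset in the
# question; x.x.x.x replaced with documentation-range placeholder addresses.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -s 192.0.2.10 --dport 5060 -j ACCEPT -m comment --comment "CUSTOMER"
-A INPUT -p udp -s 198.51.100.20 --dport 5060 -j ACCEPT -m comment --comment "SUPPLIER"
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_input_accepts(text: str) -> Dict[str, object]:
    """Collect chain default policies and INPUT rules that jump to ACCEPT."""
    policies, accepts = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT"):
            toks = shlex.split(line)
            # Map each option to the value that follows it ("-s" -> address).
            rule = {t: toks[i + 1] for i, t in enumerate(toks)
                    if t.startswith("-") and i + 1 < len(toks)
                    and not toks[i + 1].startswith("-")}
            if rule.get("-j") == "ACCEPT":
                accepts.append(rule)
    return {"policies": policies, "accepts": accepts}

def audit(text: str) -> List[str]:
    """Return findings; an empty list means the whitelist-only policy holds."""
    parsed = parse_input_accepts(text)
    findings = [f"{c} default policy is not DROP"
                for c in ("INPUT", "FORWARD") if parsed["policies"].get(c) != "DROP"]
    for rule in parsed["accepts"]:
        port = rule.get("--dport")
        # Loopback and RELATED,ESTABLISHED rules carry no port; only port
        # openings without a -s source restriction are reported.
        if port is not None and "-s" not in rule:
            findings.append(f"{rule.get('-p')} dport {port} accepted from any source")
    return findings
```

Run it against the output of `iptables-save` on the box; the RTP range finding is expected if media must arrive from the carrier's media servers rather than the signalling address, and can be narrowed to their ranges.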

Hi,

I suggest doing some tests on a backup machine prior to changing it on your production system. You will need to learn the behavior of this module first. It is better than your static rules, but nevertheless do not test it on your production system before getting to know it better.

Thank you,

Daniel Friedman
Trixton LTD.

I feel like the firewall module is pretty solid now. If all you are doing is connecting to your supplier and you don’t have any remote extensions, you are probably fine just the way you are. The firewall module is a really slick GUI firewall with a responsive element that will allow remote extensions to make a few attempts and, if they do so correctly, allow their traffic.

OK. Thanks. I switched it on. How come the “System Overview” on the Dashboard says “Firewall service not running” even though the responsive firewall is enabled and running?

I’d be careful with it if I was you. Your needs are so simple that you already had a firewall doing absolutely everything that you needed. If the old one was working 100%, the best that you can hope for from the firewall module is to keep it working while making it far more complicated. When you only need to allow one or two IPs through, keep it simple and just allow those. You don’t need dynamic rules. That’s what I would do, anyways…

OK, but I decided to try the System Firewall. I enabled it in the GUI and switched on the Responsive firewall. On the Dashboard I see an error message for the firewall saying “Firewall Service not running”. Is this an error in the GUI or an error in the firewall?

OK something is off.
GUI says firewall is running. Dashboard says firewall service is NOT running.
[root@ny ~]# ps auxww | grep firewall
root 31466 0.0 0.0 4356 736 pts/0 S+ 13:54 0:00 grep firewall
[root@ny ~]#

As far as I understand/remember it, the System Firewall ‘just’ manipulates your iptables rules, and it has a 5 minute grace period before it engages (there is one long thread on this forum where this is described).

As you suspect, something is not right.

# ps aux | grep firewall
root      3244  0.2  0.5 326228 16220 ?        S    12:38   0:00 php /var/www/html/admin/modules/firewall/hooks/voipfirewalld
root      3918  0.0  0.0 103244   868 pts/2    S+   12:41   0:00 grep firewall

Ensure all modules are up to date, run fwconsole chown and reboot. Maybe @xrobau has an idea.

The ‘Safe Mode’ has been changed. It’s an optional feature (viewed and settable from the main firewall screen) that can be turned on or off and if on, it requires two reboots in succession to trigger the 5 minute delay in the startup of the firewall.

oh, sorry I stand corrected then :wink:

I have uninstalled the firewall, re-installed it, installed the beta version, etc…
I ran fwconsole chown and rebooted. Anything I can think of, and I still get the same error.

When I reboot my system the DASHBOARD says "Firewall starting up"
During startup:
ps auxww | grep firewall
root 1614 0.0 0.6 54856 11736 ? S 18:26 0:00 php /var/www/html/admin/modules/firewall/hooks/voipfirewalld
root 2076 0.0 0.0 4356 740 pts/0 S+ 18:28 0:00 grep firewall

Broadcast message from [email protected] (Fri Nov 20 18:30:48 2015):
Firewall service will start automatically in 30 seconds or less!
Firewall service now starting.

Once the firewall service is started the DASHBOARD says "Firewall service not running"
and ps auxww | grep firewall
root 2670 0.0 0.0 4356 736 pts/0 S+ 18:31 0:00 grep firewall
[root@ny ~]#

What version of the distro are you running?

FreePBX Distro 10.13.66-6
FreePBX 13.019

There’s a firewall log file in /tmp/firewall.log which will normally have any crashes in it.

(IPs changed)
I see a PHP fatal error in the log (66.22.11.8 & 66.22.11.9 are in the System Admin whitelist):

PHP Fatal error: Uncaught exception 'Exception' with message 'Unknown host address 66.22.11.9/255.255.255.255' in /var/www/html/admin/modules/firewall/drivers/Iptables.class.php:646
Stack trace:
#0 phar:///var/www/html/admin/modules/firewall/hooks/voipfirewalld/firewall.php(378): FreePBX\modules\Firewall\Drivers\Iptables->updateTargets(Array)
#1 phar:///var/www/html/admin/modules/firewall/hooks/voipfirewalld/firewall.php(149): updateFirewallRules(true)
#2 /var/www/html/admin/modules/firewall/hooks/voipfirewalld(3): include('phar:///var/www…')
#3 {main}
thrown in /var/www/html/admin/modules/firewall/drivers/Iptables.class.php on line 646
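The trace shows a single whitelist entry written with a dotted netmask taking the whole daemon down, which is why the Dashboard then reports the service as not running. As an added example (my code, not the FreePBX firewall module's), here is how a whitelist loader can normalise both prefix-length and dotted-netmask forms and isolate a bad entry instead of aborting; that the netmask notation is what the module's parser rejected is my assumption from the message, and the sample list is constructed around the two addresses quoted above.

```python
import ipaddress
from typing import List, Tuple

# Constructed whitelist: the two addresses quoted from the log above, plus the
# other forms an administrator is likely to type (prefix length, bare host,
# dotted netmask) and one malformed entry.
SAMPLE_WHITELIST = [
    "66.22.11.8/255.255.255.255",
    "66.22.11.9/255.255.255.255",
    "203.0.113.0/24",
    "198.51.100.7",
    "10.0.0.0/255.255.0.0",
    "not-an-address",
]

def normalize_host(entry: str) -> str:
    """Return the entry as canonical CIDR text.

    ipaddress.ip_network accepts both 'a.b.c.d/N' and 'a.b.c.d/dotted-mask';
    a bare address becomes a single-host network. strict=False tolerates host
    bits set below the mask instead of rejecting the entry.
    """
    entry = entry.strip()
    if "/" not in entry:
        addr = ipaddress.ip_address(entry)
        return f"{addr}/{addr.max_prefixlen}"
    return str(ipaddress.ip_network(entry, strict=False))

def load_whitelist(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Split entries into accepted CIDRs and rejected raw strings.

    One malformed entry is reported rather than raised, so a daemon using
    this would keep running with the rest of the list applied instead of
    dying on startup as in the trace above.
    """
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(normalize_host(entry))
        except ValueError:
            rejected.append(entry)
    return accepted, rejected
```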

I’m pretty sure that’s fixed in the latest version. Check to make sure you’re running the latest beta?