I am trying to limit access to a FreePBX server so that only North American IP addresses can reach it. I would like to accomplish this with a whitelist and blacklist ipset and then I would add something like:
-A INPUT -m set --match-set whitelist src -j ACCEPT
-A INPUT -m set --match-set blacklist src -j DROP
to the Firewall Advanced Custom Rules.
I noticed that FreePBX already uses ipset for the Let’s Encrypt rules.
Ideally I could piggyback off of this to add my own additional IP sets.
By definition, every whitelist is an implicit deny-else, and every blacklist is an accept-else, is it not?
I guess I could just blacklist every single IP outside of North America using the blacklist bulk handler.
Edit: Never mind, the blacklist bulk handler is for blacklisting numbers, not IP addresses.
As a better question: are you pointing the Internet raw at your FreePBX server?
Why not do your blacklist at a firewall level, upstream of the PBX?
The server has a dedicated WAN connection. Usually I rely on FreePBX’s responsive firewall and it hasn’t failed me yet. This particular client doesn’t like seeing the failed register messages in the logs. I’ve explained to him that he doesn’t need to be scared since the responsive firewall will block those IPs after a while.
I was curious to see if there was a way to implement ipsets. Clearly there is since the Let’s Encrypt rules seem to be applied this way.
(Disclaimer) I would not suggest permitting global access to your server.
You can create ipsets allowing only US addresses, and only allow those addresses in. If your FreePBX server is running nftables, here is a link to a video describing the process for SSH. You can just change the port number to make it apply to FreePBX.
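Added example, not code posted in this thread or shipped by FreePBX: a POSIX shell script that turns a country prefix list into an atomically-refreshed ipset, emits the matching iptables rules for the Firewall Advanced Custom Rules box, and emits the nftables equivalent mentioned in the last reply. The set names `whitelist`/`blacklist`, the SIP port 5060/udp, the nft table and chain names, and the one-prefix-per-line input format are assumptions; the prefixes embedded below are constructed RFC 5737 documentation ranges, not real North American allocations.

```shell
#!/bin/sh
# Added example (not from the thread). Generates ipset definitions plus the
# iptables and nftables rules for a country-based allow-list on a PBX.
# Assumptions: set names "whitelist"/"blacklist", SIP on 5060/udp, and an
# input format of one IPv4 CIDR per line with '#' comments.

# Constructed sample prefix list (RFC 5737 documentation ranges). These are
# NOT North American allocations; a real list comes from registry delegation
# data for the countries you allow.
SAMPLE_CIDRS='# constructed sample, one prefix per line
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
'

# Drop comments and blank lines; keep only syntactically valid IPv4 CIDRs so a
# malformed entry in the feed cannot break the whole restore.
clean_cidrs() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]//g' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Emit an "ipset restore" script. The prefixes go into a temporary set that is
# then swapped with the live one, so the live set is never empty mid-update
# (a flush-then-add sequence would briefly allow nothing).
ipset_restore_script() {
    set_name="$1"; cidrs="$2"
    printf 'create %s hash:net family inet -exist\n' "$set_name"
    printf 'create %s_tmp hash:net family inet -exist\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    clean_cidrs "$cidrs" | while read -r cidr; do
        printf 'add %s_tmp %s\n' "$set_name" "$cidr"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Emit the Advanced Custom Rules. The blacklist DROP is checked before the
# whitelist ACCEPT so a blocked host inside an allowed prefix stays blocked;
# the final DROP on the SIP port is the explicit deny-else a whitelist implies.
# Scoping to the SIP port keeps a bad list from locking you out of management.
iptables_custom_rules() {
    port="${1:-5060}"
    cat <<EOF
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -p udp --dport $port -m set --match-set whitelist src -j ACCEPT
-A INPUT -p udp --dport $port -j DROP
EOF
}

# nftables equivalent (hypothetical table/chain names "filter"/"sip_in").
# An interval set stores prefixes; the accept/drop pair mirrors the rules above.
nft_rules() {
    port="${1:-5060}"; cidrs="$2"
    elems=$(clean_cidrs "$cidrs" | tr '\n' ',' | sed -e 's/,$//' -e 's/,/, /g')
    cat <<EOF
add table inet filter
add set inet filter whitelist { type ipv4_addr; flags interval; }
add element inet filter whitelist { $elems }
add chain inet filter sip_in { type filter hook input priority 0; }
add rule inet filter sip_in udp dport $port ip saddr @whitelist accept
add rule inet filter sip_in udp dport $port drop
EOF
}

# Load the sets for real; only meaningful as root on a host with ipset.
apply_ipsets() {
    if [ "$(id -u)" -ne 0 ] || ! command -v ipset >/dev/null 2>&1; then
        echo "apply_ipsets: needs root and the ipset tool" >&2
        return 1
    fi
    ipset create blacklist hash:net family inet -exist
    ipset_restore_script whitelist "$SAMPLE_CIDRS" | ipset restore
}

# Stand-alone run: print what would be loaded rather than touching the kernel.
ipset_restore_script whitelist "$SAMPLE_CIDRS"
iptables_custom_rules 5060
```

Rerun `ipset_restore_script ... | ipset restore` from cron whenever the prefix feed changes; because the swap is atomic the PBX never sees an empty allow-list. The iptables lines only work if both sets already exist when the firewall loads, which is why `apply_ipsets` creates an empty `blacklist` before restoring `whitelist`.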