Built in Firewall Issue

FreePBX 14.0.5.25
System Firewall 13.0.57.1

All registered clients got disconnected for around an hour over the weekend.
From going around the logs, the only possible culprit seems to be the firewall.
Here is what I see in the messages log:

==========================================================
Mar  9 20:05:46 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.78/32 -j fpbxknownreg
Mar  9 20:06:21 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.66/32 -j fpbxknownreg
Mar  9 20:06:56 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.25/32 -j fpbxknownreg
Mar  9 20:06:56 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.60/32 -j fpbxknownreg
Mar  9 20:06:56 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.57/32 -j fpbxknownreg
Mar  9 20:08:02 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.31/32 -j fpbxknownreg
Mar  9 20:08:02 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.64/32 -j fpbxknownreg
Mar  9 20:08:38 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.22/32 -j fpbxknownreg
Mar  9 20:08:38 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.77/32 -j fpbxknownreg
Mar  9 20:09:13 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.30/32 -j fpbxknownreg
=================================================================

Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.219.115/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.25/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.40/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.55/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.48/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.78/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.73/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.59/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.75/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.74/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.35/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.60/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.77/32 -j fpbxknownreg
========================================

I don’t understand why the fpbxknownreg rules would all be deleted from iptables just to be re-added an hour later.

Any insight would be appreciated.

What about the IDS?
Have you checked? Because fail2ban adds rules to the firewall.

I have just added our 10.0.0.0/8 network to the fail2ban exception list hoping this will solve our issue… Will be monitoring over next weekend… But still wanted some insight and see if other people had seen this behavior in the past.

The log lines you’ve provided show how the responsive firewall reacts when an extension unregisters or loses registration. They are a consequence of the endpoint being unregistered, not the cause.

We have responsive firewall set to disabled.
We only have clients registering on the local network, not over the Internet interface.
The Internet interface is only used for management and updates.

This can be quite a pain. The IDS locks things out even though the firewall module has an IP/FQDN marked as trusted.

I wish the IDS would use the Firewall lists.

It would make sense for the fail2ban exception list to automatically include the IPs and networks that are added to the trusted zone.
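As an added illustration (not code from this thread or from FreePBX), here is a small Python script that does the two checks this discussion calls for: it parses `messages` lines like the ones in the first post to find a burst of `-D fpbxregistrations` deletions followed by a long gap before the matching `-A` re-adds, which gives you the outage window and the affected endpoints, and it then tests whether those endpoints fall inside a fail2ban `ignoreip` list such as the `10.0.0.0/8` entry added above. The sample log is constructed from the lines in the post (the syslog timestamps carry no year, so a placeholder year is assumed for parsing); the function names `parse_events`, `find_outages` and `uncovered_by_ignoreip` are my own and not part of any FreePBX or fail2ban API.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: the deletion burst and a few of the re-add lines from the post.
SAMPLE_LOG = """\
Mar  9 20:05:46 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.78/32 -j fpbxknownreg
Mar  9 20:06:21 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.66/32 -j fpbxknownreg
Mar  9 20:06:56 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.25/32 -j fpbxknownreg
Mar  9 20:06:56 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.60/32 -j fpbxknownreg
Mar  9 20:06:56 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.57/32 -j fpbxknownreg
Mar  9 20:08:02 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.31/32 -j fpbxknownreg
Mar  9 20:08:02 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.64/32 -j fpbxknownreg
Mar  9 20:08:38 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.22/32 -j fpbxknownreg
Mar  9 20:08:38 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.77/32 -j fpbxknownreg
Mar  9 20:09:13 pbx1 php: /sbin/iptables -w5 -W10000 -D fpbxregistrations -s 10.50.1.30/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.25/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.78/32 -j fpbxknownreg
Mar  9 21:00:20 pbx1 php: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.50.1.77/32 -j fpbxknownreg
"""

# Matches the firewall module's iptables calls on the fpbxregistrations chain;
# "op" is D (rule deleted, endpoint unregistered) or A (rule added, endpoint registered).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ php: /sbin/iptables .*?"
    r"-(?P<op>[AD]) fpbxregistrations -s (?P<ip>\d+\.\d+\.\d+\.\d+)/32 -j fpbxknownreg$"
)


def parse_events(text, year=2019):
    """Return a list of (timestamp, op, ip) tuples; syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["op"], m["ip"]))
    return events


def find_outages(events, min_deletes=3, min_gap=timedelta(minutes=30)):
    """Flag a run of at least min_deletes consecutive -D events that is followed
    by the first -A only after min_gap: that is the mass-deregistration window."""
    outages = []
    burst = []  # consecutive deletions not yet followed by a re-add
    for ts, op, ip in sorted(events):
        if op == "D":
            burst.append((ts, ip))
        elif burst:
            gap = ts - burst[-1][0]
            if len(burst) >= min_deletes and gap >= min_gap:
                outages.append({
                    "first_delete": burst[0][0],
                    "last_delete": burst[-1][0],
                    "first_readd": ts,
                    "gap": gap,
                    "ips": sorted({addr for _, addr in burst}),
                })
            burst = []
    return outages


def uncovered_by_ignoreip(ips, ignoreip):
    """Given fail2ban's space-separated ignoreip value, return the endpoints it
    does NOT exempt, i.e. the ones the IDS could still ban."""
    nets = [ip_network(n, strict=False) for n in ignoreip.split()]
    return [ip for ip in ips if not any(ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for o in find_outages(events):
        print(f"deregistration burst {o['first_delete']:%H:%M:%S}-{o['last_delete']:%H:%M:%S}, "
              f"re-registered {o['first_readd']:%H:%M:%S} (gap {o['gap']}), {len(o['ips'])} endpoints")
        # Before the change in the thread: only localhost exempt, every phone is bannable.
        print("not exempt (default ignoreip):", uncovered_by_ignoreip(o["ips"], "127.0.0.1/8 ::1"))
        # After adding the LAN, as the poster did.
        print("not exempt (10.0.0.0/8 added):", uncovered_by_ignoreip(o["ips"], "127.0.0.1/8 ::1 10.0.0.0/8"))
```

Run it against the real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents; a reported window whose endpoints are all inside the trusted LAN, with no matching fail2ban ban entries for those addresses, points away from the IDS and toward the endpoints themselves losing registration, which is the reading given in the reply above.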
