Disabling firewall, responsive firewall, and fail2ban

I’ve been troubleshooting missed call issues for years now with our install. I can’t remember everything I’ve tried, but it’s down to the point where I either have to disable the firewall, or keep manually adding users’ IPs to the trusted list.

I’m not asking for help with that specifically though - Asterisk ultimately keeps thinking people are offline, and I confidently believe at this point it is more related to the Bria mobile app (it normally works fine on my desktop). I’ve contacted Counterpath multiple times, and a lot seems to come down to how the iOS app can’t stay connected due to iOS restrictions, keeps reconnecting, then (I believe) FreePBX ends up blocking the IP.

But either way, here’s the real question. Our business is pending acquisition, and the buyer is absolutely fuming that when he calls our number, nobody ever picks up. Part is from staffing problems/phone coverage, and the other half is the problem with users staying connected. I understand his point of view, and his frustration is bad enough that we’re worried this could blow the deal.

If the acquisition goes through, we’re looking at no more drastic pay cuts, no more fear of closing the doors, and a promising future for each of us. It’s a huge deal, and desperately needed. We would be switching to another system per the buyer/company’s demand, likely Aircall.

How can I “loosen” up the firewall to stop this problem for the next month or two? Everyone has a strong password, and the server password is strong as well. We’re not a high target business, but given I’m using the distro, I believe I am unable to disable the root user. Or, realistically, how high is the risk if I disable the firewall completely for now?

I know this is not ideal, but it’s more a business decision than a tech decision. If he keeps calling and getting no answer, it could literally mean the 5 of us will be unemployed, in a lot of debt (specifically the owner), and out of a lot of money from the buyout.

TLDR: is it safe enough to disable the firewall for a month or two so ongoing issues with that+Bria don’t cost us an acquisition, our jobs, and the owner’s financial future/debt?

You should open the firewall only to the minimum extent necessary, e.g. you should not open the web server port, and you should be religious about applying security fixes, and use very strong passwords on any devices that can place chargeable calls.

You will come under intensive attack in minutes, not weeks.

2 Likes

You’re not wrong. Before I got the firewall setup properly several years ago (aka disabled), I couldn’t believe how many people were even trying to open SIP connections presumably to make free calls.

How do you administer FreePBX without the web server port open? Move it to another port, use a VPN, or something else? This is tough as I frequently have to go in lately to check CDR reports. So I appreciate you bringing that up as well!

Why don’t you just forward calls out to your mobile phones or a landline for the time-being rather than relying on an app that might be causing the issue? Disabling the firewall could cause you much bigger problems. Set to a ring group or miscellaneous destination on the inbound route while you get to the bottom of it.

1 Like

I was actually thinking of this, but totally forgot. Thanks for the reminder and idea.

1 Like

I know I said I didn’t want to troubleshoot further, but I did realize I’ve noticed this:

One user and I seem to have fewer problems showing as online when our IP is manually added to the firewall. Unfortunately, one user’s IP changes regularly, making him harder to sort out. Are there any changes I can make to the responsive firewall to ensure he is added? I wonder if his phone is repeatedly trying to connect and getting him blocked, or what. He is not showing up as blocked by the intrusion detection.

Edit: the other user who was staying connected after manually adding her IP just got disconnected as well after about 20 minutes. Ugh!

Edit 2: with the firewall temporarily off, it appears everyone is staying connected. With just fail2ban off, everyone gets kicked as well. This is even with firewall exclusions for the affected IPs (mine is static as well). The time it takes for disconnects seems to have no rhyme or reason either - could be 20 seconds, could be an hour :confused:

We use the Sangoma Talk app. When we moved from apps like the one you mentioned it stopped all those kinds of issues you are experiencing.

The documentation for setup is really good. If you get stuck feel free to send me a DM.

1 Like

Glad to know we’re not alone.

Appreciate your offer… we’re moving to another platform totally in the near future per request of the buyer. But did you have any better success with any other clients besides Sangoma?

Try whitelisting the first half of the IP address, like this: 123.456.0.0/16 and see how you get on. You will need the /16. I find it much more useful than Responsive Firewall for dynamic IP addresses as Fail2Ban notifications drive me crazy, but just be aware you are now potentially exposing the PBX to anyone on the same mobile network.

1 Like
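Two questions in this thread go together: whether a phone that keeps reconnecting can trip the intrusion detection on its own (the "is his phone repeatedly trying to connect and getting him blocked" post above), and what a /16 whitelist entry actually buys and costs. The script below is an added example, not code from the thread or from FreePBX/fail2ban. It replays constructed log lines whose layout only approximates Asterisk's security log (the regex is an assumption, not the real format), applies a fail2ban-style maxretry/findtime window to decide who would be banned, and then checks each source against a whitelist of CIDR ranges. The addresses and the 198.51.0.0/16 "carrier range" are constructed documentation-style values.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; the line layout approximates Asterisk's security log
# (timestamp, event name, remote address) and is not a verbatim capture.
# 198.51.100.7 plays the mobile client that re-registers badly,
# 203.0.113.9 plays an outside scanner, 192.0.2.44 plays a healthy desktop.
SAMPLE_LOG = """\
[2024-05-01 09:00:00] SECURITY: SecurityEvent="SuccessfulAuth",RemoteAddress="IPV4/UDP/192.0.2.44/5060"
[2024-05-01 09:00:00] SECURITY: SecurityEvent="InvalidPassword",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2024-05-01 09:00:05] SECURITY: SecurityEvent="InvalidPassword",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-05-01 09:00:06] SECURITY: SecurityEvent="InvalidPassword",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-05-01 09:00:07] SECURITY: SecurityEvent="InvalidPassword",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-05-01 09:00:08] SECURITY: SecurityEvent="InvalidPassword",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-05-01 09:02:30] SECURITY: SecurityEvent="InvalidPassword",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2024-05-01 09:03:00] SECURITY: SecurityEvent="InvalidPassword",RemoteAddress="IPV4/UDP/192.0.2.44/5060"
[2024-05-01 09:05:10] SECURITY: SecurityEvent="InvalidPassword",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2024-05-01 09:05:12] SECURITY: SecurityEvent="SuccessfulAuth",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
"""

# Assumed line shape for this example only; adjust to the real log before reuse.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY: SecurityEvent="(?P<event>[^"]+)",'
    r'RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>[0-9.]+)/\d+"'
)
# Event names treated as authentication failures for the ban window.
FAILURE_EVENTS = {"InvalidPassword", "ChallengeResponseFailed", "FailedACL", "InvalidAccountID"}


def parse_events(text):
    """Return (timestamp, event, ip) tuples for every line matching LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["event"], m["ip"]))
    return events


def ban_times(events, maxretry=3, findtime=600):
    """Sliding-window decision in the style of fail2ban's maxretry/findtime:
    an IP is banned at the moment of its maxretry-th failure within findtime
    seconds. Returns {ip: time_of_ban} for the IPs that would be banned."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, event, ip in sorted(events):
        if event not in FAILURE_EVENTS or ip in banned:
            continue
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def is_whitelisted(ip, cidrs):
    """True if ip falls inside any whitelist CIDR (the /16 trick from the thread)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def exposure(cidr):
    """Number of addresses a whitelist entry admits without any ban protection."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def assess(text, whitelist, maxretry=3, findtime=600):
    """Per-IP verdict: 'banned', 'whitelisted' (would be banned but exempt), or 'ok'."""
    events = parse_events(text)
    banned = ban_times(events, maxretry, findtime)
    verdict = {}
    for ip in {ip for _, _, ip in events}:
        if ip in banned:
            verdict[ip] = "whitelisted" if is_whitelisted(ip, whitelist) else "banned"
        else:
            verdict[ip] = "ok"
    return verdict


if __name__ == "__main__":
    whitelist = ["198.51.0.0/16"]  # constructed stand-in for a carrier's /16
    for ip, v in sorted(assess(SAMPLE_LOG, whitelist).items()):
        print(f"{ip:15} {v}")
    for c in whitelist:
        print(f"{c} admits {exposure(c)} addresses unchallenged")
```

With the defaults, the mobile client's three failed registrations spread over five minutes are enough to ban it exactly like the scanner; widening the whitelist to a /16 exempts it, but `exposure()` makes the trade-off the post warns about concrete (65,536 addresses skip the ban logic). Running `assess()` with a shorter `findtime` shows the other knob: at 120 seconds the slow, legitimate reconnects no longer accumulate while the scanner's burst still does.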

Oh that’s a good idea! Thanks, I’ll give that a shot right now.

We only have a few IPs to worry about, so I’d say it’s worth the risk given the situation.

Edit: damn, still the same problem. Just checked and everyone was simultaneously disconnected about 30 min later.

1 Like
