
Dynamic IPs added to firewall


(Brandon Brown) #7

I am using the fwconsole command as @lgaetz suggested, but when I run iptables -L immediately after adding it, the IP address I just added doesn’t appear.


(Dave Burgess) #8

When you try this, what does it tell you?


(Brandon Brown) #9

Shows me the IP addresses I just added. But I believe this may be pulling it from the database; I could be wrong, though.


(Dave Burgess) #10

It’s pulling from the same source the Integrated Firewall is pulling it from.


(Brandon Brown) #11

I am doing these commands and don’t see it added to iptables. However, if I go into the GUI and add 8.8.8.8 and then immediately run the iptables -L | grep google command, it finds it in the list.

[screenshot: fwconsole commands and iptables -L output]

[screenshot: after adding through GUI]


(Lorne Gaetz) #12

Shoot, there may be an open ticket on this. On mobile will link later if no one beats me to it.

edit: ticket is here https://issues.freepbx.org/browse/FREEPBX-18511


(Brandon Brown) #13

I might take a look tonight and see if I can tackle that open ticket.


(Brandon Brown) #14

I opened a pull request that fixes the problem https://github.com/FreePBX/firewall/pull/2


(Brandon Brown) #15

@lgaetz I want to start running my modified version of the firewall module until my pull request gets merged and released. However, I seem to be having difficulty getting it to run with a locally signed key: it just fails to start because the module signature is different, and turning off signature checking didn’t help.

I am waiting for my gpg key to be added to the FreePBX trust web, but was looking for a workaround until that is complete. The only way I can get the firewall to run with the modified code is to manually add the changes to the file while FreePBX is running, but obviously this isn’t a good idea.

Do you have any suggestions or do I have to wait until it is released or my key is signed and added?


(Lorne Gaetz) #16

Unfortunately I do not, but perhaps @xrobau can provide a pointer as he is very familiar with both firewall and module signing.


(Rob Thomas) #17

Things that run as root have a second level of whitelisting. I saw your pull request and I’ll build you a package with your changes.


(Brandon Brown) #18

Awesome thank you!


(Rob Thomas) #19

I signed the module, and @BigB confirmed it worked - I’ll update phonebo.cx with the link, but here’s the updated module for those that are playing along at home.

https://cdn.phonebo.cx/modules/firewall/firewall-13.0.58.2.tar.gz

I do remember this ORIGINALLY being a design decision, as I was being (in retrospect) overly paranoid, but it seems unwarranted.


(Lorne Gaetz) #20

Quitting after test 1 with 100% success rate:

[root@vvs ~]# fwconsole firewall add trusted 1.2.3.4/32
Attempting to add '1.2.3.4/32' to Zone 'trusted' ... Success!

[root@vvs ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
        1.2.3.4/32

[root@vvs ~]# iptables-save | grep 1.2.3.4
-A fpbxnets -s 1.2.3.4/32 -j zone-trusted

[root@vvs ~]# fwconsole firewall del trusted 1.2.3.4
Attempting to remove 1.2.3.4 from 'trusted' Zone ... Success!

[root@vvs ~]# fwconsole firewall list trusted
All entries in zone 'trusted':

[root@vvs ~]# iptables-save | grep 1.2.3.4
[root@vvs ~]#

(Lorne Gaetz) #21

Kudos to you @BigB:

Lots of well-intended folks say they will take a look (myself included, unfortunately), but the number that follow through is achingly small. And the pull request coming within a few hours puts you in a class by yourself. ⭐


(Brandon Brown) #22

I have created a cron job that takes advantage of the fwconsole firewall method that @lgaetz mentioned above, which made things so much easier once the bug was fixed in the module. Thanks a lot for pointing me in the right direction!

I would also like to thank @xrobau for answering some questions about module signing and getting me a signed copy of the firewall module with my changes so I could throw it on our production server and test it out.

Here is the script I made: https://gist.github.com/Yamaha32088/28321c070a2dcb79f630326a72e15dff
Please feel free to make any suggestions or comments; the script was made in a rush, but it seems to work wonderfully so far.

The script works by first requesting a copy of all the authorized IPs from a remote URL and parsing them into an array. I then compare that array to the IPs that are already added to the desired zone and find the difference between the two. I can then delete the IPs that are not in the remote list and add any new ones not previously added. One thing I found out that you should be aware of: the fwconsole firewall script will overwrite the zone of an existing IP address. If, for example, you have the IP address 1.1.1.1 inside of the trusted zone and then execute fwconsole firewall add other 1.1.1.1, it will remove it from the “trusted” zone and add it to the “other” zone, so be careful with that.
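The sync procedure described in the post above (fetch a remote allow-list, diff it against the zone, delete stale entries, add new ones), together with the iptables-save check from post #20, as an added example. This is not the gist linked above and not FreePBX's own code; it assumes the fwconsole firewall list/add/del commands and the iptables-save rule shape exactly as shown in this thread, and REMOTE_URL is a placeholder you replace with your own list. The example only ever writes to one zone, because of the zone-overwrite behaviour noted above, and refuses to act on an empty remote list so a transient fetch problem cannot empty the zone.

```python
"""Sync one FreePBX firewall zone against a remote allow-list.

Added example, not the thread's gist. Assumes (from this thread):
  fwconsole firewall list ZONE  -> "All entries in zone 'ZONE':" + indented CIDRs
  fwconsole firewall add|del ZONE CIDR
  iptables-save lines like: -A fpbxnets -s 1.2.3.4/32 -j zone-trusted
"""
import ipaddress
import subprocess
import sys
import urllib.request

ZONE = "trusted"                                        # the only zone this script writes to
REMOTE_URL = "https://example.invalid/allowed-ips.txt"  # placeholder, replace with your list


def parse_ip_list(text):
    """One address or CIDR per line; blank lines and '#' comments ignored.

    Entries are normalised ("1.2.3.4" -> "1.2.3.4/32") so they compare
    equal to what fwconsole prints back. A malformed line raises, so a
    corrupted remote list aborts the run instead of silently changing rules.
    """
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(str(ipaddress.ip_network(line, strict=False)))
    return entries


def parse_zone_listing(text):
    """Parse the output of 'fwconsole firewall list ZONE' into a set of CIDRs."""
    entries = set()
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("All entries in zone"):
            entries.add(str(ipaddress.ip_network(s, strict=False)))
    return entries


def plan(remote, current):
    """Return (to_add, to_remove) as sorted lists of CIDR strings."""
    return sorted(remote - current), sorted(current - remote)


def rule_present(iptables_save_text, cidr, zone=ZONE):
    """True if iptables-save shows the fpbxnets rule sending cidr to zone-<zone>."""
    target = f"-A fpbxnets -s {cidr} -j zone-{zone}"
    return any(line.strip() == target for line in iptables_save_text.splitlines())


def run(cmd):
    """Run a command and return its stdout; a non-zero exit raises."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def fetch_remote():
    return urllib.request.urlopen(REMOTE_URL, timeout=30).read().decode()


def sync(fetch=fetch_remote):
    """Apply the diff to ZONE and return (added, removed, missing_after_apply).

    Note from the thread: 'fwconsole firewall add' moves an address that is
    already in another zone, so only feed this script addresses that belong
    in ZONE and nowhere else.
    """
    remote = parse_ip_list(fetch())
    if not remote:
        raise SystemExit("remote list is empty; refusing to remove every entry")
    current = parse_zone_listing(run(["fwconsole", "firewall", "list", ZONE]))
    to_add, to_remove = plan(remote, current)
    for cidr in to_remove:
        run(["fwconsole", "firewall", "del", ZONE, cidr])
    for cidr in to_add:
        run(["fwconsole", "firewall", "add", ZONE, cidr])
    # Verify against the live ruleset, not the database (the original complaint in this thread).
    saved = run(["iptables-save"])
    missing = [c for c in to_add if not rule_present(saved, c)]
    return to_add, to_remove, missing


if __name__ == "__main__":
    added, removed, missing = sync()
    print(f"added={added} removed={removed} missing_in_iptables={missing}")
    sys.exit(1 if missing else 0)
```

Run it from cron as root (fwconsole and iptables-save both need it); a non-zero exit means an address was accepted by fwconsole but never reached the ruleset, which is exactly the symptom the fixed module was meant to remove.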


(Rob Thomas) #23

That DOES seem overly complex. I would probably have just added them all as dynamic DNS entries and put the hostname in. But as long as it works 8)

Or, you could just add them all to an A record of some DNS host, and add that. I did actually miss the start of this, so I would have suggested a better way, but it paid off because YAY I FINALLY HAVE SOMEONE ELSE AS A SUBMITTER TO FIREWALL! 8)


(Lorne Gaetz) #24

Please add a line about licensing to your script. If you don’t know/care about such things just put:
GNU GPL3+


(Rob Thomas) #25

This has been published to Firewall Edge (including the other pull request) in Firewall 13.0.60.2, so for anyone else looking at this from the future, that’s the minimum version you need!

