I have downloaded & installed the latest version of FreePBX Distro. The system itself is working fine and I can make & receive SIP calls on the internal network. However, this system will be required to serve 2 remote extensions which have changing IP addresses.
I thought the FreePBX firewall would enable me to put my system into the DMZ and this would then allow the phones to register whilst preventing the hacking attempts Asterisk is known for. I’ve installed and enabled Firewall with the following settings:
Responsive Firewall - enabled, with ‘SIP Protocol’ enabled (I am using PJSIP) and Legacy chan_sip Protocol enabled, IAX is disabled.
Core Services:
SSH - TCP Port: 22 (Warning: Unable to read /etc/ssh/sshd_config - this port may be incorrect. This is expected when viewing through the Web Interface. The correct port, as configured, will be used in the firewall service.)
Web Management - TCP Port: 80
Web Management (Secure) - TCP Port: 443
UCP - TCP Port: 81
SIP Protocol - UDP Port: 5060
CHAN_SIP Protocol - UDP Port: 5061 / TCP Port: 9877
IAX Protocol - UDP Port: 4569
WebRTC - TCP Port: 8088
HTTP Provisioning - TCP Port: 84
REST Apps - TCP Port: 85
XMPP - TCP Port: 5222
FTP - TCP Port: 21
TFTP - UDP Port: 69
NFS - Service unavailable
SMB/CIFS - UDP Ports: 137, 138 / TCP Ports: 139, 445
No Custom services defined.
Under the ‘Services’ tab, I have all services added to the ‘internal’ zone. SIP Protocol is also added to ‘Other’ zone. I do not have any custom services added.
‘Status’ page shows a full column of zeros (i.e. no clients have gone through the firewall).
On Zones, I have:
Interfaces: eth0 is added to ‘other’ zone. No other interfaces.
Networks: 192.168.0.106/32 (my admin PC), 192.168.0.0/24, 192.168.0.0/16, 172.16.0.0/12 & 10.0.0.0/8 are all added as trusted networks.
Blacklists: Completely empty.
The server is placed into the DMZ and I have disabled the router firewall for the purpose of testing.
With these settings, I was expecting that all traffic from the outside world would be blocked except valid SIP registrations. However, the remote phones just can’t register at all. I experimented by allowing web admin access to External and Other zones but was also unable to access web control remotely. In fact, the only way I could access web control and get the phones to register was by putting eth0 as a trusted network! Obviously this isn’t safe so I have since taken it off - but it showed that something wasn’t right.
The only other service I have had running is Logmein Hamachi, which I use to remotely administer the server. I have since uninstalled Hamachi to see if this was causing the problem but it has no effect.
Is there something obvious I’m missing here?
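The zone model in the post (an interface assigned to a zone, trusted networks that override it, and services allowed per zone) can be worked through with a small policy evaluator. The following is an added illustration written for this thread, not FreePBX's own code or firewall logic: it assumes that a source address is matched against the most specific configured network first and only falls back to the receiving interface's zone when no network matches, that the "trusted" zone is not filtered at all, and that any other zone only passes services explicitly assigned to it. The poster's configuration is reproduced as input, and the remote address 203.0.113.5 is a constructed sample. The Responsive Firewall's rate-limiting of unknown registrations is deliberately not modelled.

```python
"""Simplified model of a zone-based firewall (added example, not FreePBX code)."""
import ipaddress


class ZoneFirewall:
    """Decides whether a packet is accepted, using zones as described in the post.

    Assumed precedence (a model assumption, not documented FreePBX behaviour):
      1. the most specific configured network containing the source address,
      2. otherwise the zone of the interface the packet arrived on,
      3. 'trusted' is unfiltered; other zones pass only services assigned to them.
    """

    def __init__(self):
        self.interfaces = {}   # interface name -> zone
        self.networks = []     # list of (ip_network, zone)
        self.services = {}     # service name -> set of zones it is allowed in
        self.ports = {}        # (proto, port) -> service name

    def add_service(self, name, proto, port, zones):
        self.services[name] = set(zones)
        self.ports[(proto, port)] = name

    def add_network(self, cidr, zone):
        self.networks.append((ipaddress.ip_network(cidr), zone))

    def set_interface(self, iface, zone):
        self.interfaces[iface] = zone

    def zone_for(self, iface, src):
        """Return the zone a packet from src arriving on iface is evaluated in."""
        addr = ipaddress.ip_address(src)
        matches = [(net, zone) for net, zone in self.networks if addr in net]
        if matches:
            # Longest prefix wins, e.g. the /32 admin PC over the /24 LAN.
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        # Unknown address: fall back to the zone of the receiving interface.
        return self.interfaces.get(iface, "external")

    def allows(self, iface, src, proto, port):
        """True if the packet would be accepted by this model."""
        service = self.ports.get((proto, port))
        if service is None:
            return False            # no service listens on that port
        zone = self.zone_for(iface, src)
        if zone == "trusted":
            return True             # trusted zone is not filtered at all
        return zone in self.services[service]


def build_posted_config(eth0_zone="other"):
    """Rebuild the configuration from the post; eth0_zone lets you try 'trusted'."""
    fw = ZoneFirewall()
    fw.set_interface("eth0", eth0_zone)
    for cidr in ("192.168.0.106/32", "192.168.0.0/24", "192.168.0.0/16",
                 "172.16.0.0/12", "10.0.0.0/8"):
        fw.add_network(cidr, "trusted")
    # Services from the post: SIP is in 'internal' and 'other', the rest in 'internal' only.
    fw.add_service("sip", "udp", 5060, ["internal", "other"])
    fw.add_service("web", "tcp", 80, ["internal"])
    fw.add_service("web_secure", "tcp", 443, ["internal"])
    fw.add_service("ssh", "tcp", 22, ["internal"])
    return fw


def exposure_report(fw, src="203.0.113.5"):
    """List which (proto, port) pairs a constructed remote address could reach on eth0."""
    return sorted((proto, port) for (proto, port) in fw.ports
                  if fw.allows("eth0", src, proto, port))


if __name__ == "__main__":
    print("eth0 in 'other':  ", exposure_report(build_posted_config("other")))
    print("eth0 in 'trusted':", exposure_report(build_posted_config("trusted")))
```

Run as a script it prints the exposure for the two interface placements the post tried: with eth0 in "other" only UDP 5060 is reachable from an unknown address, while with eth0 in "trusted" every configured service, including SSH and the web interfaces, is reachable from anywhere, which is why the last configuration in the post is unsafe. The model also makes clear that the trusted RFC 1918 networks never affect a phone on a public, changing address, so they cannot be what lets remote extensions register.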