Firewall blocks all traffic regardless of zone

Hi there,
I have downloaded & installed the latest version of FreePBX Distro. The system itself is working fine and I can make & receive SIP calls on the internal network. However, this system will be required to serve 2 remote extensions which have changing IP addresses.

I thought the FreePBX firewall would enable me to put my system into the DMZ and this would then allow the phones to register whilst preventing the hacking attempts Asterisk is known for. I’ve installed and enabled Firewall with the following settings:

Responsive Firewall - enabled, with ‘SIP Protocol’ enabled (I am using PJSIP) and Legacy chan_sip Protocol enabled, IAX is disabled.

Port/Service Maps:

Core Services
SSH TCP Port: 22
Warning: Unable to read /etc/ssh/sshd_config - this port may be incorrect. This is expected when viewing through the Web Interface. The correct port, as configured, will be used in the firewall service.

Web Management - TCP Port: 80
Web Management (Secure) - TCP Port: 443
UCP - TCP Port: 81
SIP Protocol - UDP Port: 5060 
CHAN_SIP Protocol - UDP Port: 5061 / TCP Port: 9877
IAX Protocol - UDP Port: 4569 
WebRTC - TCP Port: 8088
HTTP Provisioning - TCP Port: 84
REST Apps - TCP Port: 85
XMPP - TCP Port: 5222
FTP - TCP Port: 21
TFTP - UDP Port: 69 
NFS - Service unavailable
SMB/CIFS - UDP Ports: 137, 138 / TCP Ports: 139, 445
No Custom services defined.

Under the ‘Services’ tab, I have all services added to the ‘internal’ zone. SIP Protocol is also added to ‘Other’ zone. I do not have any custom services added.

‘Status’ page shows a full column of zeros (i.e. no clients have gone through the firewall).

On Zones, I have:
Interfaces: eth0 is added to ‘other’ zone. No other interfaces.
Networks: 192.168.0.106/32 (my admin PC), 192.168.0.0/24, 192.168.0.0/16, 172.16.0.0/12 & 10.0.0.0/8 are all added as trusted networks.
Blacklists: Completely empty.

The server is placed into the DMZ and I have disabled the router firewall for the purpose of testing.

With these settings, I was expecting that all traffic from the outside world would be blocked except valid SIP registrations. However, the remote phones just can’t register at all. I experimented by allowing web admin access to External and Other zones but was also unable to access web control remotely. In fact, the only way I could access web control and get the phones to register was by putting eth0 as a trusted network! Obviously this isn’t safe so I have since taken it off - but it showed that something wasn’t right.

The only other service I have had running is Logmein Hamachi, which I use to remotely administer the server. I have since uninstalled Hamachi to see if this was causing the problem but it has no effect.

Is there something obvious I’m missing here?

Thank you

AC

Same issue here. When I place eth0 in “External” zone where it is supposed to be, remote access is blocked. Can’t even get into the GUI. The FreePBX server is on a static public IP, no NAT. I have placed both the IP address and the dynamic DNS URL (no-ip.org) in the “trusted” zone without effect. The only way to get back to the GUI and enable calling is to go into the CLI and shut down the ipv4tables service. Then I can get into the GUI remotely and turn off the firewall, then restart the ipv4tables service so that at least fail2ban is working.

Has this been answered? I have to restart my FreePBX server to get back in, but I can’t get the firewall to keep its settings. I removed and reinstalled the firewall module and was able to get it to take the settings, but the connection to the freepbx.com VoIP servers was blocked, then on reboot everything went back.

I just don’t feel comfortable leaving my public address out there where people can hack at my machine without a firewall in place.

I’m no expert by any means, but under the firewall services setting it says that “Services that are assigned to zones are accessible to connections matching the zones.” Could that mean that you need to select “External” for your SIP protocol?

Also, I know you said that the IPs connecting from outside your network are dynamic, but for troubleshooting purposes perhaps you could add whatever it happens to be at the moment to Networks under Zones and see if it is accepted. Then see how it responds under the Trusted, Internal, Other and External selections. If it works, do you think it may be OK to add the entire subnet where your dynamic IPs would fall as External under Networks?

Again I really don’t know much about this but I’m really curious to know how it works out for you.
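The zone rule quoted in the reply above (“Services that are assigned to zones are accessible to connections matching the zones”) is easier to reason about with a small model than by flipping GUI settings. The Python below is an added example written for this thread, not FreePBX’s own code. It assumes, as stated in its comments, that an entry under Zones > Networks overrides the interface zone (most specific prefix wins), that “trusted” reaches every service, and that every other zone reaches only the services assigned to it; the Responsive Firewall’s rate-limited registration handling is not modelled. Fed the configuration from the opening post, the model resolves a packet from an unknown address on eth0 to the “other” zone and permits SIP while refusing web management, so under these assumptions that configuration should not by itself stop registration. It also reproduces the second reply’s experiment: adding an address to Networks, or adding a service to a zone, and checking what changes. The class and function names, the probe addresses (203.0.113.10 is from the TEST-NET-3 documentation range) and the service names are constructed for the example.

```python
import ipaddress

# Constructed model of how FreePBX firewall zones gate services. This is an
# illustration written for this thread, not FreePBX's own code. Assumed rules:
#   1. a source address that matches an entry under Zones > Networks takes the
#      zone of the most specific (longest prefix) matching entry;
#   2. otherwise the connection takes the zone of the interface it arrived on;
#   3. "trusted" reaches every service; any other zone reaches only the
#      services assigned to it under the Services tab.
# The Responsive Firewall (rate-limited SIP registration from unknown hosts)
# is not modelled.

ZONES = ("trusted", "internal", "other", "external")


class ZoneModel:
    def __init__(self, interfaces, networks, services):
        self.interfaces = dict(interfaces)                       # iface -> zone
        self.networks = [(ipaddress.ip_network(n), z) for n, z in networks]
        self.services = {s: frozenset(z) for s, z in services.items()}
        for zone in list(self.interfaces.values()) + [z for _, z in self.networks]:
            if zone not in ZONES:
                raise ValueError(f"unknown zone {zone!r}")

    def zone_for(self, iface, src):
        """Zone a packet from src arriving on iface is treated as."""
        addr = ipaddress.ip_address(src)
        matches = [(net, zone) for net, zone in self.networks
                   if addr.version == net.version and addr in net]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        # assumption: an interface not assigned to any zone behaves as external
        return self.interfaces.get(iface, "external")

    def allowed(self, iface, src, service):
        zone = self.zone_for(iface, src)
        if zone == "trusted":
            return True
        return zone in self.services.get(service, frozenset())

    def with_network(self, cidr, zone):
        """Copy of this model with one extra Networks entry (the reply's test)."""
        return ZoneModel(self.interfaces,
                         [(str(n), z) for n, z in self.networks] + [(cidr, zone)],
                         self.services)

    def with_service_zone(self, service, zone):
        """Copy of this model with service additionally exposed to zone."""
        services = {s: set(z) for s, z in self.services.items()}
        services.setdefault(service, set()).add(zone)
        return ZoneModel(self.interfaces,
                         [(str(n), z) for n, z in self.networks], services)


# The configuration as posted: eth0 in "other", RFC 1918 ranges trusted,
# every service in "internal", SIP additionally in "other".
OP_CONFIG = ZoneModel(
    interfaces={"eth0": "other"},
    networks=[("192.168.0.106/32", "trusted"), ("192.168.0.0/24", "trusted"),
              ("192.168.0.0/16", "trusted"), ("172.16.0.0/12", "trusted"),
              ("10.0.0.0/8", "trusted")],
    services={"sip": {"internal", "other"}, "web": {"internal"},
              "ssh": {"internal"}, "ucp": {"internal"}},
)

# Constructed probe addresses: 203.0.113.10 stands in for a remote phone on a
# dynamic address; 192.168.0.106 is the admin PC named in the post.
PROBES = [("203.0.113.10", "sip"), ("203.0.113.10", "web"),
          ("192.168.0.106", "web"), ("192.168.0.50", "ssh")]


def evaluate(model, probes, iface="eth0"):
    """Map each (source, service) probe to whether the model lets it through."""
    return {(src, svc): model.allowed(iface, src, svc) for src, svc in probes}


if __name__ == "__main__":
    for (src, svc), ok in evaluate(OP_CONFIG, PROBES).items():
        zone = OP_CONFIG.zone_for("eth0", src)
        print(f"{src:>15} -> {svc:<4} zone={zone:<8} {'allow' if ok else 'drop'}")
    # The second poster's layout: eth0 in "external" with SIP not exposed there.
    ext = ZoneModel({"eth0": "external"}, [], {"sip": {"internal", "other"}})
    print("eth0 external, SIP not in external:",
          ext.allowed("eth0", "203.0.113.10", "sip"))
    print("after adding SIP to external:      ",
          ext.with_service_zone("sip", "external").allowed("eth0", "203.0.113.10", "sip"))
```

If the real box behaves differently from the model for the same inputs, that difference is the thing to chase (for instance whether the rules were actually loaded, which the all-zero Status page in the opening post hints at) rather than the zone assignments themselves.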