Firewall custom rules > help pls


(somianduso) #1

Hello, I’m trying to add custom rules to the firewall but I cannot find any guide that helps… This is what I have done so far:

  • Firewall - Advanced > ENABLED CUSTOM RULES

  • Added rules to the file:
    (correct file name; the earlier one was an error) nano /etc/firewall-4.rules

# icmp ping
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 5 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p icmp --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p icmp -j DROP

# SSH - port 22 tcp
-A INPUT -p tcp --dport 22 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 22 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP

# HTTPS - port 443 tcp
-A INPUT -p tcp --dport 443 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 443 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 443 -j DROP

# HTTP - port 80 tcp
-A INPUT -p tcp --dport 80 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 80 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP

# FTP - port 21 tcp
-A INPUT -p tcp --dport 21 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 21 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 21 -j DROP

# TFTP - port 69 udp
-A INPUT -p udp --dport 69 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p udp --dport 69 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p udp --dport 69 -j DROP

# XMPP - port 5222 tcp
-A INPUT -p tcp --dport 5222 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 5222 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 5222 -j DROP

# REST Apps (HTTP) - port 82 tcp
-A INPUT -p tcp --dport 82 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 82 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 82 -j DROP

# OpenVPN Server - port 1194 udp
-A INPUT -p udp --dport 1194 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p udp --dport 1194 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p udp --dport 1194 -j DROP

# HTTP Provisioning - port 84 tcp
-A INPUT -p tcp --dport 84 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 84 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 84 -j DROP

# WebRTC - port 8088, 8089 tcp
-A INPUT -p tcp --dport 8088 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 8088 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 8088 -j DROP
-A INPUT -p tcp --dport 8089 --source XX.XX.XX.X8/32 -j ACCEPT
-A INPUT -p tcp --dport 8089 --source XX.XX.XX.XX8/29 -j ACCEPT
-A INPUT -p tcp --dport 8089 -j DROP

I restarted the VM but the rules don’t work.

I read this in the GUI:
"The files /etc/firewall-4.rules and /etc/firewall-6.rules (for IPv4 and IPv6 rules) must be owned by the ‘root’ user and not writable by any other user. "
But I don’t know how to do that, and I don’t know whether this is the problem.

Can someone please tell me what I missed, or what is wrong?

Thanks in advance


(Matt Brooks) #2

Out of curiosity, did you read this guide? What’s not clear about what needs to be done?

https://wiki.freepbx.org/display/FPG/Firewall+Custom+Rules


(Lorne Gaetz) #3

Working example here: Let's Encrypt Certificate renewals failing


(somianduso) #4

What’s not clear is exactly what I wrote. That guide says nothing more than activate “CUSTOM RULES” and set “root permission”; the first is exactly what I’ve done, the second I don’t know how to do, and since there isn’t any guide to follow during this setup I’m asking for help.


(Matt Brooks) #5

You’ll want to run the following to set permissions correctly:

chown root:root /etc/firewall-4.rules
chown root:root /etc/firewall-6.rules
chmod 644 /etc/firewall-4.rules
chmod 644 /etc/firewall-6.rules

I’ll update our guide to be more clear.

Side Note: /root/iptables.rules is the wrong file to edit according to the guide.


(somianduso) #6

I’m sorry about the name of the file… that was an error… I wrote everything in /etc/firewall-4.rules


#7

What exactly “doesn’t work”?

Are the rules not added to iptables, or are the rules not working the way you wish?

I don’t use the distro firewall, but looking at my test box, rules appended to INPUT will not be executed.

Look at the rules and determine an appropriate insertion point. If using the distro firewall most of the above would be better addressed using the GUI tools and not trying to reinvent the wheel.

If not using the distro firewall, then manage rules like any other RHEL/CentOS7 based box with /etc/sysconfig/iptables.


(somianduso) #8

I’m trying to use the distro firewall but it looks like my rules don’t work… I’m not an expert in CentOS firewalling so I’m trying to follow the distro guide.

Actually I’ve done every step the guide says, rebooted, but my PBX still answers pings from any source, so I think the rules are not applied…

Maybe there is something wrong in the rules? Can you help with writing the correct syntax?


(Lorne Gaetz) #9

Taking a step back here. The custom rules feature is for adding iptables rules that can’t be configured with the Firewall GUI. What specific configuration are you trying to do with the custom rules?


#10

Syntax isn’t the problem. Basic understanding of iptables is beyond the scope of the forum IMO.

iptables -vnL should give you your answers. If you can’t understand why the rules aren’t working after looking at the output, then you are probably better off sticking with the GUI.

The only items in your rules that should be custom rules are the ICMP stuff. Everything else should be defined in the GUI.


(somianduso) #11

As you can see in my rules, I’m trying to block some ports for everybody except for some IPs:

IP1/32 and IP2/29
Can use:
-icmp
-22
-443
-80
-21
-69
-5222
-82
-1194
-84
-8088
-8089

Every other IP must be rejected.


(Lorne Gaetz) #12

The firewall module assumes you plan to use the PBX to actually make calls. Those firewall rules fall so far outside normal usage that you are probably better off disabling the firewall module and managing iptables manually.


(somianduso) #13

But if the guide is right and what the FreePBX staff say is right, using custom rules I should be able to add “custom rules” in the file /etc/firewall-4.rules, but it doesn’t work…


(somianduso) #14

Anyway, this is the output of the command iptables -vnL; as you can see the rules are there, but the IP still answers pings from everywhere.

[root@pbxprova ~]# iptables -vnL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
324K 337M fail2ban-SIP all – * * 0.0.0.0/0 0.0.0.0/0
323K 338M fpbxfirewall all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 5
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp – * * XX.XX.XX.X8 0.0.0.0/0
0 0 ACCEPT icmp – * * XX.XX.XX.XX8/29 0.0.0.0/0
0 0 DROP icmp – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:22
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:443
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:80
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:21
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT udp – * * XX.XX.XX.X8 0.0.0.0/0 udp dpt:69
0 0 ACCEPT udp – * * XX.XX.XX.XX8/29 0.0.0.0/0 udp dpt:69
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:5222
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:5222
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:82
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:82
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:82
0 0 ACCEPT udp – * * XX.XX.XX.X8 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT udp – * * XX.XX.XX.XX8/29 0.0.0.0/0 udp dpt:1194
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:84
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:84
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:84
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:8088
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:8088
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
0 0 ACCEPT tcp – * * XX.XX.XX.X8 0.0.0.0/0 tcp dpt:8089
0 0 ACCEPT tcp – * * XX.XX.XX.XX8/29 0.0.0.0/0 tcp dpt:8089
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 226K packets, 293M bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-SIP (1 references)
pkts bytes target prot opt in out source destination
239 170K REJECT all – * * 74.63.240.6 0.0.0.0/0 reject-with icmp-port-unreachable
3544 2648K REJECT all – * * 185.53.88.61 0.0.0.0/0 reject-with icmp-port-unreachable
320K 334M RETURN all – * * 0.0.0.0/0 0.0.0.0/0

Chain fpbx-rtp (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:4000:4999

Chain fpbxattacker (6 references)
pkts bytes target prot opt in out source destination
0 0 all – * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: ATTACKER side: source mask: 255.255.255.255
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain fpbxblacklist (1 references)
pkts bytes target prot opt in out source destination

Chain fpbxfirewall (1 references)
pkts bytes target prot opt in out source destination
105K 324M ACCEPT all – lo * 0.0.0.0/0 0.0.0.0/0
2745 1073K ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
142K 7968K ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all – * * 0.0.0.0/0 255.255.255.255
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
73507 4950K fpbx-rtp all – * * 0.0.0.0/0 0.0.0.0/0
73507 4950K fpbxblacklist all – * * 0.0.0.0/0 0.0.0.0/0
73507 4950K fpbxsignalling all – * * 0.0.0.0/0 0.0.0.0/0
73507 4950K fpbxsmarthosts all – * * 0.0.0.0/0 0.0.0.0/0
72862 4648K fpbxregistrations all – * * 0.0.0.0/0 0.0.0.0/0
72815 4638K fpbxnets all – * * 0.0.0.0/0 0.0.0.0/0
72628 4613K fpbxhosts all – * * 0.0.0.0/0 0.0.0.0/0
72628 4613K fpbxinterfaces all – * * 0.0.0.0/0 0.0.0.0/0
72628 4613K fpbxreject all – * * 0.0.0.0/0 0.0.0.0/0
39 28595 fpbxrfw all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2/0x2
3975 493K ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
68608 4091K fpbxlogdrop all – * * 0.0.0.0/0 0.0.0.0/0

Chain fpbxhosts (1 references)
pkts bytes target prot opt in out source destination
0 0 zone-trusted all – * * 83.211.227.21 0.0.0.0/0
0 0 zone-trusted all – * * 127.0.0.1 0.0.0.0/0

Chain fpbxinterfaces (1 references)
pkts bytes target prot opt in out source destination
72618 4610K zone-external all – eth0 * 0.0.0.0/0 0.0.0.0/0

Chain fpbxknownreg (1 references)
pkts bytes target prot opt in out source destination
0 0 all – * * 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: REPEAT side: source mask: 255.255.255.255
0 0 all – * * 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: ATTACKER side: source mask: 255.255.255.255
107 36345 MARK all – * * 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
47 9840 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0x1
60 26505 fpbxsvc-ucp all – * * 0.0.0.0/0 0.0.0.0/0
60 26505 fpbxsvc-zulu all – * * 0.0.0.0/0 0.0.0.0/0
60 26505 fpbxsvc-restapps all – * * 0.0.0.0/0 0.0.0.0/0
60 26505 fpbxsvc-restapps_ssl all – * * 0.0.0.0/0 0.0.0.0/0
60 26505 fpbxsvc-provis all – * * 0.0.0.0/0 0.0.0.0/0
60 26505 fpbxsvc-provis_ssl all – * * 0.0.0.0/0 0.0.0.0/0

Chain fpbxlogdrop (1 references)
pkts bytes target prot opt in out source destination
68604 4089K DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain fpbxnets (1 references)
pkts bytes target prot opt in out source destination
22 15796 zone-trusted all – * * XX.XX.XX.X8 0.0.0.0/0
165 9532 zone-trusted all – * * XX.XX.XX.XX8/29 0.0.0.0/0

Chain fpbxratelimit (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x4/0x4
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
0 0 all – * * 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: REPEAT side: source mask: 255.255.255.255
0 0 all – * * 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: DISCOVERED side: source mask: 255.255.255.255
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 fpbxattacker all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
0 0 fpbxattacker all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 200 name: REPEAT side: source mask: 255.255.255.255
0 0 fpbxattacker all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 300 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
0 0 fpbxshortblock all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain fpbxregistrations (1 references)
pkts bytes target prot opt in out source destination
0 0 fpbxknownreg all – * * 83.211.227.21 0.0.0.0/0

Chain fpbxreject (1 references)
pkts bytes target prot opt in out source destination
72619 4610K rejsvc-nfs all – * * 0.0.0.0/0 0.0.0.0/0
72619 4610K rejsvc-smb all – * * 0.0.0.0/0 0.0.0.0/0
72481 4580K rejsvc-zulu all – * * 0.0.0.0/0 0.0.0.0/0
72481 4580K rejsvc-isymphony all – * * 0.0.0.0/0 0.0.0.0/0
72481 4580K rejsvc-provis all – * * 0.0.0.0/0 0.0.0.0/0
72481 4580K rejsvc-provis_ssl all – * * 0.0.0.0/0 0.0.0.0/0
72481 4580K rejsvc-vpn all – * * 0.0.0.0/0 0.0.0.0/0
72481 4580K rejsvc-restapps all – * * 0.0.0.0/0 0.0.0.0/0
72481 4580K rejsvc-restapps_ssl all – * * 0.0.0.0/0 0.0.0.0/0
72481 4580K rejsvc-xmpp all – * * 0.0.0.0/0 0.0.0.0/0
72480 4580K rejsvc-ftp all – * * 0.0.0.0/0 0.0.0.0/0
72477 4580K rejsvc-tftp all – * * 0.0.0.0/0 0.0.0.0/0
72440 4573K rejsvc-pjsip all – * * 0.0.0.0/0 0.0.0.0/0
72440 4573K rejsvc-iax all – * * 0.0.0.0/0 0.0.0.0/0
72440 4573K rejsvc-webrtc all – * * 0.0.0.0/0 0.0.0.0/0

Chain fpbxrfw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
39 28595 all – * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: REPEAT side: source mask: 255.255.255.255
39 28595 all – * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: DISCOVERED side: source mask: 255.255.255.255
0 0 fpbxattacker all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 10 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
0 0 fpbxattacker all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
0 0 fpbxshortblock all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 10 name: SIGNALLING side: source mask: 255.255.255.255
39 28595 all – * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: SIGNALLING side: source mask: 255.255.255.255
0 0 fpbxattacker all – * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
39 28595 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain fpbxshortblock (2 references)
pkts bytes target prot opt in out source destination
0 0 all – * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: CLAMPED side: source mask: 255.255.255.255
0 0 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain fpbxsignalling (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5160 MARK set 0x1
619 290K MARK udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:35060 MARK set 0x3

Chain fpbxsmarthosts (1 references)
pkts bytes target prot opt in out source destination
645 302K ACCEPT all – * * 83.211.227.21 0.0.0.0/0 mark match 0x1/0x1

Chain fpbxsvc-chansip (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:35060

Chain fpbxsvc-ftp (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

Chain fpbxsvc-http (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain fpbxsvc-https (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Chain fpbxsvc-iax (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569

Chain fpbxsvc-isymphony (0 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-letsencrypt (0 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-nfs (0 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-pjsip (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5160

Chain fpbxsvc-provis (1 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-provis_ssl (1 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-restapps (1 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-restapps_ssl (1 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-smb (0 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-ssh (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain fpbxsvc-tftp (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69

Chain fpbxsvc-ucp (1 references)
pkts bytes target prot opt in out source destination

Chain fpbxsvc-vpn (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194

Chain fpbxsvc-webrtc (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089

Chain fpbxsvc-xmpp (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222

Chain fpbxsvc-zulu (1 references)
pkts bytes target prot opt in out source destination

Chain rejsvc-ftp (1 references)
pkts bytes target prot opt in out source destination
3 120 REJECT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 reject-with icmp-port-unreachable

Chain rejsvc-iax (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 reject-with icmp-port-unreachable

Chain rejsvc-isymphony (1 references)
pkts bytes target prot opt in out source destination

Chain rejsvc-nfs (1 references)
pkts bytes target prot opt in out source destination

Chain rejsvc-pjsip (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5160 reject-with icmp-port-unreachable

Chain rejsvc-provis (1 references)
pkts bytes target prot opt in out source destination

Chain rejsvc-provis_ssl (1 references)
pkts bytes target prot opt in out source destination

Chain rejsvc-restapps (1 references)
pkts bytes target prot opt in out source destination

Chain rejsvc-restapps_ssl (1 references)
pkts bytes target prot opt in out source destination

Chain rejsvc-smb (1 references)
pkts bytes target prot opt in out source destination

Chain rejsvc-tftp (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 reject-with icmp-port-unreachable

Chain rejsvc-vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 reject-with icmp-port-unreachable

Chain rejsvc-webrtc (1 references)
pkts bytes target prot opt in out source destination
1 40 REJECT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088 reject-with icmp-port-unreachable
1 40 REJECT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089 reject-with icmp-port-unreachable

Chain rejsvc-xmpp (1 references)
pkts bytes target prot opt in out source destination
1 40 REJECT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 reject-with icmp-port-unreachable

Chain rejsvc-zulu (1 references)
pkts bytes target prot opt in out source destination

Chain zone-external (1 references)
pkts bytes target prot opt in out source destination
72618 4610K MARK all – * * 0.0.0.0/0 0.0.0.0/0 MARK or 0x10

Chain zone-internal (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all – * * 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
0 0 fpbxsvc-ssh all – * * 0.0.0.0/0 0.0.0.0/0
0 0 fpbxsvc-http all – * * 0.0.0.0/0 0.0.0.0/0
0 0 fpbxsvc-https all – * * 0.0.0.0/0 0.0.0.0/0
0 0 fpbxsvc-chansip all – * * 0.0.0.0/0 0.0.0.0/0

Chain zone-other (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all – * * 0.0.0.0/0 0.0.0.0/0 MARK or 0x8

Chain zone-trusted (4 references)
pkts bytes target prot opt in out source destination
187 25328 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0


#15

As you can see, your custom rules are added exactly as documented, but the rules are useless in the context of the distro firewall framework.

Follow the traffic flow through the ruleset and it’s easy to see - the fpbxfirewall chain processes all traffic before your rules have a chance to.

Custom rules give you the ability to modify the system generated rules, but you have to understand what you are doing in the context of the system generated rules.

If you are going to manage the firewall manually, you need to understand how iptables works. I don’t think this forum is the appropriate place. There are dozens/hundreds/probably thousands of iptables tutorials out there.

Again, if you intend to use the distro firewall, the only rules you posted that need to be custom are the ICMP lines, the GUI can manage everything else. Otherwise disable the distro firewall and manage everything yourself - at your own risk.
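Two checks for the two problems raised in this thread, the file-permission requirement from #5 and the rule-ordering problem from #15, as an added example; this is not FreePBX's code. The file paths and the fpbxfirewall chain name come from the thread; the `iptables -S INPUT` listings and the 203.0.113.8 address are constructed samples.

```shell
#!/bin/sh
# Added example (not FreePBX's own code). Needs GNU stat and awk.

# rules_file_ok FILE [OWNER]
# Exit 0 when FILE is owned by OWNER (default root) and is not writable by
# group or other: the condition the Firewall GUI states for
# /etc/firewall-4.rules and /etc/firewall-6.rules.
rules_file_ok() {
    f=$1; want=${2:-root}
    owner=$(stat -c '%U' "$f") || return 1
    perm=$(stat -c '%A' "$f") || return 1          # e.g. -rw-r--r--
    [ "$owner" = "$want" ] || { echo "$f: owned by $owner, not $want" >&2; return 1; }
    case $perm in
        ?????w*|????????w*)   # char 6 = group write bit, char 9 = other write bit
            echo "$f: mode $perm is writable by group/other" >&2; return 1 ;;
    esac
    return 0
}

# shadowed_rules CHAIN
# Reads an `iptables -S INPUT` listing on stdin and prints every INPUT rule
# appended after the jump into CHAIN. In the thread's listing, fpbxfirewall
# either ACCEPTs traffic itself (all ICMP, for instance) or ends in
# fpbxlogdrop, which DROPs everything, so rules placed after
# `-A INPUT -j fpbxfirewall` are never evaluated. Exit 1 if any are found.
shadowed_rules() {
    out=$(awk -v j="$1" 'seen { print } $0 == ("-A INPUT -j " j) { seen = 1 }')
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample of what `iptables -S INPUT` shows for the original
# post: the custom rules land after the framework's jumps.
SAMPLE_APPENDED='-P INPUT ACCEPT
-A INPUT -j fail2ban-SIP
-A INPUT -j fpbxfirewall
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -s 203.0.113.8/32 -p icmp -j ACCEPT
-A INPUT -p icmp -j DROP'

# Constructed sample with the same rules placed before the jump (the order
# you get by inserting with -I INPUT instead of appending with -A INPUT).
SAMPLE_INSERTED='-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -s 203.0.113.8/32 -p icmp -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j fail2ban-SIP
-A INPUT -j fpbxfirewall'

if printf '%s\n' "$SAMPLE_APPENDED" | shadowed_rules fpbxfirewall; then
    echo "appended sample: nothing shadowed"
else
    echo "appended sample: the rules above sit after the fpbxfirewall jump and are never reached"
fi
```

On a live box, `iptables -S INPUT | shadowed_rules fpbxfirewall` shows the same thing after a reboot, and `rules_file_ok /etc/firewall-4.rules` confirms the chown/chmod from #5 took effect.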


(somianduso) #16

About the ICMP lines, is there a way to make them work with the distro firewall?


(system) closed #17

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.