Firewall easy and secure howto

Hi Freepbx,

I am looking for a secure firewall that allows only one country's IP range (instead of blocking one or more countries) and is easy to configure.
Any suggestions appreciated.

I have an off topic question. Isn’t your country native English speaking?

“Can you advice me” is both grammatically incorrect and communicates a demanding tone to the reader. For a native English speaker this sentence structure is annoying to the point of not wanting to answer.

It’s not a project, it’s a question.

“Can you offer an advise” is somewhat better but you are asking for a product recommendation.

“Any suggestions appreciated” shows some degree of contrition.

In this case you finish it off with “easy to configure”; that is an impossible question to configure. For someone with basic network skills, programming a router/firewall is a simple task. If I gave it to my 82 year old Mother it would never get accomplished. Adding this verbiage to your question is a waste of time and very annoying.

While we are talking about annoying, your company is supposed to be a provider of our product. Your web site and communications in these forums indicate your company does not have the resources to properly install and maintain VoIP systems. You come into our forum, promote your company with your logo and ask beginner questions. This question is actually off topic and just business advice.

Since you had to listen to my rant I will answer the question for you.

What you are asking for is an access list. Some of the so called “business class” routers that are really nothing more than gussied up consumer models do support access lists.

In reality they are all garbage, even SonicWall is junk. I used to be a huge Cisco fan (not crap Cisco small business, real “big boy” Cisco), however Cisco just got too hard to do business with and we now use Juniper. EdgeMarc has great solutions for integrators such as yourself. Vyatta is an option also, but you need to learn an IOS-like language to configure it.

On the free end, pfSense appliances can take care of this, however you are on your own on support.

A voice integrator needs to have a network engineer on staff that understands Layer 2 and 3 backwards and forwards.

Good luck

I use CSF (ConfigServer Firewall) and set

CC_ALLOW_FILTER=nl

for example, in /etc/csf/csf.conf. The database is a little old though, so it might need some patching.

  • Isn’t your country native English speaking?
    Answer: No, we are from the Netherlands. Excuse us.

  • It’s not a project, it’s a question.
    Answer: Sorry I put it this way, but adding an easy firewall with country filter in a Distro is a project for us.

Are we promoting when we use our business name? If so, should I remove it? It was not our goal to be annoying for you.

We use the pfSense firewall, but that is not for use in a Distro standalone. We want to use the normal iptables. This way we can connect any Distro safely to the internet without a separate hardware firewall. Otherwise pfSense does a perfect job.

I think I can write an easy-to-implement script to secure the Distro to allow only one country IP range to the PBX.
I just asked for some advice and tips.

Thanx for your time SkykongOH.

I would install APF, it is policy based and works with iptables. You can then obtain the IP homings for your country and do a deny all at the end of the allowed list.

This blog uses China as an example:

http://www.wizcrafts.net/chinese-iptables-blocklist.html

Either way will work, CSF has a webmin module that makes it simple to set up in a GUI environment and a nice “audit” for advised security for much of the normal “sloppiness” of a basic distro based OS.

If you use other iptables based filters like fail2ban or other IDS type software, you can “chain” them with the scripts:-

/etc/csf/csfpost.sh

and

/etc/csf/csfpre.sh

which will start and stop your dynamic iptables chains in a timely fashion. This is to make sure that your firewall is properly and cogently structured; two or more methods run concurrently can often spoil your whole day and turn off what you thought you had on :wink: . Perhaps APF has a similar approach.

Depending on your locale, be careful as to deny and allow: denying everything but NL is VERY much more impactful on your machine than allowing only NL. China and the US, for example, have HUGE databases . . .

http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

is relatively well updated, usually only a few hours late.
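As an added illustration of the "allow only NL" approach (this is not code from any post in this thread, and not part of csf, APF or ipdeny), the script below turns an ipdeny zone file (one IPv4 CIDR per line, the format inside all-zones.tar.gz) into an iptables ruleset that accepts INPUT only from that country's ranges. The chain name COUNTRY_ALLOW and the sample zone file are constructed for the example. It only prints the commands, so you can review them before piping them to sh; the allowed-count check guards against a bad or empty zone file, which would otherwise lock you out of the box.

```shell
#!/bin/sh
# Added example: build an allow-only-<country> iptables INPUT policy from an
# ipdeny-style zone file (one CIDR per line).  Emits the commands to stdout;
# review them, then: build_country_allow_rules /path/to/nl.zone | sh
# Allowing one country is a short list; denying every other country would be
# thousands of rules, which is the point made in the thread above.

# Keep only plausible IPv4 CIDR lines; comments, blanks and junk are dropped.
clean_zone() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$1"
}

# Number of ranges that would be allowed.  Zero means: do not apply.
count_allowed() {
    clean_zone "$1" | wc -l | tr -d ' '
}

# Print the iptables commands.  A dedicated chain (name is an assumption,
# default COUNTRY_ALLOW) keeps the country list apart from csf/fail2ban rules.
# Allowed traffic RETURNs to INPUT so any later rules still apply to it.
build_country_allow_rules() {
    zone="$1"
    chain="${2:-COUNTRY_ALLOW}"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Never cut off loopback or replies to connections this host initiated.
    echo "iptables -A $chain -i lo -j RETURN"
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    clean_zone "$zone" | while read -r cidr; do
        echo "iptables -A $chain -s $cidr -j RETURN"
    done
    # Everything not from the allowed country is dropped here.
    echo "iptables -A $chain -j DROP"
    # Hook the chain at the top of INPUT exactly once.
    echo "iptables -C INPUT -j $chain 2>/dev/null || iptables -I INPUT 1 -j $chain"
}

# Constructed sample zone file (documentation ranges, not real ipdeny data).
SAMPLE_ZONE="${TMPDIR:-/tmp}/sample_nl.zone.$$"
cat > "$SAMPLE_ZONE" <<'EOF'
# comment line, ignored
192.0.2.0/24
198.51.100.0/25

203.0.113.0/24
not-a-cidr
EOF

# Demo: refuse to emit rules when the zone file yields nothing usable.
if [ "$(count_allowed "$SAMPLE_ZONE")" -gt 0 ]; then
    build_country_allow_rules "$SAMPLE_ZONE"
else
    echo "zone file has no usable ranges; refusing to build a lock-out ruleset" >&2
fi
```

Keep a console or out-of-band session open the first time you apply the output: if your own management address is not inside the zone file, the DROP at the end of the chain will cut you off as well.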

Hello, my FreePBX VPS has a public IP.

I'm configuring CSF; I want to allow access only from Italy and would like to understand how I set it.
Thanks, Maisx

Firewalls are designed basically the other way around. Your method (if I read it correctly) allows only access from Italian IPs; you can connect anywhere you want from inside.

I want to correct that: you can only connect from Italy.
It's just that my configuration does not work; connections are accepted from all over the world.
TKS maisx

Hello dicko, I need help to configure CSF as you wrote. Can you give me some advice?
Thank you very much

Maisx

I am following this guide but I do not know what I should write in csfpre.sh and csfpost.sh.
Can someone kindly help me?

TKS Maisx


csf needs to manage the iptables chains, so if you use other software that manipulates iptables like fail2ban then start and stop them as appropriate in these two files, e.g. in csfpost.sh

#!/bin/sh
service fail2ban stop
.
.
.

OK, thank you very much. I'm doing pretty well:

csfpre.sh
#!/bin/sh
service fail2ban start

and
csfpost.sh
#!/bin/sh
service fail2ban stop

TKS Maisx

I tried CSF with this setup but it is not blocking anything, as if it were not even active. Can someone give me some advice?
TKS 100000

Maisx

Wow. What a reply. I just wanted to throw out that I do understand your frustration Sky, but man, take a look at what you posted with all of your misspellings and grammatical errors. Also, there will be even experienced people who will ask silly questions if it is not in their expertise. Firewalls have nothing to do with a PBX. All parts of a unix/linux box consist of areas of extremely separate levels of experience. Also, from reading some of your later posts, I see an elitist aura emanating from them. As you were giving our friend here advice, I am also giving you some.

The entire csf system is self documented in:-

/etc/csf/csf.conf

Your pre and post files are also the wrong way round: you need to start fail2ban AFTER csf starts, and the corollary on stopping.
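To make the ordering concrete, here is an added example (not code from any post in this thread, nor part of csf or fail2ban) that writes the hook pair the right way round and checks an existing pair for the reversal described above. csfpre.sh runs before csf builds its chains, so fail2ban has to be stopped there; csfpost.sh runs after, so fail2ban is started there. The check only greps for the `service fail2ban stop|start` lines, so it is a sanity check for this specific mistake, not a general validator. The target directory defaults to /etc/csf as named in the thread; the demo below uses a constructed temp directory instead.

```shell
#!/bin/sh
# Added example: write and verify csf's fail2ban hooks in the correct order.
#   csfpre.sh  (before csf configures iptables) -> service fail2ban stop
#   csfpost.sh (after  csf configures iptables) -> service fail2ban start
# Getting this reversed leaves fail2ban's chains in place while csf flushes
# and rebuilds, which is the symptom discussed in the thread.

# Return 0 when the pair is right, 1 when reversed or a hook is missing.
check_csf_hooks() {
    pre="$1"
    post="$2"
    ok=0
    if ! grep -Eq '^[[:space:]]*service[[:space:]]+fail2ban[[:space:]]+stop' "$pre"; then
        echo "$pre: expected 'service fail2ban stop' (runs before csf starts)" >&2
        ok=1
    fi
    if ! grep -Eq '^[[:space:]]*service[[:space:]]+fail2ban[[:space:]]+start' "$post"; then
        echo "$post: expected 'service fail2ban start' (runs after csf starts)" >&2
        ok=1
    fi
    return $ok
}

# Write the corrected pair into a csf directory (default /etc/csf).
write_csf_hooks() {
    dir="${1:-/etc/csf}"
    printf '#!/bin/sh\n# runs before csf (re)builds its chains\nservice fail2ban stop\n' > "$dir/csfpre.sh"
    printf '#!/bin/sh\n# runs after csf has its chains in place\nservice fail2ban start\n' > "$dir/csfpost.sh"
    chmod 0700 "$dir/csfpre.sh" "$dir/csfpost.sh"
}

# Constructed demo in a temp dir: the reversed pair as posted above, then the fix.
DEMO="${TMPDIR:-/tmp}/csfhooks.$$"
mkdir -p "$DEMO/wrong" "$DEMO/right"
printf '#!/bin/sh\nservice fail2ban start\n' > "$DEMO/wrong/csfpre.sh"
printf '#!/bin/sh\nservice fail2ban stop\n'  > "$DEMO/wrong/csfpost.sh"
write_csf_hooks "$DEMO/right"

# Usage on a real box: check_csf_hooks /etc/csf/csfpre.sh /etc/csf/csfpost.sh
check_csf_hooks "$DEMO/wrong/csfpre.sh" "$DEMO/wrong/csfpost.sh" || echo "reversed pair detected"
check_csf_hooks "$DEMO/right/csfpre.sh" "$DEMO/right/csfpost.sh" && echo "corrected pair OK"
```

After fixing the files, restart csf (`csf -r`) so the hooks actually run, and confirm with `iptables -L -n` that both csf's chains and fail2ban's chains are present.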