Firewall easy and secure howto

Hi Freepbx,

I am looking for a secure firewall to allow only one country ip range (instead of blocking one/more country) and easy to configure.
Any suggestions appreciated.

I have an off topic question. Isn’t your country native English speaking?

“Can you advice me” is both grammatically incorrect and communicates a demanding tone to the reader. For a native English speaker this sentence structure is annoying to the point of not wanting to answer.

It’s not a project, it’s a question.

“Can you offer an advise” is somewhat better but you are asking for a product recommendation.

“Any suggestions appreciated” shows some degree of contrition.

In this case you finish it off with “easy to configure” that is an impossible question to configure. For someone with basic network skills programming a router/firewall is a simple task. If I gave it to my 82 year old Mother it would never get accompolished. Adding this verbiage to your question is a waster of time any very annoying.

While we are talking about annoying, your company is supposed to be a provider of our product. Your web site and communications in these forums indicates your company does not have the resources to properly install and maintain VoIP systems. You come into our forum, promote your company with your logo and ask beginner questions. This question is actually off topic and just business advice.

Since you had to listed to my rant I will answer the question for you.

What you are asking for is an access-list. Some of the so called “business class” routers that are really nothing more than gussied up consumer models do support access list.

In reality they are all garbage, even Sonic Wall is junk. I used to be a huge Cisco (not crap Cisco small business, real “big boy” Cisco) however Cisco just got too hard to do business with and we no use Juniper. Edgemarc has great solutions for integrators such as yourself. Vyetta is an option also but you need to learn an IOS like language to configure.

On the free end. pfSense appliances can take care of this, however you are on your own on support.

A voice integrator needs to have a network engineer on staff that understands Layer 2 and 3 backwards and forwards.

Good luck

I use CSF (Config Firewall Server) and set


for example, in /etc/csf/csf.conf. The database is a ;little old though so might need some patching.

  • Isn’t your country native English speaking?
    Answer: No, we are from the Netherlands. Excuse us.

  • It’s not a project, it’s a question.
    Answer: Sorry I put it this way, but adding an easy firewall with country filter in a Distro is a project for us.

Are we promoting when we use our business name? If so, should I remove it? It was not our goal to be annoying for you.

We use pfsense firewall, but that is not for use in a Distro standalone. We want to use the normal iptables. This way we can connect any Distro safely to the internet without a separate Hardware Firewall. Ohterwise PfSense does a perfect job.

I think I can write an easy to implement script to secure the Distro to allow only one country ip-range to the pbx.
I just asked for some advice and tips?

Thanx for your time SkykongOH.

I would install APF, it is policy based and works with IP Tables. You can then obtain the IP homings for your County and do a deny all at the end of the allowed list.

This blog uses China as an example:

Either way will work, CSF has a webmin module that makes it simple to set up in a GUI environment and a nice “audit” for advised security for much of the normal “sloppiness” of a basic distro based OS.

If you use other iptables based filters like fail2ban or other IDS type software, you can “chain” them with the scripts:-




which will start and stop your dynamic iptable chains in a timely fashion. This to make sure that your firewall is properly and cogently structured, two or more methods run concurrently can often spoil your whole day and turn off what you thought you had on :wink: . Perhaps APF has a similar approach.

Depending on your locale, be careful as to deny and allow, denying everything but NL is VERY much more impactful on your machine than allowing only NL. China and the US have for example HUGE databases . . .

is relatively well updated usually only a few hours late.

hello my vps FreePBX has public ip

I'm configuring csf dive I want to access only Italy would like to understand how do I set it
Thanks   Maisx 

Firewalls are designed basically the other way around, Your method (if I read it well) allows only access from Italian IP’s, you can connect anywhere you want from inside.

I want to correct that you can only connect from italy
just that I do not work configuration used are accepted all over the world
TKS maisx

Hello dicko I need help to configure CSF as you wrote can give me some advice
Thank you very much


I am following this guide but I do not know what should I write in and
can someone kindly help me 

TKS Maisx 


csf needs to manage the iptable chains, so if you use othger software that manipulates iptable like fil2ban then start and stop them as appropriate in these two files e.g. in

service fail2ban stop

Ok thank you very much I do pretty well
service fail2ban start

service fail2ban stop

TKS Maisx

I tried with this setup CSF but not blocking me is nothing like it was not even active someone can 'give me some advice
TKS 100000


Wow. What a reply. I just wanted to throw out that I do understand your frustration Sky, but man, take a look at what you posted with all of your misspellings and grammatical errors. Also, there will be even experienced people who will ask silly questions if it is not in their expertise. Firewalls have nothing to do with a PBX. All parts of a unix/linux box consists of areas of extremely separate levels of experience. Also, from reading some of your later posts, I see an elitist aura emanating from them. As you were giving our friend here advice, I am also giving you.

The entire csf system is self documented in:-


Your pre and post files are also the wrong way round, you need to start fail2ban AFTER csf starts and the corollary on stopping