Firewall Module : Blocked Attackers

aratel · February 9, 2021, 5:35pm

Hey there,
I used the 14 Distro. I have some trouble with the Firewall. Sometimes my softphone try to get BLF status and send 20 SUSCRIBES messages.

When my public IP change (LTE network), my app can send the SUSCRIBES before the REGISTER option has been sent. Then the Firewall consider it as an attacker and block the IP

It is not the responsive firewall wich does this, it is the Firewall in Blocked Hosts section.
I need to go there and erase the blocked IP.

The firewall does it job well BUT, before the SIP stack of my mobile app will be updated, I want to manage how the firewall consider an IP as an attacker. Where can I do this ?

Here is the capture :

lgaetz · February 9, 2021, 5:41pm

Yes it is responsive. The blocked hosts section shows IPs that have been blocked by Responsive. This is actually a known issue:

https://issues.freepbx.org/browse/FREEPBX-22196

aratel · February 9, 2021, 5:45pm

How can I get around of this problem ?

Lorne thank you.

aratel · February 10, 2021, 3:47pm

lorne, I have seen your comment on the issues tracker

https://issues.freepbx.org/browse/FREEPBX-22196

Is there a way to bypass by adding customs rules in /etc/firewall-4.rules ?

Thanks. It is very annoying for my business.

lgaetz · February 10, 2021, 3:58pm

The only thing I can say is, if responsive is not working for you then don’t use responsive. We have some basic ideas but it will take time to test, code and QA.

aratel · February 10, 2021, 4:42pm

lorne, if I put this lines in the customs rules in /etc/firewall-4.rules and modify parameters, does this will apply ? or will it be the default settings hardcoded ?

-A fpbxratelimit -m recent --rcheck --seconds 90 --hitcount 1 --name WHITELIST --mask 255.255.255.255 --rsource -j ACCEPT
-A fpbxratelimit -m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --mask 255.255.255.255 --rsource -j fpbxattacker
-A fpbxratelimit -m recent --rcheck --seconds 86400 --hitcount 200 --name REPEAT --mask 255.255.255.255 --rsource -j fpbxattacker
-A fpbxratelimit -m recent --rcheck --seconds 300 --hitcount 100 --name REPEAT --mask 255.255.255.255 --rsource -j fpbxattacker
-A fpbxratelimit -m recent --rcheck --seconds 60 --hitcount 50 --name REPEAT --mask 255.255.255.255 --rsource -j fpbxshortblock
-A fpbxrfw -m recent --rcheck --seconds 90 --hitcount 1 --name WHITELIST --mask 255.255.255.255 --rsource -j ACCEPT
-A fpbxrfw -m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --mask 255.255.255.255 --rsource -j fpbxattacker
-A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --mask 255.255.255.255 --rsource -j fpbxattacker
-A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 10 --name SIGNALLING --mask 255.255.255.255 --rsource -j fpbxshortblock
-A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --mask 255.255.255.255 --rsource -j fpbxattacker

aratel · February 10, 2021, 4:53pm

And if I disable the RF, sip registration will not be filtering ? Is that not very dangerous to do this ?

system · June 3, 2021, 11:06pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.