Firewall New Networks Found

freepbx
Tags: #<Tag:0x00007f702bf88278>

(Ed) #1

Since installing v15 I have not been able to resolve the following issue:

A network interface that is assigned to the 'Trusted' zone has been detected. This is a misconfiguration. To ensure your system is protected from attacks, please change the default zone of interface 'eth0'.

When I run the Firewall-Wizard I repeatedly get the same response:

Warning

Selecting ‘Yes’ will update your current configuration. Selecting ‘No’ will not change your current settings.

External Address: X.X.X.X
Known Networks:

  • 192.168.xxx.xxx/24
  • 10.8.0.0/24

These addresses are already defined and continues to show critical error:
image

Looking for any suggestions.


(Lorne Gaetz) #2

You need to correct the settings on the ‘Interfaces’ tab in Firewall.
wiki: https://wiki.freepbx.org/display/FPG/Firewall+Getting+Started+Guide
video: https://www.youtube.com/watch?v=CD_k5PrY7Xc


(Ed) #3

Oh Da!! that was truly a forest & trees thing. As soon as I saw it on the video … BTW very good job, well done!

Once I made the change, other VPN’d clients I am testing with could no longer connect. What I did to resolve this was to enable HTTP Provisioning on the internet. I am going to assume you would say the best practice is going to be not to do that and I should add the remote IP as trusted?

Since this system is sitting behind a FW, I am allowing specific IPs there since it is the edge of the network and would rather stop any untrusted IPs at the front gate.

What I am still struggling with is, I have multiple VPN’d devices coming in just fine and another remote that will not get a VPN IP and register. I duplicated the working TEMPLATE, modified the phone profile in the template and assigned it in EPM. The extensions have been assigned users and VPN enabled, but this one will not register.

I have confirmed the remote site is the same as the working devices with the exception it is an S500 and the working models are S300, S700, S705. I did just replace a local S500 with the S700 because it would not register using the same template I am using now for the S700.

Very strange.

Again thanks for providing the FIREWALL video link, would love to see a detailed VPN setup and trouble shooting version…


(Lorne Gaetz) #4

This is the perennial problem with VPN clients. You can’t access the VPN without first provisioning, and you can’t provision without access to the VPN. Best way around this is to do the first provision of the phone from a trusted host, which I do by white listing the IP. From that point onward, the phone will connect to the VPN and then provision itself securely via the VPN. If you can’t do that, then you can leave Apache provisioning services open to the Internet provided you have provisioning credentials enabled. It’s a pro feature of System Admin, Provisioning Protocols. That way anyone attempting to brute force Apache provisioning services will trigger a ban. Best to use https for provisioning in this case.

Strongly recommend against allowing untrusted access to any provisioning service without credentials. One of the most common exploits we see in Support is malicious users successfully guessing provisioning filenames which gives them SIP credentials they can leverage as an exploit.

Noted.


(Ed) #5

Thanks for the great input. The phones all go through the redirection service and yes they are all credentialed for provisioning. The phones all pull the configs just fine and I have added the remote site IP I am having issues with to the Sangoma FW and is already on my edge FW and I can see the traffic.

Even though I have done all this, the remote site will just not register.


(system) closed #6

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.