Firewall Not working?

Recently I noticed my PBXs are coming up even though the IP is not in the firewall. It was working fine before. The firewall is enabled. Did a module update change?

When you say “coming up” what are you referring to? Booting? Available on the internet?

Clear your browser history and cache

available on the internet

I came here for the exact same reason. My v13 servers don’t allow this. My 2 v14 servers do. This is a problem. The admin login is open to the world. I used to have to whitelist IPs to get the login screen and now any IP can see it.

So your PBX server is basically directly connected to the internet as opposed to using a separate dedicated router/firewall between the server/network and the internet?

You ever used cyberlynk? Freepbx officially supported hosted servers. No firewall or router between. Never had an issue until recently. Something changed and it is not good.

Our PBXs are hosted as well. I am wondering if this is a module bug?

It’s possible - I just did a release of firewall to enable TCP rate limiting. Is firewall actually running? If not, what is in /tmp/firewall.log?

Firewall is running.

Can you pastebin the output of ‘iptables-save’ (that’s one word, not two)?

# Generated by iptables-save v1.4.7 on Thu Apr  5 08:58:21 2018
*nat
:PREROUTING ACCEPT [433267:34079938]
:POSTROUTING ACCEPT [302024:18121580]
:OUTPUT ACCEPT [305177:18382936]
:masq-input - [0:0]
:masq-output - [0:0]
-A POSTROUTING -j masq-input 
-A POSTROUTING -j masq-output 
-A POSTROUTING -m mark --mark 0x3/0x3 -j MASQUERADE 
-A masq-input -j MARK --set-xmark 0x1/0xffffffff 
-A masq-output -o eth0 -j MARK --set-xmark 0x2/0x2 
COMMIT
# Completed on Thu Apr  5 08:58:21 2018
# Generated by iptables-save v1.4.7 on Thu Apr  5 08:58:21 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [824:85214]
:fail2ban-apache-auth - [0:0]
:fpbx-rtp - [0:0]
:fpbxattacker - [0:0]
:fpbxblacklist - [0:0]
:fpbxfirewall - [0:0]
:fpbxhosts - [0:0]
:fpbxinterfaces - [0:0]
:fpbxknownreg - [0:0]
:fpbxlogdrop - [0:0]
:fpbxnets - [0:0]
:fpbxregistrations - [0:0]
:fpbxreject - [0:0]
:fpbxrfw - [0:0]
:fpbxshortblock - [0:0]
:fpbxsignalling - [0:0]
:fpbxsmarthosts - [0:0]
:fpbxsvc-chansip - [0:0]
:fpbxsvc-ftp - [0:0]
:fpbxsvc-http - [0:0]
:fpbxsvc-https - [0:0]
:fpbxsvc-iax - [0:0]
:fpbxsvc-isymphony - [0:0]
:fpbxsvc-nfs - [0:0]
:fpbxsvc-pjsip - [0:0]
:fpbxsvc-provis - [0:0]
:fpbxsvc-provis_ssl - [0:0]
:fpbxsvc-restapps - [0:0]
:fpbxsvc-restapps_ssl - [0:0]
:fpbxsvc-smb - [0:0]
:fpbxsvc-ssh - [0:0]
:fpbxsvc-tftp - [0:0]
:fpbxsvc-ucp - [0:0]
:fpbxsvc-vpn - [0:0]
:fpbxsvc-webrtc - [0:0]
:fpbxsvc-xmpp - [0:0]
:fpbxsvc-zulu - [0:0]
:rejsvc-nfs - [0:0]
:rejsvc-smb - [0:0]
:zone-external - [0:0]
:zone-internal - [0:0]
:zone-other - [0:0]
:zone-trusted - [0:0]
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth 
-A INPUT -j fpbxfirewall 
-A fail2ban-apache-auth -j RETURN 
-A fpbx-rtp -p udp -m udp --dport 10000:20000 -j ACCEPT 
-A fpbx-rtp -p udp -m udp --dport 4000:4999 -j ACCEPT 
-A fpbxattacker -m recent --set --name ATTACKER --rsource 
-A fpbxattacker -j DROP 
-A fpbxfirewall -i lo -j ACCEPT 
-A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A fpbxfirewall -p icmp -j ACCEPT 
-A fpbxfirewall -d 255.255.255.255/32 -j ACCEPT 
-A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT 
-A fpbxfirewall -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT 
-A fpbxfirewall -j fpbx-rtp 
-A fpbxfirewall -j fpbxblacklist 
-A fpbxfirewall -j fpbxsignalling 
-A fpbxfirewall -j fpbxsmarthosts 
-A fpbxfirewall -j fpbxregistrations 
-A fpbxfirewall -j fpbxnets 
-A fpbxfirewall -j fpbxhosts 
-A fpbxfirewall -j fpbxinterfaces 
-A fpbxfirewall -j fpbxreject 
-A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw 
-A fpbxfirewall -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A fpbxfirewall -j fpbxlogdrop 
-A fpbxhosts -s 127.0.0.1/32 -j zone-trusted 
-A fpbxhosts -s 162.221.93.20/32 -j zone-trusted 
-A fpbxinterfaces -i eth0 -j zone-external 
-A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT 
-A fpbxknownreg -j fpbxsvc-ucp 
-A fpbxknownreg -j fpbxsvc-zulu 
-A fpbxknownreg -j fpbxsvc-restapps 
-A fpbxknownreg -j fpbxsvc-restapps_ssl 
-A fpbxknownreg -j fpbxsvc-provis 
-A fpbxknownreg -j fpbxsvc-provis_ssl 
-A fpbxlogdrop -j DROP 
-A fpbxnets -s 70.61.58.190/32 -j zone-internal 
-A fpbxnets -s 104.231.67.124/32 -j zone-trusted 
-A fpbxnets -s 98.103.75.4/32 -j zone-internal 
-A fpbxnets -s 24.144.180.104/32 -j zone-trusted 
-A fpbxnets -s 24.93.244.180/32 -j zone-trusted 
-A fpbxnets -s 98.103.19.22/32 -j zone-trusted 
-A fpbxnets -s 192.159.66.96/27 -j zone-internal 
-A fpbxnets -s 70.61.58.0/24 -j zone-internal 
-A fpbxregistrations -s 70.61.58.190/32 -j fpbxknownreg 
-A fpbxregistrations -s 74.118.26.100/32 -j fpbxknownreg 
-A fpbxregistrations -s 162.212.218.16/32 -j fpbxknownreg 
-A fpbxreject -j rejsvc-nfs 
-A fpbxreject -j rejsvc-smb 
-A fpbxrfw -m recent --set --name REPEAT --rsource 
-A fpbxrfw -m recent --set --name DISCOVERED --rsource 
-A fpbxrfw -m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource -j fpbxattacker 
-A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource -j fpbxattacker 
-A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 10 --name SIGNALLING --rsource -j fpbxshortblock 
-A fpbxrfw -m recent --set --name SIGNALLING --rsource 
-A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxattacker 
-A fpbxrfw -j ACCEPT 
-A fpbxshortblock -m recent --set --name CLAMPED --rsource 
-A fpbxshortblock -j REJECT --reject-with icmp-port-unreachable 
-A fpbxsignalling -p udp -m udp --dport 5060 -j MARK --set-xmark 0x3/0xffffffff 
-A fpbxsignalling -p udp -m udp --dport 5162 -j MARK --set-xmark 0x1/0xffffffff 
-A fpbxsmarthosts -s 74.118.26.100/32 -m mark --mark 0x1/0x1 -j ACCEPT 
-A fpbxsmarthosts -s 162.212.218.16/32 -m mark --mark 0x1/0x1 -j ACCEPT 
-A fpbxsvc-chansip -p udp -m udp --dport 5060 -j ACCEPT 
-A fpbxsvc-ftp -p tcp -m tcp --dport 21 -j ACCEPT 
-A fpbxsvc-http -p tcp -m tcp --dport 80 -j ACCEPT 
-A fpbxsvc-https -p tcp -m tcp --dport 443 -j ACCEPT 
-A fpbxsvc-iax -p udp -m udp --dport 4569 -j ACCEPT 
-A fpbxsvc-isymphony -p tcp -m tcp --dport 58080 -j ACCEPT 
-A fpbxsvc-isymphony -p tcp -m tcp --dport 55050 -j ACCEPT 
-A fpbxsvc-pjsip -p udp -m udp --dport 5162 -j ACCEPT 
-A fpbxsvc-provis -p tcp -m tcp --dport 83 -j ACCEPT 
-A fpbxsvc-provis_ssl -p tcp -m tcp --dport 1443 -j ACCEPT 
-A fpbxsvc-restapps -p tcp -m tcp --dport 84 -j ACCEPT 
-A fpbxsvc-restapps_ssl -p tcp -m tcp --dport 3443 -j ACCEPT 
-A fpbxsvc-ssh -p tcp -m tcp --dport 22 -j ACCEPT 
-A fpbxsvc-tftp -p udp -m udp --dport 69 -j ACCEPT 
-A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT 
-A fpbxsvc-ucp -p tcp -m tcp --dport 8001 -j ACCEPT 
-A fpbxsvc-ucp -p tcp -m tcp --dport 8003 -j ACCEPT 
-A fpbxsvc-vpn -p udp -m udp --dport 1194 -j ACCEPT 
-A fpbxsvc-webrtc -p tcp -m tcp --dport 8088 -j ACCEPT 
-A fpbxsvc-webrtc -p tcp -m tcp --dport 8089 -j ACCEPT 
-A fpbxsvc-xmpp -p tcp -m tcp --dport 5222 -j ACCEPT 
-A fpbxsvc-zulu -p tcp -m tcp --dport 8002 -j ACCEPT 
-A zone-external -j fpbxsvc-ucp 
-A zone-external -j fpbxsvc-vpn 
-A zone-external -j fpbxsvc-xmpp 
-A zone-internal -j fpbxsvc-ssh 
-A zone-internal -j fpbxsvc-http 
-A zone-internal -j fpbxsvc-https 
-A zone-internal -j fpbxsvc-ucp 
-A zone-internal -j fpbxsvc-pjsip 
-A zone-internal -j fpbxsvc-chansip 
-A zone-internal -j fpbxsvc-iax 
-A zone-internal -j fpbxsvc-webrtc 
-A zone-internal -j fpbxsvc-zulu 
-A zone-internal -j fpbxsvc-isymphony 
-A zone-internal -j fpbxsvc-provis 
-A zone-internal -j fpbxsvc-provis_ssl 
-A zone-internal -j fpbxsvc-vpn 
-A zone-internal -j fpbxsvc-restapps 
-A zone-internal -j fpbxsvc-restapps_ssl 
-A zone-internal -j fpbxsvc-xmpp 
-A zone-internal -j fpbxsvc-ftp 
-A zone-internal -j fpbxsvc-tftp 
-A zone-other -j fpbxsvc-ucp 
-A zone-other -j fpbxsvc-pjsip 
-A zone-other -j fpbxsvc-provis 
-A zone-other -j fpbxsvc-provis_ssl 
-A zone-other -j fpbxsvc-vpn 
-A zone-other -j fpbxsvc-xmpp 
-A zone-trusted -j ACCEPT 
COMMIT
# Completed on Thu Apr  5 08:58:21 2018

Looks perfect to me. However, I did just release 13.0.51.1 to fix an issue with machines with older Zulu builds on it, so you might want to upgrade to that, and make sure everything is still working.

Edit: Actually, that’s NOT running the latest version, so yes - you want to update.
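As an added illustration (not code from this thread or from the FreePBX firewall module), a small Python walk over an iptables-save dump that answers the question the thread raises: which ports can a new connection arriving on the internet-facing interface (eth0 in the posted dump) actually reach an ACCEPT on, once source-specific, established-only and other-interface rules are set aside. The embedded ruleset is a constructed excerpt modelled on the dump posted above, not the full output.

```python
from collections import defaultdict

# Constructed excerpt modelled on the iptables-save output posted in this thread
# (a subset of its chains, kept small enough to read).
RULESET = """\
*filter
-A INPUT -j fpbxfirewall
-A fpbxfirewall -i lo -j ACCEPT
-A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fpbxfirewall -j fpbxhosts
-A fpbxfirewall -j fpbxinterfaces
-A fpbxhosts -s 162.221.93.20/32 -j zone-trusted
-A fpbxinterfaces -i eth0 -j zone-external
-A fpbxsvc-http -p tcp -m tcp --dport 80 -j ACCEPT
-A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT
-A fpbxsvc-ucp -p tcp -m tcp --dport 8001 -j ACCEPT
-A fpbxsvc-vpn -p udp -m udp --dport 1194 -j ACCEPT
-A zone-external -j fpbxsvc-ucp
-A zone-external -j fpbxsvc-vpn
-A zone-internal -j fpbxsvc-http
-A zone-trusted -j ACCEPT
"""

def parse_rules(text):
    """Map each chain to its rules, keeping only the options that decide reachability."""
    chains = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("-A "):
            toks = line.split()
            opt = lambda flag: toks[toks.index(flag) + 1] if flag in toks else None
            chains[toks[1]].append({"proto": opt("-p"), "dport": opt("--dport"),
                                    "src": opt("-s"), "iface": opt("-i"),
                                    "target": opt("-j"), "stateful": "--state" in toks})
    return chains

def exposed_ports(chains, iface, chain="INPUT"):
    """(proto, port) pairs that reach ACCEPT for a new packet on iface from an unlisted source."""
    found = set()
    for r in chains.get(chain, []):
        if r["src"] or r["stateful"] or (r["iface"] and r["iface"] != iface):
            continue  # address-specific, established-only and other-interface rules never match
        if r["target"] == "ACCEPT":
            found.add((r["proto"] or "any", r["dport"] or "any"))
        elif r["target"] in chains:
            found |= exposed_ports(chains, iface, r["target"])  # follow the jump
    return found
```

In this excerpt port 80 is only reachable through zone-internal, so it does not show up for eth0; run the same walk over a full dump to confirm what the external zone really exposes before trusting the dashboard status.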

Not a fix to your problem, but a workaround. I have LogMeIn Hamachi as a VPN and only allow web traffic through its interface. I block all port 80, SSH, etc. traffic on eth0, blocking out everything but VPN traffic.

After performing yesterday’s firewall module update (13.0.52), on my dashboard I have a notification about “Firewall Service not Running”.

I have stopped/started the service with no luck.

Any suggestions?

Thanks!
