Firewall Questions


(Rob Thomas) #13

Firewall requires Sysadmin. Sysadmin assumes that if you have a licence file, it hasn’t been tampered with.


(Alice Brassfield) #14

We do have Sysadmin, we recently bought it last week and I’ll look to see why it is giving that error.

It still says No fpbxinterfaces in ipv6, even though we do have it enabled, would the course of action be to destroy the VM and start over again?


(Alice Brassfield) #15

Hi sorry to go back to an old post, but does FreePBX require a gateway that has ipv6 enabled as well as an actual ipv6 ip assigned to it?

We built a new box and it is still having the same issue and when I check the activation sysadmin is there.


(Rob Thomas) #16

If your machine is still saying the licence file is tampered, then something crazy is happening with your machine, and there’s nothing we can do about that. Sorry!


(Alice Brassfield) #17

Thanks! I am going to take that box down and build a brand new one and hopefully, it all goes well. Thanks again for all the help.


(User permanently banned) #18

I just did the install of FreePBX with Asterisk-NAF for GoogleVoice SIP

I assumed I could Install the FreePBX Firewall.

I just found old posts talking about problems with Firewall on Debian, this is running on ubuntu 18.04

When I go to available modules and click on Firewall it says
Missing Requirements:
The File “/usr/lib/sysadmin/includes.php” must exist.
The Module Named “manager” is required.

From what I read here in this thread “Firewall requires Sysadmin. Sysadmin assumes that if you have a licence file” which seems to imply the FreePBX Firewall is a no-go with Open Source FreePBX?

Its all so confusing …


(Dave Burgess) #19

Unless you install a Distro system, the Manager module is not available. In fact, none of the commercial modules are available.

To install the firewall, you need to install a Distro system (not roll-your-own) and then “upgrade” the rest of the system to work with Google Voice. Good luck.


(Rob Thomas) #20

There’s no TECHNICAL reason why not - all the code is open source. The problem is that all the ‘stuff’ for secure privilege escalation of firewall is done as part of Sysadmin (which requires FreePBX Distro).

Someone just needs to figure out a way to do it on other OSs so it DOESN’T require that. And I can’t think of a good way to make it secure - in Distro it’s secure because it’s all root owned and RPM locked, along with all the preexisting integrity checking.


(Chris Coleman) #21

(Posting this here because the github for firewall doesn’t have the issues tab enabled.)
Nice module, Rob, thanks for this responsive firewall. It seems to be a basic requirement, loose enough to let users’ devices log in straight away without making them provide their IP address via port knocker before even trying to log in.
After a quick look at the firewall code on github, it appears the system admin functions used by the responsive freepbx voipfirewall are minimal, mostly to get settings and generate the fail2ban config.

  1. Gets the GPG object to use for checking the hashes of code files before running them,
  2. Gets the web root directory path for the asterisk management port aka freepbx web app,
  3. Gets the ports used by all the services enabled on the pbx: the web portal itself, rtp, sip, pjsip, webrtc, smb, nfs, iax, ssh, nodejs, http provision, restapps, xmpp, tftp, VPN, UCP, all of them. And categorizes them into zones like external, other, internal.
  4. fail2ban-generate and fail2ban-start scripts.

I could be wrong, but it seems like it doesn’t really use a lot of functions to get data from the sysadmin module, so it shouldn’t be too too hard to replace with a basic substitute minimal open source version.
If this isn’t right please share your thoughts. Share them either way actually.

(Rob Thomas) #22

Yeah, that’s not the place to open issues against it. That’s actually just an automatically synchronized mirror from git.freepbx.org, and issues should go on issues.freepbx.org.

But here is EXACTLY the right place to talk about this stuff 8)

Firewall uses Sysadmin for, mainly, secure privilege escalation. It doesn’t use sysadmin (the module) for anything, as far as I remember. It uses the sysadmin RPM for that. That’s utilized by the ‘runHook’ code, which - hopefully - is pretty self explanatory.

The problem for NON Distro machines is that doing that securely is super easy with the Sysadmin hooks, because, it’s been audited and checked multiple times, as well as relying on the Zend integrity checking stuff, AND all being root owned, so it’s not possible to be messed with by an attacker.

All of that is missing for something that’s not running FreePBX Distro. So that’s where the missing pieces are at the moment, and I’d love some pull requests to figure out how to fix it.

The main problem is that you have to run stuff as root (iptables, for example), but you also want to install updates and other things as NOT root, so there needs to be that abstraction/isolation layer. You can’t use sudo, because as soon as you grant sudo access to any file owned by Asterisk/Httpd, your machine is immediately attackable by simply replacing the contents of that file.

Lots of problems, and not any solutions - yet. But I’m hopeful that someone will come up with an idea 8)
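The post above describes the missing piece on non-Distro installs: something that runs iptables and fail2ban as root on behalf of the web or asterisk user without letting that user control what actually executes, and why a sudo rule on a file the web user owns fails that test. The sketch below is an added example, not FreePBX or Sysadmin code, of the trust check such a root-side dispatcher would perform. The unprivileged side only supplies a hook name; the root side maps it to a file under a directory root owns and refuses anything a non-root user could have altered (wrong owner, group/world writable, symlink). `HOOK_DIR`, the hook names, `SAFE_ENV` and the uid defaults are assumptions for illustration; the transport between the two sides (setuid helper, socket, etc.) is out of scope.

```python
"""Added example, not FreePBX/Sysadmin code: a root-side hook dispatcher.

The unprivileged caller supplies only a hook *name*.  The root side looks it
up in a fixed, root-owned directory and refuses to execute anything that a
non-root user could have modified.  Paths and hook names are assumptions.
"""
import os
import stat
import subprocess
from pathlib import Path

HOOK_DIR = Path("/usr/lib/example-firewall/hooks")          # assumed location
ALLOWED_HOOKS = frozenset({"iptables-apply", "fail2ban-generate", "fail2ban-start"})  # assumed names
SAFE_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}         # caller cannot inject LD_PRELOAD etc.


def check_owned_by_trusted(path, trusted_uid=0, want_dir=False):
    """Return None if `path` could only have been written by `trusted_uid`, else a reason.

    lstat() is deliberate: a symlink planted by the web user that points at a
    root-owned file would pass stat() but is rejected here.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if want_dir and not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if not want_dir and not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_uid != trusted_uid:
        return "owned by uid %d, not trusted uid %d" % (st.st_uid, trusted_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world writable"
    if not want_dir and not st.st_mode & stat.S_IXUSR:
        return "not executable"
    return None


def resolve_hook(name, hook_dir=HOOK_DIR, allowed=ALLOWED_HOOKS, trusted_uid=0):
    """Map a caller-supplied hook name to a vetted path, or raise PermissionError."""
    if name not in allowed:                      # allowlist first: no path tricks, ever
        raise PermissionError("hook %r is not allowed" % name)
    reason = check_owned_by_trusted(hook_dir, trusted_uid, want_dir=True)
    if reason:                                   # a writable dir lets an attacker swap files by rename
        raise PermissionError("hook dir %s: %s" % (hook_dir, reason))
    path = Path(hook_dir) / name
    reason = check_owned_by_trusted(path, trusted_uid)
    if reason:
        raise PermissionError("hook %s: %s" % (path, reason))
    return path


def run_hook(name, args=(), **kw):
    """Run a vetted hook with a scrubbed environment; never via a shell."""
    path = resolve_hook(name, **kw)
    return subprocess.run([str(path), *args], env=SAFE_ENV, check=False,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)


if __name__ == "__main__":
    try:
        print(run_hook("iptables-apply").returncode)
    except PermissionError as e:
        print("refused:", e)
```

The check answers exactly the objection to sudo in the post: the web user can still ask for `iptables-apply`, but replacing its contents requires write access to a root-owned, non-writable file, which the web user does not have. In a real deployment every ancestor of `HOOK_DIR` needs the same ownership check (a writable parent lets an attacker rename the whole directory away), and the dispatcher itself must be reachable only through a channel the unprivileged side cannot forge.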


(Chris Coleman) #23

Gotcha. Securely let the app run some commands that change sensitive operating system settings and or sensitive app settings. There’s many, many ways to do this safely and securely.

Follow up questions:

  1. Are there docs or, better, a script to install a branch of the app directly from github source, let’s say for example the currently tagged version 15.0 branch, onto an empty CentOS 7? Obviously, it’d result in a plain vanilla version of the app; probably the file hashes wouldn’t be there since that’d be generated after github by another script that does the tarball. The idea is just to download and run any branch from source.

  2. Also, a script to update an existing install of let’s say an outdated github branch, for example 15.0 from X days ago, by downloading the current 15.0 branch.

  3. Any docs or better script to download the entire app all modules and run all its php unit tests or CI.


(Rob Thomas) #24

There’s nothing magic with pulling from git - just pull! There’s a bunch of instructions here: https://wiki.freepbx.org/display/FOP/Developer+Corner+Home

I, personally, prefer to clone to /usr/src/freepbx/modulename and then ln -s that folder to /var/www/html/admin/modules/modulename, but it’s totally up to you how you do it.

To create the module.sig, you just use the Devtools repo to generate the signature - see https://wiki.freepbx.org/display/FOP/Signing+your+own+modules#Signingyourownmodules-LocalKeyWalkthrough for the walkthrough on how to do it.


(Ronald Mapes) #25

Good Day,
I’ve recently started working on a few FreePBX servers. Learning as I go. I was reading about the firewall piece. I built a new FreePBX server and activated the firewall. Pretty robust firewall. But, I have a question or two. While I was learning about IPtables the first three statements were to be set to DROP, but I notice FreePBX sets them to ACCEPT.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

I see these followed by several addons like blacklist, hosts, etc. Does this setup better manage the rules by allowing all access first then filtering after access is accepted? How does this work?

Regards,
Ron


(Rob Thomas) #26

It’s normally best to run the command iptables-save (note that is one word, no space) which will dump the ENTIRE iptables entry. The -P flag means ‘if I’m not told otherwise then …’.
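The reply above makes the point that `-P CHAIN ACCEPT` is only the fallback when no rule in the chain matches, so the policy line alone does not say whether a host is default-deny; you have to read the whole `iptables-save` dump. The script below is an added example, not FreePBX code, that does that reading for you: it parses a dump, and for each built-in chain of the filter table reports the policy, whether an unconditional terminal rule (such as a trailing `-A INPUT -j DROP`) overrides it, and how many rules sit unreachably after that rule. The dump embedded in it is constructed for the example and is not the ruleset FreePBX generates.

```python
"""Added example, not FreePBX code: audit the effective default of iptables chains.

Parses `iptables-save` output for the *filter table.  A chain's *policy* only
applies to packets no rule matched; an unconditional `-A CHAIN -j DROP` at the
end of the chain makes it default-deny regardless of `-P CHAIN ACCEPT`.
"""
import shlex
from collections import OrderedDict

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # jumps to user chains may RETURN, so they are not terminal

# Constructed sample dump for the example; not captured from a FreePBX box.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fpbxblacklist - [0:0]
-A INPUT -j fpbxblacklist
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A fpbxblacklist -s 203.0.113.5/32 -j DROP
COMMIT
"""


def parse_filter_table(dump):
    """Return {chain: {"policy": str or None, "rules": [token lists]}} for *filter."""
    chains = OrderedDict()
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):               # table header, e.g. *filter / *nat
            in_filter = (line == "*filter")
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):               # ":NAME POLICY [pkts:bytes]"; user chains show "-"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": None if policy == "-" else policy, "rules": []}
            continue
        tokens = shlex.split(line)
        if len(tokens) >= 2 and tokens[0] == "-A":
            chains.setdefault(tokens[1], {"policy": None, "rules": []})["rules"].append(tokens)
    return chains


def is_unconditional_terminal(tokens):
    """True for `-A CHAIN -j TARGET [target options]` with no match clauses."""
    return len(tokens) >= 4 and tokens[2] == "-j" and tokens[3] in TERMINAL


def effective_default(chain_name, chains):
    """Return (verdict, decided_by, unreachable_rules) for packets nothing specific matched."""
    rules = chains[chain_name]["rules"]
    for i, tokens in enumerate(rules):
        if is_unconditional_terminal(tokens):
            return tokens[3], "rule", len(rules) - i - 1
    return chains[chain_name]["policy"], "policy", 0


def audit(dump):
    """Summarise the built-in filter chains of an iptables-save dump."""
    chains = parse_filter_table(dump)
    report = {}
    for name in ("INPUT", "FORWARD", "OUTPUT"):
        if name in chains:
            verdict, source, dead = effective_default(name, chains)
            report[name] = {"policy": chains[name]["policy"], "effective": verdict,
                            "decided_by": source, "rules": len(chains[name]["rules"]),
                            "unreachable": dead}
    return report


if __name__ == "__main__":
    for chain, info in audit(SAMPLE_DUMP).items():
        print(chain, info)
```

Run it against a live box with `iptables-save | python3 audit.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`. In the sample, INPUT reports policy ACCEPT but an effective verdict of DROP decided by its last rule, while FORWARD and OUTPUT fall through to their ACCEPT policy; a non-zero `unreachable` count flags rules someone appended after the catch-all, which is a common sign of a hand edit that never took effect.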


(Ronald Mapes) #27

Hello Rob,
Ok, it’s just different than how I learned iptables. Those three initial statements were always set to DROP. Then I followed with the rules to ACCEPT, DENY, DROP, NAT statements. The -N statements are used to access tables that are known fraud? For example -N fpbxblacklist is known fraud IPs? Is there anything else I need to do to use that function of fpbxblacklist? I read in another link I had to create scripts that tie to fail2ban. I would like to verify the system has set that up while configuring the firewall and there’s nothing waiting on me to complete.

If the blacklist is good to go I am going to work to implement the firewall on our live system. The lab worked out without any issue.

Regards,
Ron


(Chris Coleman) #28

Ronald,
You can read more about how it’s supposed to work here:
https://wiki.freepbx.org/display/FPG/Responsive+Firewall
This “Responsive Firewall” is nice because it lets users and devices login to the PBX, without making your system admin, or your users, add their IP address to the whitelist in advance of the login.


(Dave Burgess) #29

… and, if you don’t have “outside” connections (from non-local/non-trusted networks), you can disable it entirely and only allow SIP connections from trusted agencies.


(Ronald Mapes) #30

Good Morning Folks,
Thank you for the information. I’ve been reading the doc’s and forum. Good stuff. Yes, this is something that is proving useful. Implemented it last week.

Regards,


(Ed Soto) #31

Yeah, it makes no sense why they show the Firewall module on the non-official distro. Funny thing is they say no commercial modules will work on the non-official version but they list a dozen of them for you to install like SIPSTATION… They’re not even consistent on what they say. Besides that, if you try to install the SN7 official ISO to a VPS it won’t work because they don’t have a version that requires no user prompts/input. When dealing with VPSs you have to set up SSH keys before you can SSH into the console, but the freakin ISO won’t install by itself for you to upload a key to the VPS… I hope they decide someday to make an official distro that will use default values to install if there is no user input during installation. Anyways, just my rant…


(system) closed #32

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.