Firewall Questions

(Posting this here because the github for firewall doesn’t have the issues tab enabled.)
Nice module, Rob, thanks for this responsive firewall. It seems to be a basic requirement, loose enough to let users’ devices log in straight away without making them provide their IP address via port knocker before even trying to log in.
After a quick look at the firewall code on GitHub, it appears that the system admin functions used by the responsive FreePBX VoIP firewall are minimal, mostly to get settings and generate the fail2ban config:

  1. Gets the GPG object to use for checking the hashes of code files before running them.
  2. Gets the web root directory path for the Asterisk management port, aka the FreePBX web app.
  3. Gets the ports used by all the services enabled on the PBX: the web portal itself, rtp, sip, pjsip, webrtc, smb, nfs, iax, ssh, nodejs, http provision, restapps, xmpp, tftp, VPN, UCP, all of them. And categorizes them into zones like external, other, internal.
  4. fail2ban-generate and fail2ban-start scripts.

I could be wrong, but it seems like it doesn’t really use a lot of functions to get data from the sysadmin module, so it shouldn’t be too hard to replace with a basic substitute minimal open source version.
If this isn’t right please share your thoughts. Share them either way actually.

Yeah, that’s not the place to open issues against it. That’s actually just an automatically synchronized mirror from git.freepbx.org, and issues should go on issues.freepbx.org.

But here is EXACTLY the right place to talk about this stuff 8)

Firewall uses Sysadmin for, mainly, secure privilege escalation. It doesn’t use sysadmin (the module) for anything, as far as I remember. It uses the sysadmin RPM for that. That’s utilized by the ‘runHook’ code, which - hopefully - is pretty self explanatory.

The problem for NON Distro machines is that doing that securely is super easy with the Sysadmin hooks, because it’s been audited and checked multiple times, as well as relying on the Zend integrity checking stuff, AND all being root owned, so it’s not possible to be messed with by an attacker.

All of that is missing for something that’s not running FreePBX Distro. So that’s where the missing pieces are at the moment, and I’d love some pull requests to figure out how to fix it.

The main problem is that you have to run stuff as root (iptables, for example), but you also want to install updates and other things as NOT root, so there needs to be that abstraction/isolation layer. You can’t use sudo, because as soon as you grant sudo access to any file owned by Asterisk/Httpd, your machine is immediately attackable by simply replacing the contents of that file.

Lots of problems, and not any solutions - yet. But I’m hopeful that someone will come up with an idea 8)
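The sudo trap Rob describes above (a root-run helper that the asterisk/httpd account can rewrite) is something you can check for mechanically. The following is an added illustration, not FreePBX or sysadmin RPM code: it audits a helper path and its directory for ownership and write bits, and the demo uses constructed scratch files with the current uid standing in for root.

```python
"""Check a helper that the PBX will run as root: the unprivileged account that
triggers it must not be able to rewrite it (the sudo problem described above).
Added illustration, not FreePBX or sysadmin code; paths are constructed."""
import os
import stat
import tempfile

def audit_privileged_helper(path, trusted_uid=0, invoker_uid=None):
    """Return a list of findings; an empty list means the helper and the directory
    holding it are owned by trusted_uid and nobody else can replace them."""
    findings = []
    for label, p in (("helper", path), ("directory", os.path.dirname(path) or ".")):
        st = os.lstat(p)                               # do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{label} is a symlink")
        if st.st_uid != trusted_uid:
            findings.append(f"{label} owned by uid {st.st_uid}, not {trusted_uid}")
        if invoker_uid is not None and st.st_uid == invoker_uid:
            findings.append(f"{label} owned by the invoking uid {invoker_uid}")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{label} is group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{label} is world-writable")
    return findings

def demo():
    """Build a safe and a loose helper in a scratch directory and audit both.
    The current uid stands in for root so the example runs unprivileged."""
    me = os.getuid()
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    results = {}
    for name, mode in (("safe.sh", 0o755), ("loose.sh", 0o777)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n/sbin/iptables -L\n")   # constructed stand-in hook
        os.chmod(p, mode)
        results[name] = audit_privileged_helper(p, trusted_uid=me)
    # A helper owned by the same account that invokes it is exactly the sudo trap
    results["same-owner"] = audit_privileged_helper(
        os.path.join(d, "safe.sh"), trusted_uid=me, invoker_uid=me)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```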

Gotcha. Securely let the app run some commands that change sensitive operating system settings and/or sensitive app settings. There are many, many ways to do this safely and securely.

Follow up questions:

  1. Are there docs or, better, a script to install a branch of the app directly from GitHub source, let’s say for example the currently tagged 15.0 branch, onto an empty CentOS 7? Obviously, it’d result in a plain vanilla version of the app; probably the file hashes wouldn’t be there since they’d be generated after GitHub by another script that does the tarball. The idea is just to download and run any branch from source.

  2. Also, a script to update an existing install of let’s say an outdated github branch, for example 15.0 from X days ago, by downloading the current 15.0 branch.

  3. Any docs or, better, a script to download the entire app (all modules) and run all its PHP unit tests or CI?

There’s nothing magic with pulling from git - just pull! There’s a bunch of instructions here: https://wiki.freepbx.org/display/FOP/Developer+Corner+Home

I, personally, prefer to clone to /usr/src/freepbx/modulename and then ln -s that folder to /var/www/html/admin/modules/modulename, but it’s totally up to you how you do it.

To create the module.sig, you just use the Devtools repo to generate the signature - see https://wiki.freepbx.org/display/FOP/Signing+your+own+modules#Signingyourownmodules-LocalKeyWalkthrough for the walkthrough on how to do it.

Good Day,
I’ve recently started working on a few FreePBX servers. Learning as I go. I was reading about the firewall piece. I built a new FreePBX server and activated the firewall. Pretty robust firewall. But, I have a question or two. While I was learning about iptables the first three statements were to be set to DROP, but I notice FreePBX sets them to ACCEPT.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

I see these followed by several addons like blacklist, hosts, etc. Does this setup better manage the rules by allowing all access first then filtering after access is accepted? How does this work?

Regards,
Ron

It’s normally best to run the command iptables-save (note that is one word, no space) which will dump the ENTIRE iptables entry. The -P flag means ‘if I’m not told otherwise then …’.
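To see what the -P policy means against the rest of an iptables-save dump, here is an added Python parser (not FreePBX code) that reads a dump and works out the fate of a packet that no selective rule matches: a chain whose policy is ACCEPT is still closed if an unconditional REJECT or DROP sits at its end. The dump below is constructed for illustration; the fpbxblacklist and fpbxhosts chain names are taken from this thread.

```python
"""Inspect an iptables-save dump: what happens to a packet that matches no rule?"""
# Constructed iptables-save excerpt for illustration; not copied from a FreePBX host.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fpbxblacklist - [0:0]
:fpbxhosts - [0:0]
-A INPUT -j fpbxblacklist
-A INPUT -j fpbxhosts
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A fpbxhosts -s 192.0.2.10/32 -j ACCEPT
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_iptables_save(text):
    """Return {chain: {"policy": str, "rules": [(match_tokens, target)]}}."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                      # ':NAME POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):                  # '-A CHAIN <matches> -j TARGET ...'
            tok = line.split()
            j = tok.index("-j")
            chains[tok[1]]["rules"].append((tok[2:j], tok[j + 1]))
    return chains

def effective_default(chains, name):
    """Fate of a packet matching no selective rule: the first unconditional terminal
    rule (also via unconditional jumps into user chains), else the -P policy."""
    for matches, target in chains[name]["rules"]:
        if matches:                                   # fires only for some packets
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":                        # back to the caller
            break
        if target in chains:                          # unconditional jump; look inside
            inner = effective_default(chains, target)
            if inner in TERMINAL:
                return inner
    return chains[name]["policy"]                     # '-' for user chains = RETURN

def open_builtin_chains(chains):
    """Built-in chains where '-P ACCEPT' really is the final word."""
    return [c for c in ("INPUT", "FORWARD", "OUTPUT")
            if c in chains and effective_default(chains, c) == "ACCEPT"]
```

Feed it the real output of iptables-save instead of SAMPLE to see which of your own built-in chains still fall through to ACCEPT.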

Hello Rob,
Ok, it’s just different than how I learned iptables. Those three initial statements were always set to DROP. Then I followed with the rules to ACCEPT, DENY, DROP, NAT statements. The -N statements are used to access tables that are known fraud? For example -N fpbxblacklist is known fraud IPs? Is there anything else I need to do to use that function of fpbxblacklist? I read in another link I had to create scripts that tie to fail2ban. I would like to verify the system has set that up while configuring the firewall and there’s nothing waiting on me to complete.

If the blacklist is good to go I am going to work to implement the firewall on our live system. The lab worked out without any issue.

Regards,
Ron

Ronald,
You can read more about how it’s supposed to work here:
https://wiki.freepbx.org/display/FPG/Responsive+Firewall
This “Responsive Firewall” is nice because it lets users and devices log in to the PBX, without making your system admin, or your users, add their IP address to the whitelist in advance of the login.

… and, if you don’t have “outside” connections (from non-local/non-trusted networks), you can disable it entirely and only allow SIP connections from trusted agencies.

Good Morning Folks,
Thank you for the information. I’ve been reading the docs and forum. Good stuff. Yes, this is something that is proving useful. Implemented it last week.

Regards,


Yeah, it makes no sense why they show the Firewall module on the non-official distro. Funny thing is they say no commercial modules will work on the non-official version but they list a dozen of them for you to install like SIPSTATION… They’re not even consistent on what they say. Besides that, if you try to install the SN7 official ISO to a VPS it won’t work because they don’t have a version that requires no user prompts/input. When dealing with VPSs you have to set up SSH keys before you can SSH into the console, but the freakin ISO won’t install by itself for you to upload a key to the VPS… I hope they decide someday to make an official distro that will use default values to install if there is no user input during installation. Anyways, just my rant…
