Firewall trusts only IP addresses, but not hostnames

Hello,

I read everywhere (FAQ, fwconsole help, GUI) that it’s possible to add a hostname instead of an IP address to the trusted network, but it doesn’t work for me.

I use FreePBX in a virtual environment (PROXMOX KVM) with a public, static IP like this:

PBX Version: 14.0.4.5
PBX Firmware: 12.7.5-1807-1.sng7
PBX Service Pack: 1.0.0.0

IP: a.b.c.d (one of the subnet IP addresses)
Netmask: 255.255.255.255
Gateway: a.b.y.z (the IP address of the host)
Actually the gateway is a route for 0.0.0.0 to the IP address of the host in a different network.
This kind of network setup is widely used in virtual environments.
IPv6 is also configured.

…and the internet is working fine.

But because the clients connect to FreePBX through the internet and their IP addresses are dynamic, I use FQDN hostnames (DDNS) to reach them. These hostnames are also resolvable and pingable within FreePBX.

But if I add these hostnames to FreePBX trusted networks through the GUI or command line (fwconsole firewall trust my.hostname; fwconsole firewall stop; fwconsole firewall start) they remain blocked.
However, if I add the corresponding IP addresses instead, then it works (but it’s not a solution).

Please help me to solve this.

Thank you.

I am seeing similar, but I don’t have time to chase it. Please open a bug ticket. See below.

Keep in mind that adding a FQDN to iptables is 100% possible, however, you will not see the FQDN in the iptables rules. IPTables will resolve the domain when loaded and then write out all the IPs it resolves for that domain to the tables.

So if you enter www.blah.com in your iptables rules, when iptables actually adds it in and blah.com has three IPs that it resolves to, you’ll end up with those three IPs in iptables, which means you end up with:

DROP       all  --  192.168.1.1        0.0.0.0/0
DROP       all  --  192.168.2.1        0.0.0.0/0
DROP       all  --  192.168.3.1        0.0.0.0/0

If you do an iptables -L, iptables will do a rDNS lookup on the IPs in the list.

So in your case if you are using DDNS for this user and you add their DDNS domain, iptables is going to resolve the current IP that is being used by the DDNS record. If 20 minutes from now that DDNS record changes and iptables hasn’t been reloaded, the new IP isn’t in the list. You would need to restart iptables to make it do a new DNS lookup.

That being said, there is a reason the Responsive Firewall exists and this is 100% that reason. It will do rate limiting/connection marking/tracking and if IPs are being naughty, they are blocked. If IPs come in and they register or auth properly, they are added to a “Good IPs” list that gives them the access they need to the box (like UCP).

So either use the Responsive Firewall or if you’re not using the Distro, write proper iptables rules that will handle your REGISTER/INVITE traffic like the Responsive Firewall.


A bit of testing and my earlier issue was with using fwconsole to add to the firewall trusted list. Adding FQDNs to the trusted list in the GUI works as expected.

https://issues.freepbx.org/browse/FREEPBX-18511


To BlazeStudios (Tom Ray):
Ok, you say iptables contains the IP address, not the hostname, and if it changes it won’t be updated automatically. Probably it happens, but my main problem is that the firewall blocks or continues to block immediately after adding a FQDN to the trusted network. But now lgaetz found out that it works with the GUI but not on the console, and I can confirm it.

To lgaetz (Lorne Gaetz):
Thank you for your debugging. I did the same and got similar results.
But also a bit more:

1.1) If you add a FQDN in the GUI, it would be added to the Chain “fpbxhosts”.
1.2) If you add a FQDN on the console, nothing happens in iptables.
1.3) If you add a FQDN on the console and then do fwconsole firewall stop; fwconsole firewall start, nothing happens in iptables.

2.1) If you add an IP-address in the GUI, it would be added to the Chain “fpbxnets”.
2.2) If you add an IP-address on the console, nothing happens in iptables.
2.3) If you add an IP-address on the console and then do fwconsole firewall stop; fwconsole firewall start, then it would be added to the Chain “fpbxnets” just like 2.1).

This means:

  • With IP-addresses, it works in the GUI and on the console, but on the console you have to restart the firewall.
  • With FQDNs it works only in the GUI.

But I’m not sure about BlazeStudios (Tom Ray)'s answer, probably the IP address won’t update later in iptables, but I’m still testing.

The Firewall is based on iptables. What I said earlier is how iptables in general works. The fwconsole command had a bug for submitting FQDNs.

That does not change the fact that adding a FQDN for DDNS will resolve that domain to the IP it resolves to when you add it. If the IP changes, it won’t just update iptables with it. That is, until you restart it and it resolves FQDNs.

@BlazeStudios, the FreePBX firewall service continuously resolves FQDNs in the various firewall zones, and updates the iptables rules as necessary. You can confirm this by adding a valid FQDN to the trusted zone and confirming the IP is present with iptables-save | grep trusted, then editing /etc/hosts so it resolves to a different IP address. After a few minutes, the output of iptables-save | grep trusted will reflect the new IP.

There you go. The Firewall has a workaround for it.

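The drift that the thread describes (a DDNS name changing while iptables still holds the old address) can be checked without reading rules by hand. The script below is an added example, not FreePBX or fwconsole code: it extracts the source addresses from a chain in iptables-save output, compares them with what the hostname resolves to right now through the system resolver, and reports any address that is not yet allowed. The chain name "fpbxhosts" is taken from the thread; the sample rules and addresses are constructed.

```shell
#!/bin/sh
# Added example, not FreePBX's own code: detect DDNS drift between the
# addresses a trusted hostname resolves to now and the addresses iptables
# currently allows in the chain the firewall populates for trusted hosts.

# Constructed stand-in for `iptables-save` output (real output has more
# chains and rules); a live check uses "$(iptables-save)" instead.
SAMPLE_RULES='*filter
:fpbxhosts - [0:0]
-A fpbxhosts -s 203.0.113.10/32 -j ACCEPT
-A fpbxhosts -s 203.0.113.11/32 -j ACCEPT
COMMIT'

# chain_ips RULES CHAIN: print the source addresses allowed in CHAIN,
# one per line, with a trailing /32 stripped.
chain_ips() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            for (i = 3; i < NF; i++)
                if ($i == "-s") { sub(/\/32$/, "", $(i+1)); print $(i+1) }
        }'
}

# missing_ips RULES CHAIN IP...: print every IP (the hostname's current
# resolution) that CHAIN does not allow yet; prints nothing when in sync.
missing_ips() {
    rules=$1; chain=$2; shift 2
    allowed=$(chain_ips "$rules" "$chain")
    for ip in "$@"; do
        printf '%s\n' "$allowed" | grep -qx "$ip" || printf '%s\n' "$ip"
    done
}

# check_host CHAIN FQDN: resolve FQDN via getent (so an /etc/hosts override
# is honoured, as in the thread) and compare against the live rules.
# Exit 0 when in sync, 1 when an address is missing, 2 when unresolvable.
check_host() {
    ips=$(getent ahostsv4 "$2" | awk '{print $1}' | sort -u)
    [ -n "$ips" ] || { echo "$2 does not resolve"; return 2; }
    # shellcheck disable=SC2086  # word-split the resolved address list
    missing=$(missing_ips "$(iptables-save)" "$1" $ips)
    [ -z "$missing" ] && { echo "$2: in sync with $1"; return 0; }
    echo "$2: DDNS changed, not yet in $1: $missing"; return 1
}
```

Run `check_host fpbxhosts phone.example.net` on the PBX (as root, since iptables-save needs it) after the /etc/hosts edit lgaetz suggests; it should report the address missing and then in sync once the firewall service has refreshed the rules.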
