Firewalld Whitelist

Running Asterisk 16 with FreePBX 14 – not the distro version – expert – roll your own on CentOS 7

I have installed fail2ban and firewalld and both are working fine.

I am using Flowroute as my SIP trunk provider over port 5065 (I moved my regular SIP port from 5060 to 5065).

The issue is I am getting a ton of connection attempts on my SIP port, and while fail2ban does catch them and ban them, I would like to simply lock down 5065 so that the only connections allowed are from Flowroute servers in the first place.

To that end I did the following:

In the public zone of firewalld I have added 5065/tcp as an allowed port.

I have also added the following rich rules:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="147.75.60.160/28" port port="5065" protocol="tcp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="147.75.65.192/28" port port="5065" protocol="tcp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="34.226.36.32/28" port port="5065" protocol="tcp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="34.210.91.112/28" port port="5065" protocol="tcp" accept'

Do I just use the rich rules and not add 5065/tcp as an allowed port?

Do I allow 5065 and use the rich rule set?

I just want to make sure this is the correct way to set up firewalld.

Thanks

OK – so just to answer my own question, and for future reference in case someone has the same question.

The answer, I believe, is as follows:

First, do not allow 5065 (in my case, or 5060 if using the out-of-the-box settings) as an allowed port.

Then, when setting up the rich rules – at least for Flowroute – you need to allow traffic for BOTH TCP and UDP. This was my mistake: my rich rules above only allowed TCP and not UDP as well, which caused intermittent inbound call connections.

Therefore the correct set of rich rules for locking down Flowroute with firewalld is as follows:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="147.75.60.160/28" port port="5065" protocol="tcp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="147.75.65.192/28" port port="5065" protocol="tcp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="34.226.36.32/28" port port="5065" protocol="tcp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="34.210.91.112/28" port port="5065" protocol="tcp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="147.75.60.160/28" port port="5065" protocol="udp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="147.75.65.192/28" port port="5065" protocol="udp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="34.226.36.32/28" port port="5065" protocol="udp" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="34.210.91.112/28" port port="5065" protocol="udp" accept'

I would then suggest running

firewall-cmd --reload

and

firewall-cmd --list-all

Hope that helps –
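The procedure in the answer above (no blanket port opening, one TCP and one UDP rich rule per Flowroute range, reload, then inspect), written as a script. This is an added example, not code from the post or from Flowroute: it assumes the `public` zone, port 5065 and the four /28 ranges exactly as posted in the thread (check them against the provider's current published list before relying on them), and it adds a `check` mode that queries the running configuration so you can confirm the port is no longer open to the world and that no rule, TCP or UDP, went missing.

```shell
#!/usr/bin/env bash
# Added example (not from the forum post). Assumptions: firewalld zone
# "public", SIP signalling on 5065, and the four Flowroute /28 ranges as
# posted in the thread. Usage (as root):
#   ./sip-whitelist.sh apply   # change the permanent config and reload
#   ./sip-whitelist.sh check   # verify the running config, non-zero on a gap
# With no argument it only prints the rich rules it would add.

ZONE=public
SIP_PORT=5065
# Source ranges as posted in the thread; verify against the provider's
# current list before trusting them.
FLOWROUTE_NETS="147.75.60.160/28 147.75.65.192/28 34.226.36.32/28 34.210.91.112/28"

# Build one rich rule: accept SIP_PORT over protocol $2 (tcp|udp) only from CIDR $1.
sip_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' \
        "$1" "$SIP_PORT" "$2"
}

# Print every rule the whitelist needs, one per line. Both TCP and UDP are
# emitted for each range: the post's original TCP-only rules broke inbound calls.
sip_rules() {
    local net proto
    for net in $FLOWROUTE_NETS; do
        for proto in tcp udp; do
            sip_rich_rule "$net" "$proto"
            printf '\n'
        done
    done
}

# Number of rules sip_rules emits (ranges x 2 protocols); used as a sanity check.
sip_rule_count() {
    sip_rules | wc -l | tr -d ' '
}

# Apply to the permanent config: remove any blanket port opening first (a plain
# --add-port would accept 5065 from anyone and make the rich rules pointless),
# then add each rich rule and reload so the running config picks them up.
apply_sip_whitelist() {
    local rule proto
    for proto in tcp udp; do
        firewall-cmd --permanent --zone="$ZONE" --remove-port="${SIP_PORT}/${proto}" >/dev/null 2>&1 || true
    done
    sip_rules | while IFS= read -r rule; do
        firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
    done
    firewall-cmd --reload
}

# Verify the running config (not just the permanent one): the blanket port must
# be closed and every expected rich rule present. Returns 1 on any gap.
check_sip_whitelist() {
    local rule proto failed=0
    for proto in tcp udp; do
        if firewall-cmd --zone="$ZONE" --query-port="${SIP_PORT}/${proto}" >/dev/null 2>&1; then
            echo "FAIL: ${SIP_PORT}/${proto} is open to every source in zone ${ZONE}"
            failed=1
        fi
    done
    # Here-document instead of a pipe so "failed" survives (a pipe would run the
    # loop in a subshell and lose the assignment).
    while IFS= read -r rule; do
        if ! firewall-cmd --zone="$ZONE" --query-rich-rule="$rule" >/dev/null 2>&1; then
            echo "FAIL: missing rich rule: $rule"
            failed=1
        fi
    done <<EOF
$(sip_rules)
EOF
    if [ "$failed" -eq 0 ]; then
        echo "OK: zone ${ZONE} accepts ${SIP_PORT} only from the listed ranges, tcp and udp"
    fi
    return "$failed"
}

case "${1:-}" in
    apply) apply_sip_whitelist ;;
    check) check_sip_whitelist ;;
    *)     sip_rules ;;
esac
```

`check` queries the active rules rather than the permanent file, which is the state that actually filters packets; run it after the `--reload`, and again after any later `firewall-cmd --permanent` change, since a forgotten reload leaves the running config unchanged. The rich rules only cover signalling on 5065; media (RTP) ports are not addressed by the thread and are not touched here.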
