FPBX 15 firewall, hosts being added to zone-trusted without me doing anything


#1

I just noticed that my FreePBX systems seem to be automatically adding hosts to zone-trusted without me putting anything in to do so. I’ve double-checked in MySQL to see if those hosts are there, but they are not. If I delete the rules from the fpbxhosts chain, when I restart the firewall using fwconsole, the rules are put back in place.
Anyone have any idea why/how it is doing this? Some of these hosts have never contacted the pbx so not clear how it is even learning about them.


#2

LoL, now I’ve figured it out by looking up all the IPs being added. It is adding any host specified in /etc/hosts to zone trusted.
Anyone have any idea why it does that? Googling around has not found anything so far that says this is expected behaviour.


#3

This seems like a bad idea to do this - what if someone’s fpbx box is internet-facing and one adds their SIP provider to /etc/hosts - now that IP has full access to the fpbx box.

Code (bin/getservices) doesn’t say why:
// Grab /etc/hosts and make sure that every host in there is added
// to the trusted zone


#4

To verify this, I took some entries out of /etc/hosts and did fwconsole firewall restart, and those hosts were no longer in iptables.


(Lorne Gaetz) #5

I’m on vacation this week, but it warrants further investigation. Open a ticket on this pls.
https://issues.freepbx.org/


#6

Made https://issues.freepbx.org/browse/FREEPBX-21989


(Lorne Gaetz) #7

There is now a Firewall advanced setting to disable this behavior: Major facelift to the FreePBX Firewall
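
The manual check from posts #1 to #4, as an added example that is not part of the original thread or of FreePBX's own code: it lists which /etc/hosts addresses the fpbxhosts chain currently sends to zone-trusted. The rule format (`-A fpbxhosts -s <addr> -j zone-trusted`, as `iptables -S fpbxhosts` would print it) is an assumption, and the sample hosts and rules are constructed.

```python
import ipaddress
import shlex
# Constructed sample inputs (documentation address ranges), not real data.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.0.2.10   sip.provider.example   # trunk added only for name resolution
198.51.100.7 backup.example
"""
# Assumed shape of `iptables -S fpbxhosts` output.
SAMPLE_RULES = """\
-N fpbxhosts
-A fpbxhosts -s 127.0.0.1/32 -j zone-trusted
-A fpbxhosts -s 192.0.2.10/32 -j zone-trusted
-A fpbxhosts -s 203.0.113.5/32 -j zone-trusted
"""

def hosts_file_ips(text):
    """Map each address in /etc/hosts-style text to its hostnames."""
    found = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        found.setdefault(ip, []).extend(fields[1:])
    return found

def trusted_sources(rules_text, chain="fpbxhosts", target="zone-trusted"):
    """Source networks in `chain` whose rule jumps to `target`."""
    nets = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        opts = dict(zip(tok, tok[1:]))  # option -> the token that follows it
        if opts.get("-A") == chain and opts.get("-j") == target and "-s" in opts:
            nets.append(ipaddress.ip_network(opts["-s"], strict=False))
    return nets

def trusted_via_hosts(hosts_text, rules_text):
    """Hosts-file addresses that the chain currently sends to the trusted zone."""
    nets = trusted_sources(rules_text)
    return {str(ip): names for ip, names in hosts_file_ips(hosts_text).items()
            if any(ip.version == n.version and ip in n for n in nets)}

if __name__ == "__main__":
    print(trusted_via_hosts(SAMPLE_HOSTS, SAMPLE_RULES))
```

On a real system, pass the contents of /etc/hosts and the saved output of `iptables -S fpbxhosts` in place of the samples; any non-loopback address in the result is one to review.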