FPBX 15 firewall, hosts being added to zone-trusted without me doing anything

I just noticed that my freepbx systems seem to be automatically adding hosts to zone trusted w/o me putting anything in to do so. I’ve double-checked in mysql to see if those hosts are there, but they are not. If I delete the rules from the fpbxhosts chain, when I restart the firewall using fwconsole, the rules are put back in place.
Anyone have any idea why/how it is doing this? Some of these hosts have never contacted the pbx so not clear how it is even learning about them.

LoL, now I’ve figured it out by looking up all the IPs being added. It is adding any host specified in /etc/hosts to zone trusted.
Anyone have any idea why it does that? Googling around has not found anything so far that says this is expected behaviour.

It seems like a bad idea to do this - what if someone’s fpbx box is internet-facing and one adds their SIP provider to /etc/hosts? Now that IP has full access to the fpbx box.

Code (bin/getservices) doesn’t say why:
// Grab /etc/hosts and make sure that every host in there is added
// to the trusted zone

To verify this, I took some entries out of /etc/hosts and did fwconsole firewall restart, and those hosts are no longer in iptables.

I’m on vacation this week, but it warrants further investigation. Open a ticket on this pls.
https://issues.freepbx.org/

Made https://issues.freepbx.org/browse/FREEPBX-21989

1 Like

There is now a Firewall advanced setting to disable this behavior: Major facelift to the FreePBX Firewall

2 Likes
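
An added example, not part of the thread or of FreePBX's code: a shell check that lists which source addresses in the fpbxhosts chain also appear in /etc/hosts, the overlap the posts above describe. The sample hosts file and rule lines are constructed, and the rule layout (`-s <ip>/32 -j zone-trusted`) is an assumption; on a live system, save `iptables -S fpbxhosts` to a file and pass it with `/etc/hosts`.

```shell
#!/bin/sh
# Added example (not FreePBX code): report fpbxhosts sources that are also
# listed in a hosts file.

# trusted_via_hosts HOSTS_FILE RULES_FILE
# RULES_FILE holds saved `iptables -S fpbxhosts` output.
# IPv4 only; loopback entries (127.x) are ignored.
trusted_via_hosts() {
    awk '
        kind == "hosts" {
            sub(/#.*/, "")                    # drop comments
            if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 !~ /^127\./)
                in_hosts[$1] = 1
            next
        }
        kind == "rules" && $1 == "-A" {
            for (i = 2; i < NF; i++)
                if ($i == "-s") {
                    src = $(i + 1)
                    sub(/\/32$/, "", src)     # host rules carry a /32 mask
                    if (src in in_hosts) print src
                }
        }
    ' kind=hosts "$1" kind=rules "$2" | sort -u
}

# Constructed sample data (documentation address ranges, hypothetical names).
tmp=$(mktemp -d)
cat > "$tmp/hosts" <<'EOF'
127.0.0.1    localhost
192.0.2.10   pbx.example.test pbx
198.51.100.7 sip.provider.example   # SIP trunk
EOF
cat > "$tmp/rules" <<'EOF'
-N fpbxhosts
-A fpbxhosts -s 192.0.2.10/32 -j zone-trusted
-A fpbxhosts -s 198.51.100.7/32 -j zone-trusted
-A fpbxhosts -s 203.0.113.44/32 -j zone-trusted
EOF
echo "In fpbxhosts and also in the hosts file:"
trusted_via_hosts "$tmp/hosts" "$tmp/rules"
rm -rf "$tmp"
```

Any address it prints is one to review before the box is exposed to the internet, either by removing the /etc/hosts entry or by using the Firewall advanced setting mentioned above.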
