I have set up some rules in iptables for port forwarding and masquerading. These have been saved in the iptables startup file using:
service iptables save
The freepbx firewall can be started using:
fwconsole firewall start
…however this flushes all of my existing rules and replaces them with the freepbx firewall rules.
Is there a method of starting the freepbx firewall which can preserve my default rules without flushing them?
The last time someone asked this question, there were a few really good reasons why Rob (@xrobau) said “No”.
It seems to me that his position was that there are very few things you need to do in the firewall that you can’t do with the GUI, and if there were any, let him know.
Have you put in a Feature Request for the specific items you want to add?
Forwarding and Masq were previously explicitly NOT supported. However, the decision was made a couple of weeks ago that we ARE going to support it.
I’ll be working on it early next year.
Thanks Rob for this update. I am very happy to hear that you will be working on this in the new year. I hope you have an enjoyable seasonal break
In answer to Dave Burgess above, I know FPBX has its own VPN settings in the GUI but OpenVPN has a fair bit more to it than the GUI allows.
We are networking three remote FreePBX sites to a central FreePBX, which handles most (but not all) of the trunks. The remote sites are all behind a NAT on dynamic IPs, whilst the central PBX is NONAT and Static IP in a Data Centre. For one remote site to call another remote site, it must go via the central server. Furthermore, one of the remote sites is in a jurisdiction that blocks VOIP, so to make this work seamlessly I have set up a VPN client on each machine and a VPN server on the central PBX. The Server VPN needs to have Forward and Masquerade set up so that clients can see each other.
It’s fairly easy to set up OpenVPN manually in the ovpn files and then to insert the relevant rules into iptables. Everything works until the FreePBX firewall kicks in and overwrites my iptables rules.
So I am delighted that Rob will be looking into this soon. In the meantime - I will just try not to restart the firewall!
Merry Christmas everyone
Take a look at http://issues.freepbx.org/browse/FREEPBX-13123
I had the same issue as you, I reported it and got it fixed.
Yes I did see this issue, but it doesn’t seem fixed for me.
The thread above suggests that “Forwards and Masquerading” was not included in the fix, but that it has now been decided to support it.
Rob says he will look into this, so I look forward to seeing his New Year’s resolution… (pun intended).
Good morning Rob,
Wishing you a Happy New Year and was wondering if you had started work on this issue as yet?
Hi Again Rob,
Did you get a chance to look at this issue please?
SInce the original report was raised, I had occasion to restart another server which has thrown up the same issue. After restart, the FreePBX firewall wipes out my Forward and NAT Masquerade rules.
Hi again Rob,
Just bumping this issue which is not yet resolved.
Any updates please?
Hello again Rob,
I do hope I haven’t caused you any offence. If so, I assure you it was unintentional and I do appreciate your valuable guidance.
Sorry to sound so needy but this firewall issue is still causing problems. I did download a recent update to the Firewall, which of course required a reload. Again all my forwarding and nat rules were flushed which broke the VPN.
I realise you must have other priorities, but you mentioned this was a job for “early in the New year”, so I was just wondering if you had a timeline for this?
Sorry, it hasn’t got to the top of my list. I do find it surprising that it’s causing you problems though.
TBH it isnt causing huge problems, its just that everytime there is a reboot or restart involving the firewall, I have to manually re enter the forward and masquerade rules.
It doesn’t happen that often so more of an annoyance really. Just something that keeps nagging at me to do…
I fully understand you have other priorities.
Isn’t there a “custom” thing that can be executed after the server restarts?
I seem to recall someone needing something that ran on every boot (it’s been a few years ago) but don’t you guys have something in “fwconsole start” that executes a batch file in /etc/asterisk?
While not solving the problem directly, I’d think it would be pretty simple to check for the existence of a “/etc/asterisk/after_boot” file and source it if it exists as part of fwconsole…
If that existed, Andy’s problem with the additional firewall rules could be solved, someone else’s “after asterisk is running, I need to run this program” problem goes away in one swell foop.