I am thinking of using the firewall and responsive firewall in FreePBX. What is the normal setup for my hardware router? Should I just allow all traffic to the PBX on a SNAT from external IP to internal address and then just let the PBX sort it all out, or should I be limiting the ports on my policy to just what is needed? If the former, happy days, no more pin holes! If the latter, what ports should I be opening?
It's up to you. If you go the multiple pinhole route, you want this page:
Thanks for that. I assume with the pinhole route, I have to be spot on for what my provider wants in terms of ports open too, whereas with everything open it will take whatever RTP range they want to throw at me.
The SIP session negotiates the RTP port(s) used, and it will be in the range you’ve defined in Asterisk SIP Settings. You don’t have to guess.
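The negotiation described in the reply above can be checked from the PBX's own SDP. This is an added example, not part of the original thread or FreePBX code: it parses the `m=` lines of a constructed SIP message and reports any advertised port that falls outside the router's forwarded range. The function names, the sample message and the assumption that RTCP uses the RTP port plus one are illustrative.

```python
import re

# Assumption: the UDP range forwarded on the router, as opened in this thread.
PINHOLE = (6000, 40000)

# Constructed sample (not captured traffic): a SIP 200 OK with an SDP answer.
SAMPLE = (
    "SIP/2.0 200 OK\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 18422 RTP/AVP 0 8 101\r\n"
    "m=video 40000 RTP/AVP 99\r\n"
    "m=image 0 udptl t38\r\n"
)

# m=<media> <port>[/<number of ports>] <proto> <formats...>
M_LINE = re.compile(r"^m=(\w+) (\d+)(?:/(\d+))? \S+")


def media_ports(sip_message):
    """Return {media: sorted UDP ports} advertised in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    found = {}
    for line in body.splitlines():
        m = M_LINE.match(line)
        if not m or int(m.group(2)) == 0:   # port 0 = stream declined
            continue
        base, count = int(m.group(2)), int(m.group(3) or 1)
        ports = found.setdefault(m.group(1), set())
        for i in range(count):
            # Assumed pairing: RTP on the listed port, RTCP on the next one up.
            ports.update((base + 2 * i, base + 2 * i + 1))
    return {media: sorted(p) for media, p in found.items()}


def outside_pinhole(sip_message, pinhole=PINHOLE):
    """List (media, port) pairs the router range would not forward."""
    low, high = pinhole
    return [(media, port)
            for media, ports in media_ports(sip_message).items()
            for port in ports if not low <= port <= high]


if __name__ == "__main__":
    print(media_ports(SAMPLE))
    print(outside_pinhole(SAMPLE))
```

In the sample, the video stream sits on the last forwarded port, so its RTCP companion lands just outside the range; keeping the Asterisk RTP range strictly inside the router range avoids that.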
Great ports pages set up by Tony. Everyone needs this taped to the wall or whatever. Thanks to Tony and your suggestion.
All done, 5060 UDP and 6000-40000 UDP opened.
Turned the firewall on, and it already has 3 attackers in the banned list, only problem is I can still see him attacking. Does the firewall not actually block the attacker?
I assume the odd non-critical invite transaction timeout is a product of these “interventions” from the attackers?
In my setup, what I do is when the FreePBX firewall blocks an attacker, I hard code it into the main firewall to block it in the future before it hits FreePBX again.