Versions prior to 13.0.3 were vulnerable to an issue with the custom port range not being correctly validated, and it was possible for an attacker who had webuser privileges to gain root privileges. This was fixed in 13.0.3, and is now available for automatic upgrades.
Current state of the module
Firewall is now deemed stable. This means that it’s now being switched to an active/beta development track. New features will be added to Beta, and then when they’re bug-free, will be moved to the release track.
The third post (the one below this) will be kept up to date as much as possible.
This is only working on RHEL 6-based machines, with the sysadmin-rpm package installed, at the moment. This means that this is limited to FreePBX Distro, AsteriskNow, PIAF(? I think they have syadmin-rpm?), etc.
C7, Debian, Ubuntu, etc, are 100% not working, and are going to entail a significant amount of work. There is no ETA, sorry.
Documentation for this module is contained in the FreePBX Wiki. As this is a reasonably complex module, please read and comment on what it’s missing, or what is unclear!
- Fail2Ban can intercept and inject itself ABOVE the firewall. This needs work.
- /tmp/firewall.log now captures all logging and errors correctly. If you get an alert that the firewall process is not running, please paste the last few lines of that file into your error report!
Tasks Remaining (Last update 2015-11-12)
(This is in rough order of priority)
- Figure out what to do about fail2ban being overly enthusiastic
- Add a new zone, ‘Registered’, rather than just allowing them UCP access
- Bonus awesome idea: Integrate into User Manager, so you can let ext 1234 have ssh, ucp, and admin access, but ext 1235 only have ucp
- Remove requirement on sysadmin-rpm
- This is a low priority, because this means that support for everything ELSE (firewalld, ufw, etc) needs to be complete. Sorry. Feel free to submit pull requests, I care, honestly.
This is the primary development environment. If you wish to do development, it’s strongly suggested you start with a CentOS 6 based FreePBX machine (Such as FreePBX Distro, or Asterisk Now).
This is the next target, and will be made part of the new FreePBX Distro CentOS 7-based release, which is expected to be out of beta before the middle of 2016.
Ubuntu and Debian
Low priority. Estimated after CentOS 7 is released.
The cause of the delay is there is, currently, no secure way of doing privilege escalation on the Non-Distro machines. Explanations of why this is hard is in this post.