FreePBX Firewall Thread! (2nd Post has status)


#99

But because you have now blacklisted the entire network, how can you now remotely “. . .reboot the machine, log in, fix it, and that’s it” ?

(P.S. And after rereading, I would respectfully state that my post was not a summary, it was in fact a question.)


(Rob Thomas) #100

Um, I don’t know? That’s kinda up to the implementer. At worst, you would call someone and say ‘Can you please push the reset button on machine XYZ’.

You were asking ‘what happens when you turn the firewall on after giving it a bad config’. That’s not how the firewall works. It’s on all the time.


(D Rubie) #101

Rob,

I like the 5 minute delay so you don’t lock yourself out of your system… it’s a simple approach. The problem I had did not lock me out of the system… because the firewall wizard ran after an update and I always placed my IP address in the trusted zone, also the Ethernet interface was set to trusted.

With both of these failsafes turned on I was able to ssh to the server and turn off iptables to reset everything. What was happening is that only IP addresses that were trusted were allowed to register/sign on the system. As I said, version 13.0.6 fixed whatever was causing that issue.

I will run the update to get the 5 min delay…because who knows what can happen.

D R


(Rob Thomas) #102

I found a system that had managed to - somehow - get itself confused enough that the firewall rules were half there, and half not there.

The good news is, I now know what to look for, and it’ll self-heal if that happens again!

I’ve got a good feeling about 13.0.9!


(Lorne Gaetz) #103

Just got this message:

Firewall Rules corrupted! Restarting in 5 seconds

Explains a few mysteries…


(Rob Thomas) #104

I’d love to know WHAT’S breaking iptables. 8-\

Edit: If you look in /tmp/firewall.log, it’ll say what’s missing - either interfaces or rtp ports, and ipv4 or ipv6.


#105

Just want to be sure I’m not missing something… So the new 5-minute “Safe Mode” means that anyone launching a DDOS attack that crashes your server gets a free pass through your firewall after it reboots? What’s safe about that??


(TheJames) #106

Glad to see such a respected member of the community is testing out beta software and working to improve the user experience. All feedback is valuable and helps us improve. This is the great thing about the open source community. Please test out your theory and let us know what happens. If things do not work as expected please feel free to file a bug report at http://issues.freepbx.org with steps to reproduce your results. As always the code is available on github if you would like to provide any patches. Patches are always welcome.


#107

Works exactly as expected. Server crashes. Server reboots. Bad guys get a 5-minute free pass through the disabled firewall. Glad you have a sense of humor about it… so far.


(TheJames) #108

How did you make the server crash? Can you provide steps to reproduce this attack vector?


(Rob Thomas) #109

After an insanely obvious suggestion by @SysAdminMan I’m now not letting you install the firewall module if the sysadmin RPM isn’t installed. facepalm. Sorry for being dumb. That and a couple of other things makes 13.0.10. Which I’m feeling REALLY good about.

Edit: Another fix in 13.0.11 was some bad chan_sip detection.


#110

Hi Rob

Edit - Just saw you made the code change with the 1000 default. Many thanks!


#111

Hi Rob

Actually, I’m still seeing an error about /proc/timer_list (failed to open stream).

(firewall | 13.0.11.1)

I think it just needs to check it exists before trying to open here?

    public function getCurrentJiffie() {
            $jf = file("/proc/timer_list", \FILE_IGNORE_NEW_LINES);
            // Find the first entry that is 'jiffies: ' and return it
            foreach ($jf as $l) {
                    // (loop body and closing braces reconstructed from the comment above; the post was truncated here)
                    if (strpos($l, 'jiffies: ') === 0) { return (int) substr($l, strlen('jiffies: ')); }
            }
    }

Also, even when bypassing that warning I don’t see the firewall start after 5 minutes (even though the message in the GUI about being disabled for the first 5 minutes disappears). Please could you point me to how the firewall is getting started so I can check if this is specific to me or a general thing. The firewall rules do actually get applied if I enable/disable the firewall in the GUI, so it is working OK I think, just not getting started after the 5 minute period.

One last thought … it seems during those first 5 minutes any default firewall rules are left in place. There’s a chance, depending on what rules were in place before the FreePBX firewall was enabled, the user could still find themselves locked out.

If it’s decided to have this 5 minute “open” period it’s probably a good idea to actively ACCEPT and flush any rules.

Thanks - Matt
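As an added illustration of the existence check Matt proposes (this is not the firewall module's own code, and the helper names `parseJiffies` and `readJiffies` are assumptions for the example), the jiffies lookup split into a pure parser and a reader that returns null instead of raising a "failed to open stream" warning when /proc/timer_list is absent or unreadable:

```php
<?php
// Added example, not the FreePBX firewall module's code. Helper names are
// assumptions for this illustration.

/**
 * Return the value N of the first line of the form "jiffies: N",
 * or null if no such line exists.
 */
function parseJiffies(array $lines): ?int {
    foreach ($lines as $l) {
        // The real kernel output puts "jiffies:" at column 0, so anchor there.
        if (preg_match('/^jiffies:\s*(\d+)\s*$/', $l, $m)) {
            return (int) $m[1];
        }
    }
    return null;
}

/**
 * Read jiffies from a timer_list style file. Missing or unreadable files
 * yield null rather than a PHP warning, so the caller can choose a fallback.
 */
function readJiffies(string $path = '/proc/timer_list'): ?int {
    if (!is_readable($path)) {
        return null;
    }
    $lines = @file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return null;
    }
    return parseJiffies($lines);
}

// Constructed sample shaped like the first per-cpu block of /proc/timer_list.
$sample = [
    'Timer List Version: v0.7',
    'HRTIMER_MAX_CLOCK_BASES: 4',
    'now at 1234567890 nsecs',
    '',
    'cpu: 0',
    ' clock 0:',
    '  .base:       ffff88007fc0cd40',
    '  .expires_next   : 1234567890 nsecs',
    '  .hres_active    : 1',
    'jiffies: 4295000000',
];

$fromSample  = parseJiffies($sample);                   // parsed from the constructed lines
$fromMissing = readJiffies('/nonexistent/timer_list');  // null, with no warning emitted
printf("sample: %s, missing: %s\n", var_export($fromSample, true), var_export($fromMissing, true));
```

A caller that receives null can fall back to another clock source or disable the timing-dependent feature, instead of letting the module fail on hosts that lack /proc/timer_list.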


(Andrew Nagy) #112

If you manually modify any code in the firewall it won’t start. Just FYI.


#113

Ah, ok, thanks Andrew. I’ll wait to see if Rob pushes out a fix for the issue I’m having with timer_list and see if the firewall starts normally after that.

Thanks - Matt


(Adam Kayden) #114

is this firewall going to work with HA ?


(xp) #116

FYI Rob,

Wouldn’t it be possible to create a check box or switch named “Add all registered IPs to Other zone”? This could eliminate the need to add a separate zone called register. This would effectively add a target rule in the fpbxknownreg chain that will go to the zone-other chain, which can run any extra or custom services to allow the registered IPs in. This eliminates the need for a whole lot of extra work, and at least is a place to start until smarter people than I have a better idea of what to do. (Unless said idea is already being worked on, then I’ll just stop talking. :slight_smile: And if that is the case my feature request/bug report can be deleted - http://issues.freepbx.org/browse/FREEPBX-12388)

-Jon, Xpedeus


#117

Hello. I just installed the latest FreePBX 13.0 on centos 7 per the wiki here: http://wiki.freepbx.org/display/FOP/Installing+FreePBX+13+on+CentOS+7 and ran into the following when trying to install the module from the webui:

Exception: Hook file '/var/spool/asterisk/incron/firewall.firewall' was not picked up by Incron after 5 seconds. Is it not running?  

    if (!$deleted) {
        throw new \Exception("Hook file '$filename' was not picked up by Incron after 5 seconds. Is it not running?");
    }

and the related callstack information:

    /var/www/html/admin/modules/firewall/Firewall.class.php:231
        4. FreePBX\modules\Firewall::runHook
    /var/www/html/admin/modules/firewall/OOBE.class.php:28
        3. FreePBX\modules\Firewall\OOBE::oobeRequest
    /var/www/html/admin/modules/firewall/Firewall.class.php:44
        2. FreePBX\modules\Firewall::oobeHook
    /var/www/html/admin/libraries/BMO/OOBE.class.php:145
        1. OOBE::runModulesOOBE
    /var/www/html/admin/libraries/BMO/OOBE.class.php:167
        0. OOBE::showOOBE
    /var/www/html/admin/config.php:446

This shows up when I now try to load the landing page. My systemctl status for incrond is as follows:

[root@pbx ~]# systemctl status incrond
● incrond.service - Inotify System Scheduler
Loaded: loaded (/usr/lib/systemd/system/incrond.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2016-06-16 22:25:01 PDT; 16min ago
Process: 908 ExecStart=/usr/sbin/incrond (code=exited, status=0/SUCCESS)
Main PID: 915 (incrond)
CGroup: /system.slice/incrond.service
└─915 /usr/sbin/incrond

Jun 16 22:25:01 pbx.box incrond[915]: loading table local
Jun 16 22:25:01 pbx.box incrond[915]: loading table sysadmin
Jun 16 22:25:01 pbx.box incrond[915]: loading user tables
Jun 16 22:25:01 pbx.box incrond[915]: loading table for user root
Jun 16 22:25:01 pbx.box incrond[915]: ready to process filesystem events
Jun 16 22:25:01 pbx.box systemd[1]: Started Inotify System Scheduler.
Jun 16 22:25:20 pbx.box incrond[915]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.firewall)
Jun 16 22:25:42 pbx.box incrond[915]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.firewall)
Jun 16 22:34:47 pbx.box incrond[915]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.firewall)
Jun 16 22:40:54 pbx.box incrond[915]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.firewall)

I had also been having issues with firewalld and extensions trying to register timing out, but resolved the timeout issues when stopping and disabling firewalld. Obviously, I’d rather not have the firewall be down, but I was testing to make sure I installed everything else correctly and in the process found that my yate client running in the same subnet can only register with my CentOS 7 FreePBX system when firewalld is stopped. I installed the module in hopes of fixing this, but installing the module led to my now not being able to access the UI at all.

I had also installed sysadmin using yum install since the module admin was warning me regarding having sysadmin rpm installed prior to installing the firewall module and I’m not sure if this did irreversible damage to the system.

I tried to run “fwconsole uninstall firewall” and when following that with “fwconsole restart” and loading the webui, I’d get:

0

System Admin 13.0.47.3
Copyright 2016 by Schmoozecom, Inc., All rights reserved

By installing, copying, downloading, distributing, inspecting or using
the materials provided herewith, you agree to all of the terms of use as
outlined in our End User Agreement which can be found and reviewed at
www.schmoozecom.com/cmeula

I had tried yum removing sysadmin as well and I still get the same message from the documentroot of the webui.

At this point, I’d be more than OK with reverting back to a working version and waiting for a version of the module that will run with CentOS 7, but I can’t find info on this.

Thank you.


(Andrew Nagy) #118

Sysadmin, which firewall requires, only works on the freepbx distro.


(Rob Thomas) #119

There are other requirements, such as a compatible zend loader, which all stem from the need of a secure manner of being able to do stuff as root from the webui.

However, I’ll be making sure that Firewall works perfectly with the new C7 based distro, when it’s released.