Negatory on ps auxww | grep firewall, does not return results as expected.
Awesome. That means it crashed… And I don't have any logging about WHY it crashed.
You can start it up again by doing this (as root)
php /var/www/html/admin/modules/firewall/hooks/firewall &> /tmp/firewall.log &
OK. Got it running now. Will try again.
It would have immediately updated the firewall rules. If you have a look at the /tmp/firewall.log file, you should see a bunch of iptables commands
firewall.log is 0 bytes.
That's strange. Try it without the logging. You may need to type 'fg' and then push ^C to kill the current firewall process.
So just run php /var/www/html/admin/modules/firewall/hooks/firewall
This is what you should see, roughly:
[root@ipv6 firewall]# ps auxww | grep firew
root 31812 0.0 0.0 103244 844 pts/0 S+ 04:49 0:00 grep firew
[root@ipv6 firewall]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[root@ipv6 firewall]# hooks/firewall
Starting firewall service
/sbin/iptables -N fpbxfirewall
/sbin/ip6tables -N fpbxfirewall
ip6tables: Chain already exists.
/sbin/iptables -I INPUT -j fpbxfirewall
/sbin/ip6tables -I INPUT -j fpbxfirewall
/sbin/ip6tables -A fpbxfirewall -i lo -j ACCEPT
/sbin/iptables -A fpbxfirewall -i lo -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p udp --sport 1:1024 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A fpbxfirewall -p udp --sport 1:1024 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A fpbxfirewall -p icmp -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p ipv6-icmp -j ACCEPT
/sbin/iptables -A fpbxfirewall -d 255.255.255.255/32 -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT
/sbin/iptables -A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p udp -m udp --dport 67:68 --sport 67:68 -j ACCEPT
/sbin/iptables -A fpbxfirewall -p udp -m udp --dport 67:68 --sport 67:68 -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A fpbxfirewall -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -N fpbxsignalling
/sbin/ip6tables -N fpbxsignalling
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxsignalling
/sbin/iptables -A fpbxfirewall -j fpbxsignalling
/sbin/iptables -N fpbxsmarthosts
/sbin/ip6tables -N fpbxsmarthosts
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxsmarthosts
/sbin/iptables -A fpbxfirewall -j fpbxsmarthosts
/sbin/iptables -N fpbxregistrations
/sbin/ip6tables -N fpbxregistrations
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxregistrations
/sbin/iptables -A fpbxfirewall -j fpbxregistrations
/sbin/iptables -N fpbxnets
/sbin/ip6tables -N fpbxnets
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxnets
/sbin/iptables -A fpbxfirewall -j fpbxnets
/sbin/iptables -N fpbxinterfaces
/sbin/ip6tables -N fpbxinterfaces
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxinterfaces
/sbin/iptables -A fpbxfirewall -j fpbxinterfaces
/sbin/iptables -N fpbxrfw
/sbin/ip6tables -N fpbxrfw
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw
/sbin/iptables -A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw
/sbin/iptables -N fpbxlogdrop
/sbin/ip6tables -N fpbxlogdrop
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxlogdrop
/sbin/iptables -A fpbxfirewall -j fpbxlogdrop
/sbin/iptables -N zone-trusted
/sbin/ip6tables -N zone-trusted
ip6tables: Chain already exists.
/sbin/ip6tables -A zone-trusted -j ACCEPT
/sbin/iptables -A zone-trusted -j ACCEPT
/sbin/ip6tables -A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 11 --name SIGNALLING --rsource -j fpbxlogdrop
/sbin/iptables -A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 11 --name SIGNALLING --rsource -j fpbxlogdrop
/sbin/ip6tables -A fpbxrfw -m recent --set --name SIGNALLING --rsource
/sbin/iptables -A fpbxrfw -m recent --set --name SIGNALLING --rsource
/sbin/ip6tables -A fpbxrfw -m recent --set --name REPEAT --rsource
/sbin/iptables -A fpbxrfw -m recent --set --name REPEAT --rsource
/sbin/ip6tables -A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxlogdrop
/sbin/iptables -A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxlogdrop
/sbin/ip6tables -A fpbxrfw -j ACCEPT
/sbin/iptables -A fpbxrfw -j ACCEPT
/sbin/ip6tables -A fpbxlogdrop -j LOG --log-prefix 'logdrop: '
/sbin/iptables -A fpbxlogdrop -j LOG --log-prefix 'logdrop: '
/sbin/ip6tables -A fpbxlogdrop -j REJECT
/sbin/iptables -A fpbxlogdrop -j REJECT
/sbin/iptables -N fpbxknownreg
/sbin/ip6tables -N fpbxknownreg
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -N fpbxsvc-ucp
/sbin/ip6tables -N fpbxsvc-ucp
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxknownreg -j fpbxsvc-ucp
/sbin/iptables -A fpbxknownreg -j fpbxsvc-ucp
/sbin/ip6tables -D fpbxinterfaces 1
/sbin/ip6tables -A fpbxinterfaces -i eth0 -j zone-trusted
/sbin/iptables -A fpbxinterfaces -i eth0 -j zone-trusted
Looping
Starting update
/sbin/iptables -N fpbxsvc-ssh
/sbin/ip6tables -N fpbxsvc-ssh
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-ssh
/sbin/iptables -A fpbxsvc-ssh -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -N zone-reject
/sbin/ip6tables -N zone-reject
ip6tables: Chain already exists.
/sbin/iptables -N zone-external
/sbin/ip6tables -N zone-external
ip6tables: Chain already exists.
/sbin/iptables -N zone-other
/sbin/ip6tables -N zone-other
ip6tables: Chain already exists.
/sbin/iptables -N zone-internal
/sbin/ip6tables -N zone-internal
ip6tables: Chain already exists.
/sbin/iptables -A zone-internal -j fpbxsvc-ssh
/sbin/iptables -N fpbxsvc-http
/sbin/ip6tables -N fpbxsvc-http
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-http
/sbin/iptables -A fpbxsvc-http -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-http
/sbin/iptables -N fpbxsvc-https
/sbin/ip6tables -N fpbxsvc-https
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-https
/sbin/iptables -A fpbxsvc-https -p tcp -m tcp --dport 443 -j ACCEPT
/sbin/iptables -A zone-external -j fpbxsvc-https
/sbin/iptables -A zone-internal -j fpbxsvc-https
/sbin/iptables -F fpbxsvc-ucp
/sbin/iptables -A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT
/sbin/iptables -A zone-external -j fpbxsvc-ucp
/sbin/iptables -A zone-other -j fpbxsvc-ucp
/sbin/iptables -A zone-internal -j fpbxsvc-ucp
/sbin/iptables -N fpbxsvc-pjsip
/sbin/ip6tables -N fpbxsvc-pjsip
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-pjsip
/sbin/iptables -A fpbxsvc-pjsip -p udp -m udp --dport 5060 -j ACCEPT
/sbin/iptables -A fpbxsvc-pjsip -p tcp -m tcp --dport 9876 -j ACCEPT
/sbin/iptables -A zone-other -j fpbxsvc-pjsip
/sbin/iptables -A zone-internal -j fpbxsvc-pjsip
/sbin/iptables -N fpbxsvc-chansip
/sbin/ip6tables -N fpbxsvc-chansip
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-chansip
/sbin/iptables -A fpbxsvc-chansip -p udp -m udp --dport 5061 -j ACCEPT
/sbin/iptables -A fpbxsvc-chansip -p tcp -m tcp --dport 9877 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-chansip
/sbin/iptables -N fpbxsvc-iax
/sbin/ip6tables -N fpbxsvc-iax
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-iax
/sbin/iptables -A fpbxsvc-iax -p udp -m udp --dport 4569 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-iax
/sbin/iptables -N fpbxsvc-webrtc
/sbin/ip6tables -N fpbxsvc-webrtc
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-webrtc
/sbin/iptables -A fpbxsvc-webrtc -p tcp -m tcp --dport 8088 -j ACCEPT
/sbin/iptables -A zone-reject -j fpbxsvc-webrtc
/sbin/iptables -N fpbxsvc-provis
/sbin/ip6tables -N fpbxsvc-provis
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-provis
/sbin/iptables -A fpbxsvc-provis -p tcp -m tcp --dport 84 -j ACCEPT
/sbin/iptables -A zone-other -j fpbxsvc-provis
/sbin/iptables -A zone-internal -j fpbxsvc-provis
/sbin/iptables -N fpbxsvc-restapps
/sbin/ip6tables -N fpbxsvc-restapps
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-restapps
/sbin/iptables -A fpbxsvc-restapps -p tcp -m tcp --dport 85 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-restapps
/sbin/iptables -N fpbxsvc-xmpp
/sbin/ip6tables -N fpbxsvc-xmpp
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-xmpp
/sbin/iptables -A fpbxsvc-xmpp -p tcp -m tcp --dport 5222 -j ACCEPT
/sbin/iptables -A zone-external -j fpbxsvc-xmpp
/sbin/iptables -A zone-other -j fpbxsvc-xmpp
/sbin/iptables -A zone-internal -j fpbxsvc-xmpp
/sbin/iptables -N fpbxsvc-ftp
/sbin/ip6tables -N fpbxsvc-ftp
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-ftp
/sbin/iptables -A fpbxsvc-ftp -p tcp -m tcp --dport 21 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-ftp
/sbin/iptables -N fpbxsvc-tftp
/sbin/ip6tables -N fpbxsvc-tftp
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-tftp
/sbin/iptables -A fpbxsvc-tftp -p udp -m udp --dport 69 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-tftp
/sbin/iptables -N fpbxsvc-nfs
/sbin/ip6tables -N fpbxsvc-nfs
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-nfs
/sbin/iptables -A fpbxsvc-nfs -p udp -m udp --dport 2049 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p tcp -m tcp --dport 2049 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p udp -m udp --dport 892 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p udp -m udp --dport 662 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p udp -m udp --dport 32769 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p tcp -m tcp --dport 892 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p tcp -m tcp --dport 662 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p tcp -m tcp --dport 32803 -j ACCEPT
/sbin/iptables -A zone-reject -j fpbxsvc-nfs
/sbin/iptables -N fpbxsvc-smb
/sbin/ip6tables -N fpbxsvc-smb
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-smb
/sbin/iptables -A fpbxsvc-smb -p udp -m udp --dport 137 -j ACCEPT
/sbin/iptables -A fpbxsvc-smb -p udp -m udp --dport 138 -j ACCEPT
/sbin/iptables -A fpbxsvc-smb -p tcp -m tcp --dport 139 -j ACCEPT
/sbin/iptables -A fpbxsvc-smb -p tcp -m tcp --dport 445 -j ACCEPT
/sbin/iptables -A zone-reject -j fpbxsvc-smb
/sbin/iptables -R fpbxfirewall 7 -p udp -m udp --dport 10000:20000 -j ACCEPT
/sbin/iptables -A fpbxsignalling -p udp -m udp --dport 5061 -j MARK --set-xmark 0x1/0x0
/sbin/iptables -A fpbxsignalling -p udp -m udp --dport 5060 -j MARK --set-xmark 0x3/0x0
/sbin/iptables -A fpbxsignalling -p udp -m udp --dport 4569 -j MARK --set-xmark 0x1/0x0
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.5/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.1/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.2/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.4/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.3/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 192.168.15.10/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxregistrations -s 192.168.15.38/32 -j fpbxknownreg
/sbin/iptables -A fpbxregistrations -s 192.168.15.10/32 -j fpbxknownreg
Update complete.
Looping
^C
[root@ipv6 firewall]#
Edit: the 'ip6tables: Chain already exists' is because 'service iptables stop' is dumb, and doesn't clear the ip6tables. Ignore that, if you see it. You can clear it PROPERLY with 'ip6tables -F && ip6tables -X' before restarting the firewall daemon.
In fact, this is my 'testing' command:
iptables -F && iptables -X && ip6tables -F && ip6tables -X && hooks/firewall
That clears both IPv4 and IPv6 firewall tables to a pristine state, and then lets the firewall service recreate them all.
Edit 2: I just discovered that there's an 'ip6tables' service. I hadn't noticed that before. So 'service iptables stop' and then 'service ip6tables stop' would have worked fine.
Wanted to start from clean slate, restarted pbx box. The firewall service did not start automatically. Or at least it is not running.
Going to have to retire for the night. Feel free to suggest more things I can try tomorrow. Post here or direct message.
This firewall does look very promising.
Going to roll it back, and can willingly reinstall tomorrow.
That's correct. It's explicitly NOT set to start up automatically, because if it gets into a state where you're locked out, I want you to be able to reboot the machine to get back into it…
However, I'm going to re-enable that, and publish .6 shortly which WILL start up automatically, and will try to restart the service if it crashes.
Thanks for your testing!
Ah, that would be it then. Are you planning a Debian friendly version? I'm guessing from Make Debian "sysadmin rpm" commercial Modules work that this may not be the case …
Yes. See the second post in this thread.
Rob, She be running nicely now!
Version 13.0.1.9
# Generated by iptables-save v1.4.7 on Wed Sep 23 20:07:39 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1953:813083]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
:fpbxfirewall - [0:0]
:fpbxinterfaces - [0:0]
:fpbxknownreg - [0:0]
:fpbxlogdrop - [0:0]
:fpbxnets - [0:0]
:fpbxregistrations - [0:0]
:fpbxrfw - [0:0]
:fpbxsignalling - [0:0]
:fpbxsmarthosts - [0:0]
:fpbxsvc-chansip - [0:0]
:fpbxsvc-ftp - [0:0]
:fpbxsvc-http - [0:0]
:fpbxsvc-https - [0:0]
:fpbxsvc-iax - [0:0]
:fpbxsvc-nfs - [0:0]
:fpbxsvc-pjsip - [0:0]
:fpbxsvc-provis - [0:0]
:fpbxsvc-restapps - [0:0]
:fpbxsvc-smb - [0:0]
:fpbxsvc-ssh - [0:0]
:fpbxsvc-tftp - [0:0]
:fpbxsvc-ucp - [0:0]
:fpbxsvc-webrtc - [0:0]
:fpbxsvc-xmpp - [0:0]
:zone-external - [0:0]
:zone-internal - [0:0]
:zone-other - [0:0]
:zone-reject - [0:0]
:zone-trusted - [0:0]
-A INPUT -j fpbxfirewall
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
-A fpbxfirewall -i lo -j ACCEPT
-A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fpbxfirewall -p udp -m udp --sport 1:1024 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fpbxfirewall -p icmp -j ACCEPT
-A fpbxfirewall -d 255.255.255.255/32 -j ACCEPT
-A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT
-A fpbxfirewall -p udp -m udp --dport 10000:20000 -j ACCEPT
-A fpbxfirewall -p tcp -m tcp --dport 22 -j ACCEPT
-A fpbxfirewall -j fpbxsignalling
-A fpbxfirewall -j fpbxsmarthosts
-A fpbxfirewall -j fpbxregistrations
-A fpbxfirewall -j fpbxnets
-A fpbxfirewall -j fpbxinterfaces
-A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw
-A fpbxfirewall -j fpbxlogdrop
-A fpbxinterfaces -i eth0 -j zone-trusted
-A fpbxinterfaces -i wlan0 -j zone-trusted
-A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxknownreg -j fpbxsvc-ucp
-A fpbxlogdrop -j LOG --log-prefix "logdrop: "
-A fpbxlogdrop -j REJECT --reject-with icmp-port-unreachable
-A fpbxnets -s 192.xxx.x.xxx/24 -j zone-trusted
-A fpbxnets -s 192.xxx.x.xxx/16 -j zone-trusted
-A fpbxregistrations -s 192.xxx.x.xxx/32 -j fpbxknownreg
-A fpbxregistrations -s 192.xxx.x.xxx/32 -j fpbxknownreg
-A fpbxregistrations -s 192.xxx.x.xxx/32 -j fpbxknownreg
-A fpbxregistrations -s 216.115.69.144/32 -j fpbxknownreg
-A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 11 --name SIGNALLING --rsource -j fpbxlogdrop
-A fpbxrfw -m recent --set --name SIGNALLING --rsource
-A fpbxrfw -m recent --set --name REPEAT --rsource
-A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxlogdrop
-A fpbxrfw -j ACCEPT
-A fpbxsignalling -p udp -m udp --dport 5061 -j MARK --set-xmark 0x3/0x0
-A fpbxsvc-chansip -p udp -m udp --dport 5061 -j ACCEPT
-A fpbxsvc-chansip -p tcp -m tcp --dport 9877 -j ACCEPT
-A fpbxsvc-ftp -p tcp -m tcp --dport 21 -j ACCEPT
-A fpbxsvc-http -p tcp -m tcp --dport 80 -j ACCEPT
-A fpbxsvc-https -p tcp -m tcp --dport 443 -j ACCEPT
-A fpbxsvc-iax -p udp -m udp --dport 4569 -j ACCEPT
-A fpbxsvc-nfs -j RETURN
-A fpbxsvc-pjsip -p udp -m udp --dport 5060 -j ACCEPT
-A fpbxsvc-pjsip -p tcp -m tcp --dport 9876 -j ACCEPT
-A fpbxsvc-provis -p tcp -m tcp --dport 84 -j ACCEPT
-A fpbxsvc-restapps -p tcp -m tcp --dport 85 -j ACCEPT
-A fpbxsvc-smb -p udp -m udp --dport 137 -j ACCEPT
-A fpbxsvc-smb -p udp -m udp --dport 138 -j ACCEPT
-A fpbxsvc-smb -p tcp -m tcp --dport 139 -j ACCEPT
-A fpbxsvc-smb -p tcp -m tcp --dport 445 -j ACCEPT
-A fpbxsvc-ssh -p tcp -m tcp --dport 22 -j ACCEPT
-A fpbxsvc-tftp -p udp -m udp --dport 69 -j ACCEPT
-A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT
-A fpbxsvc-webrtc -p tcp -m tcp --dport 8088 -j ACCEPT
-A fpbxsvc-xmpp -p tcp -m tcp --dport 5222 -j ACCEPT
-A zone-external -j fpbxsvc-xmpp
-A zone-internal -j fpbxsvc-ssh
-A zone-internal -j fpbxsvc-http
-A zone-internal -j fpbxsvc-https
-A zone-internal -j fpbxsvc-ucp
-A zone-internal -j fpbxsvc-pjsip
-A zone-internal -j fpbxsvc-chansip
-A zone-internal -j fpbxsvc-iax
-A zone-internal -j fpbxsvc-provis
-A zone-internal -j fpbxsvc-restapps
-A zone-internal -j fpbxsvc-xmpp
-A zone-internal -j fpbxsvc-ftp
-A zone-internal -j fpbxsvc-tftp
-A zone-other -j fpbxsvc-provis
-A zone-other -j fpbxsvc-xmpp
-A zone-reject -j fpbxsvc-webrtc
-A zone-reject -j fpbxsvc-nfs
-A zone-reject -j fpbxsvc-smb
-A zone-trusted -j ACCEPT
COMMIT
# Completed on Wed Sep 23 20:07:39 2015
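The iptables-save dump above is easiest to sanity-check by asking, per zone-* chain, which ports end up ACCEPTed through the fpbxsvc-* chains it jumps to. The following is an added example, not code from the thread or from the firewall module: it parses iptables-save text and walks the chain graph; the embedded dump is a constructed subset modelled on the one pasted above.

```python
"""Audit an iptables-save dump of FreePBX-style zone/service chains.

Added example (not the firewall module's own code). For every chain named
zone-*, it follows -j jumps into fpbxsvc-* chains and collects the
(protocol, dport) pairs that reach ACCEPT, so you can see at a glance what
each zone exposes. Hypothetical helper names; sample dump is constructed.
"""
import re
from collections import defaultdict

# Constructed subset of an iptables-save dump, modelled on the thread's paste.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:fpbxsvc-https - [0:0]
:fpbxsvc-ssh - [0:0]
:fpbxsvc-ucp - [0:0]
:fpbxsvc-smb - [0:0]
:zone-external - [0:0]
:zone-internal - [0:0]
:zone-reject - [0:0]
-A fpbxsvc-https -p tcp -m tcp --dport 443 -j ACCEPT
-A fpbxsvc-ssh -p tcp -m tcp --dport 22 -j ACCEPT
-A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT
-A fpbxsvc-smb -p udp -m udp --dport 137 -j ACCEPT
-A fpbxsvc-smb -p tcp -m tcp --dport 445 -j ACCEPT
-A zone-external -j fpbxsvc-https
-A zone-external -j fpbxsvc-ucp
-A zone-internal -j fpbxsvc-ssh
-A zone-internal -j fpbxsvc-https
-A zone-reject -j fpbxsvc-smb
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")           # "-A <chain> <rest>"
PORT_RE = re.compile(r"-p (tcp|udp)\b.*--dport (\S+)")
JUMP_RE = re.compile(r"-j (\S+)")


def parse_rules(dump):
    """Return {chain: [(match_text, jump_target_or_None)]} in rule order."""
    chains = defaultdict(list)
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                      # skip *table, :chain, COMMIT, comments
        chain, rest = m.groups()
        j = JUMP_RE.search(rest)
        chains[chain].append((rest, j.group(1) if j else None))
    return chains


def accepted_ports(chains, chain, seen=None):
    """(proto, dport) pairs ACCEPTed by `chain` directly or via jumped-to chains."""
    if seen is None:
        seen = set()
    if chain in seen:                     # guard against chain loops
        return set()
    seen.add(chain)
    ports = set()
    for match, target in chains.get(chain, []):
        if target == "ACCEPT":
            pm = PORT_RE.search(match)
            if pm:
                ports.add((pm.group(1), pm.group(2)))
        elif target in chains:            # user-defined chain: recurse
            ports |= accepted_ports(chains, target, seen)
    return ports


def zone_exposure(dump):
    """Map each zone-* chain to the sorted list of ports it lets through."""
    chains = parse_rules(dump)
    return {z: sorted(accepted_ports(chains, z))
            for z in chains if z.startswith("zone-")}
```

Run it against the output of `iptables-save` on the PBX to confirm that zone-reject and zone-external only reach the service chains you expect.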
I have a sneaking suspicion that I may have messed up here. I was just looking at an Asterisk 11 machine, and that was reporting pjsip being there, and chan_sip listening on port 5061, like that. So I'll have a look at that tomorrow and see if I can figure out what the problem is there.
There's still an ongoing 'Service is crashing and I don't know why' problem, so I'm going to put it in a wrapper that'll love it and hug it and log errors to somewhere sensible.
OK. Still running old chan_sip here.
Hi,
Please see:
http://wiki.freepbx.org/pages/viewpage.action?pageId=33882179
The Voip blacklist support made a massive difference when I put up a test system to see who was attacking it, and what the vulnerabilities were.
The āvanillaā blacklisting was getting regularly hit, as the approach it uses is especially vulnerable on restarts.
I would strongly suggest you add that to your plugin … it is very straightforward.
Thanks.
Yours,
Graham
Yes, sorry, I misunderstood your reply (post 6) to my question (post 5) to mean that Debian was now ok for this.
That's cool. Sorry for the confusion. I've updated the second post to make that clearer!
The good news is, things aren't totally broken!
I've added it to the 'Todo' list, thanks!
Just updated this instance to the latest distro 10.13.66-5, and attempted to enable the firewall and got this error…
Thanks for building this Rob!
Whoops\Exception\ErrorException thrown with message "Invalid argument supplied for foreach()"
Stacktrace:
#4 Whoops\Exception\ErrorException in /var/www/html/admin/modules/firewall/Firewall.class.php:469
#3 Whoops\Run:handleError in /var/www/html/admin/modules/firewall/Firewall.class.php:469
#2 FreePBX\modules\Firewall:isTrusted in /var/www/html/admin/modules/firewall/Firewall.class.php:94
#1 FreePBX\modules\Firewall:showLockoutWarning in /var/www/html/admin/modules/firewall/page.firewall.php:21
#0 include in /var/www/html/admin/config.php:539
Fixed in 13.0.1.13, thanks!
Confirmed fixed - thanks Rob
So can we set that up to accept a connection from a hostname, say from a site that is on a dynamic ISP connection? Currently I have a remote site that is on dynamic and I have to go in and manually change the iptables to allow a new IP address after a reboot. Tried to set it up to change it automatically, but it's still a work in progress.