FreePBX Firewall Thread! (2nd Post has status)

Negatory on ps auxww | grep firewall, does not return results as expected.

Awesome. That means it crashed... And I don't have any logging about WHY it crashed.

You can start it up again by doing this (as root)

php /var/www/html/admin/modules/firewall/hooks/firewall &> /tmp/firewall.log &

OK. Got it running now. Will try again.

It would have immediately updated the firewall rules. If you have a look at the /tmp/firewall.log file, you should see a bunch of iptables commands

firewall.log is 0 bytes.

That's strange. Try it without the logging. You may need to type 'fg' and then push ^C to kill the current firewall process.

So just run php /var/www/html/admin/modules/firewall/hooks/firewall

This is what you should see, roughly:

[root@ipv6 firewall]# ps auxww | grep firew
root 31812 0.0 0.0 103244 844 pts/0 S+ 04:49 0:00 grep firew
[root@ipv6 firewall]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[root@ipv6 firewall]# hooks/firewall
Starting firewall service
/sbin/iptables -N fpbxfirewall
/sbin/ip6tables -N fpbxfirewall
ip6tables: Chain already exists.
/sbin/iptables -I INPUT -j fpbxfirewall
/sbin/ip6tables -I INPUT -j fpbxfirewall
/sbin/ip6tables -A fpbxfirewall -i lo -j ACCEPT
/sbin/iptables -A fpbxfirewall -i lo -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p udp --sport 1:1024 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A fpbxfirewall -p udp --sport 1:1024 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A fpbxfirewall -p icmp -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p ipv6-icmp -j ACCEPT
/sbin/iptables -A fpbxfirewall -d 255.255.255.255/32 -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT
/sbin/iptables -A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p udp -m udp --dport 67:68 --sport 67:68 -j ACCEPT
/sbin/iptables -A fpbxfirewall -p udp -m udp --dport 67:68 --sport 67:68 -j ACCEPT
/sbin/ip6tables -A fpbxfirewall -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A fpbxfirewall -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -N fpbxsignalling
/sbin/ip6tables -N fpbxsignalling
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxsignalling
/sbin/iptables -A fpbxfirewall -j fpbxsignalling
/sbin/iptables -N fpbxsmarthosts
/sbin/ip6tables -N fpbxsmarthosts
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxsmarthosts
/sbin/iptables -A fpbxfirewall -j fpbxsmarthosts
/sbin/iptables -N fpbxregistrations
/sbin/ip6tables -N fpbxregistrations
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxregistrations
/sbin/iptables -A fpbxfirewall -j fpbxregistrations
/sbin/iptables -N fpbxnets
/sbin/ip6tables -N fpbxnets
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxnets
/sbin/iptables -A fpbxfirewall -j fpbxnets
/sbin/iptables -N fpbxinterfaces
/sbin/ip6tables -N fpbxinterfaces
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxinterfaces
/sbin/iptables -A fpbxfirewall -j fpbxinterfaces
/sbin/iptables -N fpbxrfw
/sbin/ip6tables -N fpbxrfw
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw
/sbin/iptables -A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw
/sbin/iptables -N fpbxlogdrop
/sbin/ip6tables -N fpbxlogdrop
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxfirewall -j fpbxlogdrop
/sbin/iptables -A fpbxfirewall -j fpbxlogdrop
/sbin/iptables -N zone-trusted
/sbin/ip6tables -N zone-trusted
ip6tables: Chain already exists.
/sbin/ip6tables -A zone-trusted -j ACCEPT
/sbin/iptables -A zone-trusted -j ACCEPT
/sbin/ip6tables -A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 11 --name SIGNALLING --rsource -j fpbxlogdrop
/sbin/iptables -A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 11 --name SIGNALLING --rsource -j fpbxlogdrop
/sbin/ip6tables -A fpbxrfw -m recent --set --name SIGNALLING --rsource
/sbin/iptables -A fpbxrfw -m recent --set --name SIGNALLING --rsource
/sbin/ip6tables -A fpbxrfw -m recent --set --name REPEAT --rsource
/sbin/iptables -A fpbxrfw -m recent --set --name REPEAT --rsource
/sbin/ip6tables -A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxlogdrop
/sbin/iptables -A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxlogdrop
/sbin/ip6tables -A fpbxrfw -j ACCEPT
/sbin/iptables -A fpbxrfw -j ACCEPT
/sbin/ip6tables -A fpbxlogdrop -j LOG --log-prefix 'logdrop: '
/sbin/iptables -A fpbxlogdrop -j LOG --log-prefix 'logdrop: '
/sbin/ip6tables -A fpbxlogdrop -j REJECT
/sbin/iptables -A fpbxlogdrop -j REJECT
/sbin/iptables -N fpbxknownreg
/sbin/ip6tables -N fpbxknownreg
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -N fpbxsvc-ucp
/sbin/ip6tables -N fpbxsvc-ucp
ip6tables: Chain already exists.
/sbin/ip6tables -A fpbxknownreg -j fpbxsvc-ucp
/sbin/iptables -A fpbxknownreg -j fpbxsvc-ucp
/sbin/ip6tables -D fpbxinterfaces 1
/sbin/ip6tables -A fpbxinterfaces -i eth0 -j zone-trusted
/sbin/iptables -A fpbxinterfaces -i eth0 -j zone-trusted
Looping
Starting update
/sbin/iptables -N fpbxsvc-ssh
/sbin/ip6tables -N fpbxsvc-ssh
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-ssh
/sbin/iptables -A fpbxsvc-ssh -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -N zone-reject
/sbin/ip6tables -N zone-reject
ip6tables: Chain already exists.
/sbin/iptables -N zone-external
/sbin/ip6tables -N zone-external
ip6tables: Chain already exists.
/sbin/iptables -N zone-other
/sbin/ip6tables -N zone-other
ip6tables: Chain already exists.
/sbin/iptables -N zone-internal
/sbin/ip6tables -N zone-internal
ip6tables: Chain already exists.
/sbin/iptables -A zone-internal -j fpbxsvc-ssh
/sbin/iptables -N fpbxsvc-http
/sbin/ip6tables -N fpbxsvc-http
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-http
/sbin/iptables -A fpbxsvc-http -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-http
/sbin/iptables -N fpbxsvc-https
/sbin/ip6tables -N fpbxsvc-https
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-https
/sbin/iptables -A fpbxsvc-https -p tcp -m tcp --dport 443 -j ACCEPT
/sbin/iptables -A zone-external -j fpbxsvc-https
/sbin/iptables -A zone-internal -j fpbxsvc-https
/sbin/iptables -F fpbxsvc-ucp
/sbin/iptables -A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT
/sbin/iptables -A zone-external -j fpbxsvc-ucp
/sbin/iptables -A zone-other -j fpbxsvc-ucp
/sbin/iptables -A zone-internal -j fpbxsvc-ucp
/sbin/iptables -N fpbxsvc-pjsip
/sbin/ip6tables -N fpbxsvc-pjsip
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-pjsip
/sbin/iptables -A fpbxsvc-pjsip -p udp -m udp --dport 5060 -j ACCEPT
/sbin/iptables -A fpbxsvc-pjsip -p tcp -m tcp --dport 9876 -j ACCEPT
/sbin/iptables -A zone-other -j fpbxsvc-pjsip
/sbin/iptables -A zone-internal -j fpbxsvc-pjsip
/sbin/iptables -N fpbxsvc-chansip
/sbin/ip6tables -N fpbxsvc-chansip
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-chansip
/sbin/iptables -A fpbxsvc-chansip -p udp -m udp --dport 5061 -j ACCEPT
/sbin/iptables -A fpbxsvc-chansip -p tcp -m tcp --dport 9877 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-chansip
/sbin/iptables -N fpbxsvc-iax
/sbin/ip6tables -N fpbxsvc-iax
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-iax
/sbin/iptables -A fpbxsvc-iax -p udp -m udp --dport 4569 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-iax
/sbin/iptables -N fpbxsvc-webrtc
/sbin/ip6tables -N fpbxsvc-webrtc
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-webrtc
/sbin/iptables -A fpbxsvc-webrtc -p tcp -m tcp --dport 8088 -j ACCEPT
/sbin/iptables -A zone-reject -j fpbxsvc-webrtc
/sbin/iptables -N fpbxsvc-provis
/sbin/ip6tables -N fpbxsvc-provis
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-provis
/sbin/iptables -A fpbxsvc-provis -p tcp -m tcp --dport 84 -j ACCEPT
/sbin/iptables -A zone-other -j fpbxsvc-provis
/sbin/iptables -A zone-internal -j fpbxsvc-provis
/sbin/iptables -N fpbxsvc-restapps
/sbin/ip6tables -N fpbxsvc-restapps
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-restapps
/sbin/iptables -A fpbxsvc-restapps -p tcp -m tcp --dport 85 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-restapps
/sbin/iptables -N fpbxsvc-xmpp
/sbin/ip6tables -N fpbxsvc-xmpp
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-xmpp
/sbin/iptables -A fpbxsvc-xmpp -p tcp -m tcp --dport 5222 -j ACCEPT
/sbin/iptables -A zone-external -j fpbxsvc-xmpp
/sbin/iptables -A zone-other -j fpbxsvc-xmpp
/sbin/iptables -A zone-internal -j fpbxsvc-xmpp
/sbin/iptables -N fpbxsvc-ftp
/sbin/ip6tables -N fpbxsvc-ftp
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-ftp
/sbin/iptables -A fpbxsvc-ftp -p tcp -m tcp --dport 21 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-ftp
/sbin/iptables -N fpbxsvc-tftp
/sbin/ip6tables -N fpbxsvc-tftp
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-tftp
/sbin/iptables -A fpbxsvc-tftp -p udp -m udp --dport 69 -j ACCEPT
/sbin/iptables -A zone-internal -j fpbxsvc-tftp
/sbin/iptables -N fpbxsvc-nfs
/sbin/ip6tables -N fpbxsvc-nfs
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-nfs
/sbin/iptables -A fpbxsvc-nfs -p udp -m udp --dport 2049 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p tcp -m tcp --dport 2049 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p udp -m udp --dport 892 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p udp -m udp --dport 662 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p udp -m udp --dport 32769 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p tcp -m tcp --dport 892 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p tcp -m tcp --dport 662 -j ACCEPT
/sbin/iptables -A fpbxsvc-nfs -p tcp -m tcp --dport 32803 -j ACCEPT
/sbin/iptables -A zone-reject -j fpbxsvc-nfs
/sbin/iptables -N fpbxsvc-smb
/sbin/ip6tables -N fpbxsvc-smb
ip6tables: Chain already exists.
/sbin/iptables -F fpbxsvc-smb
/sbin/iptables -A fpbxsvc-smb -p udp -m udp --dport 137 -j ACCEPT
/sbin/iptables -A fpbxsvc-smb -p udp -m udp --dport 138 -j ACCEPT
/sbin/iptables -A fpbxsvc-smb -p tcp -m tcp --dport 139 -j ACCEPT
/sbin/iptables -A fpbxsvc-smb -p tcp -m tcp --dport 445 -j ACCEPT
/sbin/iptables -A zone-reject -j fpbxsvc-smb
/sbin/iptables -R fpbxfirewall 7 -p udp -m udp --dport 10000:20000 -j ACCEPT
/sbin/iptables -A fpbxsignalling -p udp -m udp --dport 5061 -j MARK --set-xmark 0x1/0x0
/sbin/iptables -A fpbxsignalling -p udp -m udp --dport 5060 -j MARK --set-xmark 0x3/0x0
/sbin/iptables -A fpbxsignalling -p udp -m udp --dport 4569 -j MARK --set-xmark 0x1/0x0
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.5/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.1/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.2/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.4/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 202.43.66.3/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxsmarthosts -s 192.168.15.10/32 -m mark --mark 0x1/0x1 -j ACCEPT
/sbin/iptables -A fpbxregistrations -s 192.168.15.38/32 -j fpbxknownreg
/sbin/iptables -A fpbxregistrations -s 192.168.15.10/32 -j fpbxknownreg
Update complete.
Looping
^C
[root@ipv6 firewall]#

Edit: the 'ip6tables: Chain already exists' is because 'service iptables stop' is dumb, and doesn't clear the ip6tables. Ignore that, if you see it. You can clear it PROPERLY with 'ip6tables -F && ip6tables -X' before restarting the firewall daemon.

In fact, this is my 'testing' command:

'iptables -F && iptables -X && ip6tables -F && ip6tables -X && hooks/firewall'

That clears both IPv4 and IPv6 firewall tables to a pristine state, and then lets the firewall service recreate them all.

Edit 2: I just discovered that there's an 'ip6tables' service. I hadn't noticed that before. So 'service iptables stop' and then 'service ip6tables stop' would have worked fine.

Wanted to start from clean slate, restarted pbx box. The firewall service did not start automatically. Or at least it is not running.

Going to have to retire for the night. Feel free to suggest more things I can try tomorrow. Post here or direct message.

This firewall does look very promising.

Going to roll it back, and can willingly reinstall tomorrow.

That's correct. It's explicitly NOT set to start up automatically, because if it gets into a state where you're locked out, I want you to be able to reboot the machine to get back into it...

However, I'm going to re-enable that, and publish .6 shortly which WILL start up automatically, and will try to restart the service if it crashes.

Thanks for your testing!

Ah, that would be it then. Are you planning a Debian friendly version? I'm guessing from Make Debian "sysadmin rpm" commercial Modules work that this may not be the case ...

Yes. See the second post in this thread.

Rob, She be running nicely now!

Version 13.0.1.9

 # Generated by iptables-save v1.4.7 on Wed Sep 23 20:07:39 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1953:813083]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
:fpbxfirewall - [0:0]
:fpbxinterfaces - [0:0]
:fpbxknownreg - [0:0]
:fpbxlogdrop - [0:0]
:fpbxnets - [0:0]
:fpbxregistrations - [0:0]
:fpbxrfw - [0:0]
:fpbxsignalling - [0:0]
:fpbxsmarthosts - [0:0]
:fpbxsvc-chansip - [0:0]
:fpbxsvc-ftp - [0:0]
:fpbxsvc-http - [0:0]
:fpbxsvc-https - [0:0]
:fpbxsvc-iax - [0:0]
:fpbxsvc-nfs - [0:0]
:fpbxsvc-pjsip - [0:0]
:fpbxsvc-provis - [0:0]
:fpbxsvc-restapps - [0:0]
:fpbxsvc-smb - [0:0]
:fpbxsvc-ssh - [0:0]
:fpbxsvc-tftp - [0:0]
:fpbxsvc-ucp - [0:0]
:fpbxsvc-webrtc - [0:0]
:fpbxsvc-xmpp - [0:0]
:zone-external - [0:0]
:zone-internal - [0:0]
:zone-other - [0:0]
:zone-reject - [0:0]
:zone-trusted - [0:0]
-A INPUT -j fpbxfirewall
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
-A fpbxfirewall -i lo -j ACCEPT
-A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fpbxfirewall -p udp -m udp --sport 1:1024 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fpbxfirewall -p icmp -j ACCEPT
-A fpbxfirewall -d 255.255.255.255/32 -j ACCEPT
-A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT
-A fpbxfirewall -p udp -m udp --dport 10000:20000 -j ACCEPT
-A fpbxfirewall -p tcp -m tcp --dport 22 -j ACCEPT
-A fpbxfirewall -j fpbxsignalling
-A fpbxfirewall -j fpbxsmarthosts
-A fpbxfirewall -j fpbxregistrations
-A fpbxfirewall -j fpbxnets
-A fpbxfirewall -j fpbxinterfaces
-A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw
-A fpbxfirewall -j fpbxlogdrop
-A fpbxinterfaces -i eth0 -j zone-trusted
-A fpbxinterfaces -i wlan0 -j zone-trusted
-A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxknownreg -j fpbxsvc-ucp
-A fpbxlogdrop -j LOG --log-prefix "logdrop: "
-A fpbxlogdrop -j REJECT --reject-with icmp-port-unreachable
-A fpbxnets -s 192.xxx.x.xxx/24 -j zone-trusted
-A fpbxnets -s 192.xxx.x.xxx/16 -j zone-trusted
-A fpbxregistrations -s 192.xxx.x.xxx/32 -j fpbxknownreg
-A fpbxregistrations -s 192.xxx.x.xxx/32 -j fpbxknownreg
-A fpbxregistrations -s 192.xxx.x.xxx/32 -j fpbxknownreg
-A fpbxregistrations -s 216.115.69.144/32 -j fpbxknownreg
-A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 11 --name SIGNALLING --rsource -j fpbxlogdrop
-A fpbxrfw -m recent --set --name SIGNALLING --rsource
-A fpbxrfw -m recent --set --name REPEAT --rsource
-A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxlogdrop
-A fpbxrfw -j ACCEPT
-A fpbxsignalling -p udp -m udp --dport 5061 -j MARK --set-xmark 0x3/0x0
-A fpbxsvc-chansip -p udp -m udp --dport 5061 -j ACCEPT
-A fpbxsvc-chansip -p tcp -m tcp --dport 9877 -j ACCEPT
-A fpbxsvc-ftp -p tcp -m tcp --dport 21 -j ACCEPT
-A fpbxsvc-http -p tcp -m tcp --dport 80 -j ACCEPT
-A fpbxsvc-https -p tcp -m tcp --dport 443 -j ACCEPT
-A fpbxsvc-iax -p udp -m udp --dport 4569 -j ACCEPT
-A fpbxsvc-nfs -j RETURN
-A fpbxsvc-pjsip -p udp -m udp --dport 5060 -j ACCEPT
-A fpbxsvc-pjsip -p tcp -m tcp --dport 9876 -j ACCEPT
-A fpbxsvc-provis -p tcp -m tcp --dport 84 -j ACCEPT
-A fpbxsvc-restapps -p tcp -m tcp --dport 85 -j ACCEPT
-A fpbxsvc-smb -p udp -m udp --dport 137 -j ACCEPT
-A fpbxsvc-smb -p udp -m udp --dport 138 -j ACCEPT
-A fpbxsvc-smb -p tcp -m tcp --dport 139 -j ACCEPT
-A fpbxsvc-smb -p tcp -m tcp --dport 445 -j ACCEPT
-A fpbxsvc-ssh -p tcp -m tcp --dport 22 -j ACCEPT
-A fpbxsvc-tftp -p udp -m udp --dport 69 -j ACCEPT
-A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT
-A fpbxsvc-webrtc -p tcp -m tcp --dport 8088 -j ACCEPT
-A fpbxsvc-xmpp -p tcp -m tcp --dport 5222 -j ACCEPT
-A zone-external -j fpbxsvc-xmpp
-A zone-internal -j fpbxsvc-ssh
-A zone-internal -j fpbxsvc-http
-A zone-internal -j fpbxsvc-https
-A zone-internal -j fpbxsvc-ucp
-A zone-internal -j fpbxsvc-pjsip
-A zone-internal -j fpbxsvc-chansip
-A zone-internal -j fpbxsvc-iax
-A zone-internal -j fpbxsvc-provis
-A zone-internal -j fpbxsvc-restapps
-A zone-internal -j fpbxsvc-xmpp
-A zone-internal -j fpbxsvc-ftp
-A zone-internal -j fpbxsvc-tftp
-A zone-other -j fpbxsvc-provis
-A zone-other -j fpbxsvc-xmpp
-A zone-reject -j fpbxsvc-webrtc
-A zone-reject -j fpbxsvc-nfs
-A zone-reject -j fpbxsvc-smb
-A zone-trusted -j ACCEPT
COMMIT
# Completed on Wed Sep 23 20:07:39 2015
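An added check, not part of the original posts or of the FreePBX firewall module: in the dump above, INPUT's first rule jumps unconditionally to fpbxfirewall, which ends in fpbxlogdrop (LOG, then REJECT), so the fail2ban jumps listed after it in INPUT are never evaluated. The sketch below finds such shadowed rules in `iptables-save` output; the function names are hypothetical, the sample is abridged from the posted dump, and `-g` (goto) rules are not modelled.

```python
import shlex

# Abridged from the iptables-save dump posted above (most rules omitted).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
:fpbxfirewall - [0:0]
:fpbxlogdrop - [0:0]
:fpbxsignalling - [0:0]
-A INPUT -j fpbxfirewall
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A fail2ban-SSH -j RETURN
-A fpbxfirewall -i lo -j ACCEPT
-A fpbxfirewall -p tcp -m tcp --dport 22 -j ACCEPT
-A fpbxfirewall -j fpbxsignalling
-A fpbxfirewall -j fpbxlogdrop
-A fpbxlogdrop -j LOG --log-prefix "logdrop: "
-A fpbxlogdrop -j REJECT --reject-with icmp-port-unreachable
-A fpbxsignalling -p udp -m udp --dport 5061 -j MARK --set-xmark 0x3/0x0
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end rule traversal


def parse_rules(dump):
    """Map chain name -> ordered list of (match_tokens, target, raw_line)."""
    chains = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            if "-j" in tok:
                j = tok.index("-j")
                matches, target = tok[2:j], tok[j + 1]
            else:  # rule with no target, e.g. a bare "-m recent --set"
                matches, target = tok[2:], None
            chains.setdefault(tok[1], []).append((matches, target, line))
    return chains


def always_verdict(chain, chains, stack=()):
    """True if every packet entering `chain` gets a final verdict inside it."""
    if chain in stack:  # guard against jump loops
        return False
    for matches, target, _ in chains.get(chain, []):
        if target == "RETURN":
            return False  # conservative: some packets may leave the chain
        if matches:
            continue  # conditional rule, not every packet hits it
        if target in TERMINAL:
            return True
        if target in chains and always_verdict(target, chains, stack + (chain,)):
            return True
    return False


def shadowed_rules(chain, chains):
    """Rules in `chain` placed after an unconditional rule that never returns."""
    rules = chains.get(chain, [])
    for i, (matches, target, _) in enumerate(rules):
        if matches:
            continue
        if target in TERMINAL | {"RETURN"} or always_verdict(target, chains):
            return [raw for _, _, raw in rules[i + 1:]]
    return []


if __name__ == "__main__":
    for raw in shadowed_rules("INPUT", parse_rules(SAMPLE)):
        print("never evaluated:", raw)
```

Run against a full dump with `shadowed_rules("INPUT", parse_rules(open(path).read()))`, where `path` is a saved `iptables-save` file.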

I have a sneaking suspicion that I may have messed up here. I was just looking at an Asterisk 11 machine, and that was reporting pjsip being there, and chan_sip listening on port 5061, like that. So I'll have a look at that tomorrow and see if I can figure out what the problem is there.

There's still an ongoing 'Service is crashing and I don't know why' problem, so I'm going to put it in a wrapper that'll love it and hug it and log errors to somewhere sensible :sunglasses:

OK. Still running old chan_sip here.

Hi,

Please see:
http://wiki.freepbx.org/pages/viewpage.action?pageId=33882179

The Voip blacklist support made a massive difference when I put up a test system to see who was attacking it, and what the vulnerabilities were.

The 'vanilla' blacklisting was getting regularly hit, as the approach it uses is especially vulnerable on restarts.

I would strongly suggest you add that to your plugin ... it is very straightforward.

Thanks.

Yours,

Graham

Yes, sorry, I misunderstood your reply (post 6) to my question (post 5) to mean that Debian was now ok for this.


That's cool. Sorry for the confusion :sunglasses: I've updated the second post to make that clearer!

The good news is, things aren't totally broken!

I've added it to the 'Todo' list, thanks!

Just updated this instance to the latest distro 10.13.66-5, and attempted to enable the firewall and got this error...

Thanks for building this Rob!

Whoops\Exception\ErrorException thrown with message "Invalid argument supplied for foreach()"

Stacktrace:
#4 Whoops\Exception\ErrorException in /var/www/html/admin/modules/firewall/Firewall.class.php:469
#3 Whoops\Run:handleError in /var/www/html/admin/modules/firewall/Firewall.class.php:469
#2 FreePBX\modules\Firewall:isTrusted in /var/www/html/admin/modules/firewall/Firewall.class.php:94
#1 FreePBX\modules\Firewall:showLockoutWarning in /var/www/html/admin/modules/firewall/page.firewall.php:21
#0 include in /var/www/html/admin/config.php:539


Fixed in 13.0.1.13, thanks!

Confirmed fixed - thanks Rob

So can we set that up to accept a connection from a hostname - say from a site that is on a dynamic ISP connection? Currently I have a remote site that is on dynamic and I have to go in and manually change the iptables to allow a new IP address after a reboot. Tried to set it up to change it automatically, but it's still a work in progress :smile: