FreePBX Firewall Thread! (2nd Post has status)

You should be able to add a hostname as a network, and assign it to a zone. That’s not documented all that well, and, now I think about it, I didn’t actually test that :sunglasses:

That’s the IDEA, at least. Try it?

–Rob

Excellent - I will give it a test. Thanks!

1 Like

Well, I’ve finished my first stab at the documentation!

http://wiki.freepbx.org/display/FPG/Firewall

14 has some pretty significant changes, and for those that are actually running this, the easiest thing to do is to reboot your machine after you install 14. That will completely regenerate the firewall rules.

If you don’t want to, you’ll need to disable the firewall (by clicking on the ‘disable firewall’ button in the module - it won’t delete any of your settings), then reset the iptables rules with these commands:

    service iptables stop
    service ip6tables stop

Then, when you click ‘enable’, all the firewall rules will be correctly regenerated.

Rob

For clarification: in the future, after this goes stable, you won't need to do that after upgrades.

1 Like

Installed the new firewall and locked myself out! I was using a port other than 22 for ssh so wasn’t able to ssh in. Fortunately it was on a hosted server so I was able to get in and use the vnc console to change the port back to 22.

Guessing we would use the Services > Custom Services to allow a specific port for something like that? (when it's completed)

This attempt to hack in - would something like this be normal to see in the responsive firewall?

    -- Executing [7011972597633694@from-sip-external:1] NoOp("SIP/1.2.3.4-00000000", "Received incoming SIP connection from unknown peer to 7011972597633694") in new stack
    [2015-09-29 10:19:43] WARNING[2678][C-00000000]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 212.83.186.3"

SSH port should be detected based on what you have set up in the ssh config file on your server.

I was locked out - once I went in and changed it in sshd and restarted I was able to gain access through ssh using port 22. Maybe it’s changed in the latest release?

Was just reporting what I found…

How had you changed the port? It should auto-detect your SSH port.

It should have also been complaining that you didn’t have a Trusted host or Network (which should be the machine you’re coming from, but I don’t insist on that, I just check to make sure that you’ve defined A trusted host or network)

Yes. But you’d only see a couple of attempts before they are blocked.

I’ve tried to explain it here:

http://wiki.freepbx.org/display/FPG/Responsive+Firewall

Changed the ssh port number in /etc/ssh/sshd_config

When I went back into that file and changed the port back to 22, I was able to ssh in.

On the responsive firewall, that IP address continued to attempt to connect - but it has since stopped, so maybe there was one other setting I missed.

Also, I don’t appear to be able to add a host name - the error says it is not a valid IP address.

Ah. I think I found my problem there.

    // Service definition for SSH. The port is hardcoded to 22 here, which is why
    // a box running sshd on another port gets locked out once the firewall is on.
    private function getSvc_ssh() {
        // TODO: Check /etc/ssh/sshd_config
        $retarr = array(
            "name" => _("SSH"),                // display name (gettext-translated)
            "defzones" => array("internal"),   // zones the service is opened in by default
            "descr" => _("SSH is the most commonly used system administration tool. It is also a common target for hackers. We strongly recommend using a strong password and SSH keys."),
            "fw" => array(array("protocol" => "tcp", "port" => 22)),   // the only rule: tcp/22
            "noreject" => true,
        );
        return $retarr;
    }

I’ll fix that today, thanks!

Edit: Aaah. I see why I haven’t done that yet. It’s a root-only file.

Where, exactly, is it not allowing you to enter a hostname? In networks? I may be overenthusiastic with my checks.

I probably need to rename that tab from ‘Networks’ to something else, too.

Edit later: OK, so I had a think about how to do this, as the Web UI doesn’t have permission to read that file, but the firewalld DOES. So I displayed a warning about it, instead:

What do you think of that?
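As an added example (my own code, not FreePBX's or Rob's), here is how the root-side daemon that can read the file could detect the SSH port(s) instead of hardcoding 22; the only thing taken from the thread is the `fw` entry shape, and the `Include` directive of newer OpenSSH releases is assumed out of scope.

```php
<?php
// Added example, not FreePBX code: read the ports sshd listens on from
// sshd_config so the SSH service rule opens the real port, not a hardcoded 22.
// Handles several "Port" lines, "ListenAddress host:port" (plain or [v6]:port),
// comments, and an unreadable file (the unprivileged web UI case), where it
// falls back to 22 and returns a warning instead of failing silently.
// Not handled (assumption): "Include" directives from newer OpenSSH releases.
function detectSshPorts($path = '/etc/ssh/sshd_config') {
    if (!is_readable($path)) {
        return array('ports' => array(22),
                     'warning' => "Cannot read $path; assuming SSH on port 22");
    }
    $ports = array();
    foreach (file($path, FILE_IGNORE_NEW_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                               // blank line or comment
        }
        if (preg_match('/^Match\b/i', $line)) {
            break;                                  // Port is global-only; stop at first Match
        }
        if (preg_match('/^Port\s+(\d+)\s*$/i', $line, $m)) {
            $ports[] = (int)$m[1];
        } elseif (preg_match('/^ListenAddress\s+(?:\[[^\]]+\]|[^:\s\[]+):(\d+)\s*$/i', $line, $m)) {
            $ports[] = (int)$m[1];                  // address:port form pins a port too
        }
    }
    $ports = array_values(array_unique($ports));
    return array('ports' => $ports ?: array(22),    // sshd default when nothing is set
                 'warning' => null);
}

// Build the "fw" entries used by the service definition from the detected ports.
function sshFirewallRules(array $ports) {
    $fw = array();
    foreach ($ports as $p) {
        $fw[] = array('protocol' => 'tcp', 'port' => $p);
    }
    return $fw;
}

// Constructed sample config to exercise the parser offline.
$sample = tempnam(sys_get_temp_dir(), 'sshd');
file_put_contents($sample, "# Port 22\nPort 2222\nListenAddress 10.0.0.5:2200\n"
    . "ListenAddress ::1\nMatch User bob\n    PasswordAuthentication no\n");
$result = detectSshPorts($sample);
unlink($sample);
print_r(sshFirewallRules($result['ports']));       // tcp/2222 and tcp/2200
```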

Rob, got this on the FreePBX dashboard today for my network adapter on my box. Not sure what it is recommending…my eth0 is set to trusted. What should it be? Internal?

Trusted Interface Detected

A network interface that is assigned to the ‘Trusted’ zone has been detected.
This is a misconfiguration, possibly by the addition of a new Network Interface.
To ensure your system is protected from attacks, please change the default zone of interface eth0.

Yes. ‘Trusted’ shouldn’t be used for an INTERFACE, only a NETWORK (or Host). Otherwise, it kinda defeats the entire purpose of the firewall 8)

Yikes. Not sure if that was like that all along. My bad. Is there a default zone set for eth0 on install?

Somewhat unrelated/related, where do I go to see banned IPs? Intrusion Detection in Admin Pro module?

Yep, it defaults to Trusted. This is so if your machine decides that it’s got a NEW network interface, you aren’t locked out. However, it yells about it, so you know to get in and fix it!

Still have to do that, which will hopefully be today. I’m probably going to have a new ‘Status’ page or something, with those things on it, and move the Port Detection to there, too.

Thanks. I re-read your text descriptions on the page. Makes sense. Don’t know why I didn’t comprehend it before. I stay up too late. Ha!

To save the zone for the interface, it looks like I have to use the yellow pencil icon.

1 Like

Yeah. I’ve actually got a ticket open about that, it’s not the right button. I’m going to use Green Tick, instead.

Edit: Fixed in 1.15

Here’s a snapshot of the status page I’m working on. It’s extremely unfinished, but it’s my Daughter’s 10th birthday tomorrow, so I kinda have to actually go off and be a daddy :sunglasses:

Edit: Poo. Just noticed ‘UNFLITERED’ there. Whoops.

Confirmed the SSH port issue is fixed. Changed the port to something other than 22 and then was able to get access via SSH. Looked in the /tmp/firewall.log and could see it was added into the new rules.

The notice on the Port/Service Maps tab was a little confusing at first - but the message stating it was expected helps.

Also the latest update seems to be keeping settings properly. It appeared to me that the Interfaces and Networks settings weren’t being retained - went back into those settings after going to Dashboard, and they didn’t seem to be keeping them as I set them. I wasn’t sure if it was something I was doing, so by the time I got back to further testing you already had a new update out.

Regarding not able to add a host - I attempted to allow a hostname as a trusted network as I thought that was something that the firewall would allow. Clicked Zones > Networks then tried to add a hostname, but it was expecting an IP address only. You did mention in an earlier post

Other than that, your project is coming along very nicely - thanks for the effort!

1 Like