FreePBX Firewall Thread! (2nd Post has status)


(D Rubie) #101


I like the 5 minute delay so you don’t lock yourself out of your system…it’s a simple approach. The problem I had did not lock me out of the system…because the firewall wizard ran after an update and I always placed my IP address in the trusted zone, also the Ethernet interface was set to trusted.

With both of these failsafes turned on I was able to ssh to the server and turn off iptables to reset everything. What was happening is that only ip addresses that were trusted were allowed to register/sign on the system. As I said version 13.0.6 fixed whatever was causing that issue.

I will run the update to get the 5 min delay…because who knows what can happen.


(Rob Thomas) #102

I found a system that had managed to - somehow - get itself confused enough that the firewall rules were half there, and half not there.

The good news is, I now know what to look for, and it’ll self-heal if that happens again!

I’ve got a good feeling about 13.0.9!

(Lorne Gaetz) #103

Just got this message:

Firewall Rules corrupted! Restarting in 5 seconds

Explains a few mysteries…

(Rob Thomas) #104

I’d love to know WHAT’S breaking iptables. 8-\

Edit: If you look in /tmp/firewall.log, it’ll say what’s missing - either interfaces or rtp ports, and ipv4 or ipv6.


Just want to be sure I’m not missing something… So the new 5-minute “Safe Mode” means that anyone launching a DDOS attack that crashes your server gets a free pass through your firewall after it reboots? What’s safe about that??

(TheJames) #106

Glad to see such a respected member of the community is testing out beta software and working to improve the user experience. All feedback is valuable and helps us improve. This is the great thing about the open source community. Please test out your theory and let us know what happens. If things do not work as expected please feel free to file a bug report at with steps to reproduce your results. As always the code is available on github if you would like to provide any patches. Patches are always welcome.


Works exactly as expected. Server crashes. Server reboots. Bad guys get a 5-minute free pass through the disabled firewall. Glad you have a sense of humor about it… so far.

(TheJames) #108

How did you make the server crash? Can you provide steps to reproduce this attack vector?

(Rob Thomas) #109

After an insanely obvious suggestion by @SysAdminMan I’m now not letting you install the firewall module if the sysadmin RPM isn’t installed. facepalm. Sorry for being dumb. That and a couple of other things makes 13.0.10. Which I’m feeling REALLY good about.

Edit: Another fix in 13.0.11 was some bad chan_sip detection.


Hi Rob

Edit - Just saw you made the code change with the 1000 default. Many thanks!


Hi Rob

Actually, I’m still seeing an error about /proc/timer_list (failed to open stream).


I think it just needs to check it exists before trying to open here?

    public function getCurrentJiffie() {
        $jf = file("/proc/timer_list", \FILE_IGNORE_NEW_LINES); // warns "failed to open stream" if the file is absent or unreadable
        // Find the first entry that is 'jiffies: ' and return it
        foreach ($jf as $l) {
            if (strpos(trim($l), "jiffies: ") === 0) { return (int) substr(trim($l), 9); }
        }
        return false;
    }

Also, even when bypassing that warning I don’t see the firewall start after 5 minutes (even though the message in the GUI about being disabled for the first 5 minutes disappears). Please could you point me to how the firewall is getting started so I can check if this is specific to me or a general thing. The firewall rules do actually get applied if I enable/disable the firewall in the GUI, so it is working OK I think, just not getting started after the 5 minute period.

One last thought … it seems during those first 5 minutes any default firewall rules are left in place. There’s a chance, depending on what rules were in place before the FreePBX firewall was enabled, the user could still find themselves locked out.

If it’s decided to have this 5 minute “open” period it’s probably a good idea to actively ACCEPT and flush any rules.

Thanks - Matt
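The “actively ACCEPT and flush” step suggested above, written out as an added example (this is not FreePBX or the firewall module’s own code): it sets accept-all policies on the filter chains before flushing, so a leftover DROP policy from firewalld or a distro ruleset can never be the only thing in force during the grace period. It assumes the `filter`, `nat` and `mangle` tables exist, leaves `raw`/`security` untouched, and `DRY_RUN=1` prints the commands instead of running them so the sequence can be reviewed on a host without root.

```shell
#!/bin/sh
# Added example, not FreePBX code: open the packet filter completely for the
# safe-mode grace period so that rules left over from a previous firewall
# (firewalld, a distro default ruleset) cannot lock the admin out.
# DRY_RUN=1 prints each command instead of executing it.
# Assumption: the filter, nat and mangle tables exist; raw/security untouched.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: open_for_safe_mode iptables   (or ip6tables for the v6 ruleset)
open_for_safe_mode() {
    ipt="$1"
    # Accept-all policies first: flushing with a DROP policy still in place
    # would leave the box unreachable until the policy is changed.
    for chain in INPUT FORWARD OUTPUT; do
        run "$ipt" -t filter -P "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        run "$ipt" -t "$table" -F   # flush every rule in the table
        run "$ipt" -t "$table" -X   # drop now-empty user chains (e.g. zone-* chains)
    done
}

# Number of commands a dry run would issue; useful for checking the sequence.
count_safe_mode_cmds() {
    DRY_RUN=1 open_for_safe_mode "$1" | wc -l | tr -d ' '
}
```

Run it once for `iptables` and once for `ip6tables`, since the thread notes the module tracks IPv4 and IPv6 rules separately; the module’s own rules are then re-applied when the grace period ends.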

(Andrew Nagy) #112

If you manually modify any code in the firewall it won’t start. Just FYI.


Ah, ok, thanks Andrew. I’ll wait to see if Rob pushes out a fix for the issue I’m having with timer_list and see if the firewall starts normally after that.

Thanks - Matt
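For the `/proc/timer_list` warning discussed in the two posts above, here is an added example (not the firewall module’s code) of the same jiffies lookup done with the existence/readability check in front of the read: a missing file, or one the web-server user cannot read, produces a clean non-zero return instead of a “failed to open stream” warning. The sample file contents are constructed in the shape of `/proc/timer_list`, not a real capture.

```shell
#!/bin/sh
# Added example, not FreePBX code: read the kernel jiffies counter the way
# getCurrentJiffie() does, but check the file before opening it.
# Usage: current_jiffie [path]   (path defaults to /proc/timer_list)

current_jiffie() {
    src="${1:-/proc/timer_list}"
    # Guard: /proc/timer_list may be absent on some kernels, or readable only by root
    if [ ! -r "$src" ]; then
        echo "current_jiffie: $src is missing or not readable" >&2
        return 1
    fi
    # First line whose first field is "jiffies:", leading whitespace ignored
    awk '$1 == "jiffies:" { print $2; exit }' "$src"
}

# Constructed sample in the shape of /proc/timer_list (not a real capture);
# prints the path of the temporary file it wrote.
make_sample_timer_list() {
    f=$(mktemp)
    printf 'Timer List Version: v0.8\nHRTIMER_MAX_CLOCK_BASES: 8\nnow at 123456789012 nsecs\n\ncpu: 0\n  clock 0:\n  .hres_active    : 1\n  jiffies: 4295123456\n  .get_time:      ktime_get\n' > "$f"
    printf '%s\n' "$f"
}
```

The check mirrors the suggestion in the thread: test `is_readable` (here `-r`) first, then parse; treating an unreadable file as “no value” lets the caller fall back rather than abort the firewall start.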

(Adam Kayden) #114

is this firewall going to work with HA ?

(xp) #116

FYI Rob,

Wouldn’t it be possible to create a check box or switch named “Add all registered IPs to Other zone”? This could eliminate the need to add a separate zone called register. This would effectively add a target rule in the fpbxknownreg chain that will go to the zone-other chain, which can run any extra or custom services to allow the registered IPs in. This eliminates the need for a whole lot of extra work, and at least is a place to start until smarter people than I have a better idea of what to do. (Unless said idea is already being worked on, then I’ll just stop talking. :slight_smile: And if that is the case my feature request/bug report can be deleted -

-Jon, Xpedeus


Hello. I just installed the latest FreePBX 13.0 on centos 7 per the wiki here: and ran into the following when trying to install the module from the webui:

Exception: Hook file '/var/spool/asterisk/incron/firewall.firewall' was not picked up by Incron after 5 seconds. Is it not running?  

    if (!$deleted) {
        throw new \Exception("Hook file '$filename' was not picked up by Incron after 5 seconds. Is it not running?");
    }

and the related callstack information:







This shows up when I now try to load the landing page. My systemctl status for incrond is as follows:

[root@pbx ~]# systemctl status incrond
● incrond.service - Inotify System Scheduler
Loaded: loaded (/usr/lib/systemd/system/incrond.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2016-06-16 22:25:01 PDT; 16min ago
Process: 908 ExecStart=/usr/sbin/incrond (code=exited, status=0/SUCCESS)
Main PID: 915 (incrond)
CGroup: /system.slice/incrond.service
└─915 /usr/sbin/incrond

Jun 16 22:25:01 incrond[915]: loading table local
Jun 16 22:25:01 incrond[915]: loading table sysadmin
Jun 16 22:25:01 incrond[915]: loading user tables
Jun 16 22:25:01 incrond[915]: loading table for user root
Jun 16 22:25:01 incrond[915]: ready to process filesystem events
Jun 16 22:25:01 systemd[1]: Started Inotify System Scheduler.
Jun 16 22:25:20 incrond[915]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.firewall)
Jun 16 22:25:42 incrond[915]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.firewall)
Jun 16 22:34:47 incrond[915]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.firewall)
Jun 16 22:40:54 incrond[915]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.firewall)

I had also been having issues with firewalld and extensions trying to register timing out, but resolved the timeout issues when stopping and disabling firewalld. Obviously, I’d rather not have the firewall be down but I was testing to make sure I installed everything else correctly and in the process found that my yate client running in the same subnet can only register with my Centos 7 FreePBX system when firewalld is stopped. I installed the module in hopes of fixing this but installing the module led to my now not being able to access the ui at all.

I had also installed sysadmin using yum install since the module admin was warning me regarding having sysadmin rpm installed prior to installing the firewall module and I’m not sure if this did irreversible damage to the system.

I tried to run “fwconsole uninstall firewall” and when following that with “fwconsole restart” and loading the webui, I’d get:


System Admin
Copyright 2016 by Schmoozecom, Inc., All rights reserved

By installing, copying, downloading, distributing, inspecting or using
the materials provided herewith, you agree to all of the terms of use as
outlined in our End User Agreement which can be found and reviewed at

I had tried yum removing sysadmin as well and I still get the same message from the documentroot of the webui.

At this point, I’d be more than OK with reverting back to a working version and wait for a version of the module that will run with CentOS 7 but can’t find info on this.

Thank you.

(Andrew Nagy) #118

Sysadmin, which firewall requires, only works on the freepbx distro.

(Rob Thomas) #119

There are other requirements, such as a compatible zend loader, which all stem from the need of a secure manner of being able to do stuff as root from the webui.

However, I’ll be making sure that Firewall works perfectly with the new C7 based distro, when it’s released.


in the meantime, is there any advice for a civilian like myself on how to revert to what I had before so that I can regain access to the webui…that is, outside of reinstalling freepbx? I may also opt for disabling firewalld and migrate the rules to the iptables service if that’s not ill-advised. Thanks!


Upon doing a bit of reading, I’m just a bit confused. According to the firewall entry in the wiki here:, “The Firewall module is a 100% Free Open Source Module, licenced under the AGPL v3. The code is hosted on with a mirror on GitHub for your convenience. Pull requests are welcome!”. And it requires

is a RPM package that allows secure privilege escalation in limited
circumstances. Firewall requires this to alter the system iptables
rules. This RPM is installed on most modern RPM-based distros.
Currently there is no method for privilege escalation without this
package. Support for non-rpm-based operating systems is on hold until
this issue is resolved.”

But I’ve been reading that sysadmin is a commercial module which depends on Zend guard loader and more so that any component that requires it is only commercially available.

I just wanted to get some clarity on this before I find out that I’m spending all this time on a firewall that I, as a non-commercial user, will never have access to. Thanks.