Freepbx firewall vulnerability

I just realized that when freepbx services are turned off (fwconsole stop), the firewall and fail2ban are also turned off. This allows anyone to access the freepbx webgui login page and to try and login to ssh from the WAN. Is there any workaround to this? We have two freepbx servers in two separate locations that act as master and slave for high availability purposes. When the slave server is in its passive state, freepbx and asterisk are turned off to avoid concurrency issues.

Nope, the firewall is dependent on the services running. Sorry.

Why? How is this “master/slave” set up?

Can freepbx’s firewall and Centos’ firewalld work in unison? i.e. I block SSH and HTTP access on the WAN NIC with firewalld so that even if freepbx services are down, the server is still protected?

That is correct. If you left asterisk running and doing syncing of AstDB, the slave would be sending non-stop BLF and MWI and other messaging stuff, confusing the phones.

We use Telium’s HAAST module. Basically the servers exchange health status. If ever communication is lost or the master’s health degrades enough, the slave turns on asterisk and freepbx services and takes over.

Why would the phones even be registered? They should only do that when there is a failover.

They are not registered from the phone perspective but asterisk on slave thinks they are as the AstDB is synced. So if asterisk is running on slave it will send all the BLF info and MWI from the slave and create issues for phones getting conflicting info from 2 servers.

Ok, well that is not a supported HA solution. On our HA we solved this to make sure firewall is running. I would take this up with the company that sold you the HA solution. That is on them to solve.

Thanks for your help. Is Freepbx ever going to implement an HA solution that allows servers to be geographically dispersed and is safe from syncing corrupted databases?

HAAST does support pre/post scripting using their event handlers located at /usr/local/haast/events/. You can write a simple script to start up a basic firewalld ruleset after it shuts down freepbx on the inactive node and place the script in the asterisk.stop.post event file.

I would approach it from that angle as we also are building out a HA setup using HAAST and have noticed the same issue and plan to resolve it in the same way. You can see an example of using post rules to update IP routes at the following Telium forum post:

http://www.telium.ca/pages/forums/viewtopic.php?t=411
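
The post above suggests starting a basic firewalld ruleset from the asterisk.stop.post event once FreePBX is stopped on the inactive node. One way to write that script, as an added example that is not part of the thread and not Telium's or FreePBX's code: the interface name, admin subnet and peer address are assumptions or constructed values, and the script is assumed to be called with the argument `apply` from the event file (without it, it only prints the commands it would run).

```shell
#!/bin/sh
# Added example: runtime-only firewalld rules for a passive HA node whose
# FreePBX firewall and fail2ban went down with "fwconsole stop".
# Assumed values, adjust all of them: NIC name, admin subnet, peer address.
WAN_IF="${WAN_IF:-eth0}"              # assumed WAN-facing interface
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"  # constructed admin subnet
PEER_IP="${PEER_IP:-198.51.100.10}"   # constructed address of the other HA node
FWCMD="${FWCMD:-firewall-cmd}"
# Only the literal argument "apply" changes the firewall; otherwise print the plan.
if [ "${1:-}" = apply ]; then MODE=apply; else MODE=plan; fi

run() {
    if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

standby_firewall() {
    run systemctl start firewalld || return 1
    # The built-in "drop" zone discards unsolicited inbound traffic on the WAN NIC.
    run "$FWCMD" --zone=drop --change-interface="$WAN_IF" || return 1
    # SSH and the web GUI stay reachable from the admin subnet only.
    for svc in ssh http https; do
        run "$FWCMD" --zone=drop --add-rich-rule="rule family=\"ipv4\" source address=\"$MGMT_NET\" service name=\"$svc\" accept" || return 1
    done
    # Assumption: the health-status exchange with the other node must keep
    # working, so all traffic from the peer address is accepted.
    run "$FWCMD" --zone=drop --add-rich-rule="rule family=\"ipv4\" source address=\"$PEER_IP\" accept" || return 1
    # Fail loudly if the WAN NIC did not end up in the drop zone.
    if [ "$MODE" = apply ]; then
        [ "$("$FWCMD" --get-zone-of-interface="$WAN_IF")" = drop ] || return 1
    fi
}

# Rules are runtime-only (no --permanent), so they vanish when firewalld stops.
# Assumption: firewalld is stopped again before FreePBX services start on failover.
standby_firewall
```
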
