FreePBX Firewall


(Paul Bennett) #1

After using FreePBX for several years now we have finally decided to take the plunge and start using the built-in Firewall. Currently we do everything from our Sophos firewall. We operate on a WAN and 1 system takes care of 200+ endpoints, with a handful of extensions overseas.
Before we pull the trigger, are there any dos and don'ts we need to consider before doing this?


(Paul Bennett) #2

Circling back to this. When I enable the firewall and open everything up we get bombarded with anonymous call attempts… And I mean bombarded. If I turn off Anonymous calls and SIP Guests, after about 5 mins we are unable to make or receive any calls. If I call my direct line from my cell I get a Verizon message saying the number I'm calling is not in service… Anyone got any ideas?


(Defcomllc) #3

Default PJSIP bind port?? I would change it, that's what I did and those attempts stopped. I don't use any default ports… I changed them all to high numbers in the 40k-50k range. You have Responsive Firewall and Intrusion Detection both turned on? Set your interface and networks correctly to the right zones?

I'm running Untangle NG Firewall with my FreePBX boxes behind it with Firewall turned on…


(Greg Snover) #4

Exposed boxes should always have Anon and Guests turned off - that’s a given.

When you enable the firewall, your traffic should go DOWN not up.

Like you, I have not until recently used the Firewall - instead I stuck all my boxes behind SonicWALLs and controlled access from there.

But having finally taken the plunge, I really like it - my guess is you have your interfaces misconfigured, and turning on the firewall with the interfaces in the wrong zone is what is leading to more hacking.

Re-Run the wizard and make sure the Internet-Facing interface (if there is more than one) is configured as Internet Zone:

[image]

Post back when you have re-run the wizard.

P.S. - I actually still have my SonicWALLs in front of the boxes - but I am ALSO using the built-in firewall - Belt-And-Suspenders!


(Paul Bennett) #5

We still have ours behind a Sophos too… I do have my PBX in there as the default… But we have Comcast Business as our service provider and there is a Comcast-run Adtran in there also.
So for example my interface is, say, 10.10.100.10/24, which is my FreePBX.
The Adtran has an IP of 10.10.100.12. I have that IP just as a whitelisted IP in the intrusion detection. The wizard never picked that up anywhere.


(Greg Snover) #6

That seems right to me, but I am a Firewall-Noobie so perhaps someone from Sangoma can weigh in - it just seems weird that when you turn it on, hacking goes up?

I don’t get that if it is properly configured.


(Scristopher7) #7

Is the Adtran providing a PRI/T1 connection to your PBX or a SIP trunk?
Were you using custom iptables rules before trying to use the Sangoma firewall?
If you were using custom iptables rules before and switched to the Sangoma firewall and have Responsive Firewall enabled, then that would explain the excess traffic you are seeing to a degree.

If I turn off Anonymous calls and SIP Guests after about 5 mins we are unable to make or receive any calls

This somewhat indicates a misconfiguration in your setup somewhere with your provider unless you absolutely need to accept these, but I am willing to bet that the Adtran is supplying a PRI to your phone system, so that might be the reason why it is set up this way. I would see if Comcast could ditch the Adtran and just do a SIP trunk to you. Though I could be wrong; if so I would recommend getting some logs and pasting them in the pastebin.
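The last reply asks for logs, and the earlier posts turn on whether the rejected calls are coming from random internet sources (the anonymous-call flood) or from the trusted Comcast gateway (which would point at a trunk misconfiguration rather than an attack). The following script is an added example and not part of the thread or of FreePBX itself: it summarises "extension not found" rejections per source address from Asterisk log lines and flags any that originate from a trusted gateway. The log lines are constructed samples modelled on Asterisk's PJSIP and chan_sip rejection messages, and the trusted-gateway address 10.10.100.12 is taken from the thread; both are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or FreePBX). Summarises rejected inbound
# call attempts per source address from Asterisk log lines, then flags any
# rejections that came from a trusted trunk gateway, since those indicate a
# trunk/context misconfiguration rather than an external scanner.

# Assumed trusted gateway list; 10.10.100.12 is the Adtran address from the thread.
TRUSTED_GATEWAYS="10.10.100.12"

# Constructed sample log lines modelled on Asterisk's rejection messages.
# The PJSIP form carries "(UDP:ip:port)", the chan_sip form just "(ip:port)".
sample_log() {
cat <<'EOF'
[2024-01-01 10:00:01] NOTICE[1234] res_pjsip_session.c: Call from '' (UDP:203.0.113.5:5060) to extension '900011972555' rejected because extension not found in context 'from-sip-external'.
[2024-01-01 10:00:02] NOTICE[1234] res_pjsip_session.c: Call from '' (UDP:203.0.113.5:5060) to extension '901011972555' rejected because extension not found in context 'from-sip-external'.
[2024-01-01 10:00:03] NOTICE[1234] res_pjsip_session.c: Call from '' (UDP:203.0.113.5:5060) to extension '902011972555' rejected because extension not found in context 'from-sip-external'.
[2024-01-01 10:00:04] NOTICE[1234] chan_sip.c: Call from '' (198.51.100.77:5062) to extension '1000' rejected because extension not found in context 'from-sip-external'.
[2024-01-01 10:00:05] NOTICE[1234] chan_sip.c: Call from '' (198.51.100.77:5062) to extension '1001' rejected because extension not found in context 'from-sip-external'.
[2024-01-01 10:00:06] NOTICE[1234] res_pjsip_session.c: Call from '' (UDP:10.10.100.12:5060) to extension '5551234567' rejected because extension not found in context 'from-sip-external'.
[2024-01-01 10:00:07] VERBOSE[1234] pbx.c: Executing [1000@from-internal:1] NoOp("PJSIP/1000-00000001", "") in new stack
EOF
}

# Reads log lines on stdin and prints "count ip" lines, busiest source first.
summarize_rejections() {
    grep 'rejected because extension not found' \
      | sed -nE 's/.*\(((UDP|TCP|TLS):)?([0-9.]+):[0-9]+\).*/\3/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Reads "count ip" lines on stdin and reports any source that is a trusted
# gateway: rejected calls from the trunk mean the inbound context/route is
# wrong, not that the firewall is letting attackers in.
flag_trusted_sources() {
    while read -r count ip; do
        for gw in $TRUSTED_GATEWAYS; do
            if [ "$ip" = "$gw" ]; then
                echo "TRUSTED-SOURCE-REJECTED $ip ($count attempts)"
            fi
        done
    done
    :
}

# Stand-alone run over the constructed sample.
sample_log | summarize_rejections
sample_log | summarize_rejections | flag_trusted_sources
```

To use it against a real box, replace `sample_log` with `cat /var/log/asterisk/full` (the default FreePBX log path is an assumption; check the Asterisk logger settings). The top of the summary shows which addresses the Responsive Firewall should be rate-limiting, while any TRUSTED-SOURCE-REJECTED line says the provider's gateway is hitting a context that does not route its calls, which matches the symptom of inbound calls failing once Anonymous and Guest calls are turned off.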