I am attempting to lock down our PBX via iptables using a whitelist-only access policy.
However, when I did this, FreePBX could no longer communicate to Asterisk, and things like fwconsole, etc would not function.
What ports does FreePBX require to be unlocked, and also what interface does it use to connect locally?
That has nothing to do with iptables. However, if you just use FreePBX firewall, it’s already whitelist only, by default.
It had to have been iptables, as I set a policy of -P INPUT DROP / -P OUTPUT DROP, and FreePBX Panel would not function, as well as fwconsole would simply freeze and throw errors of fwrite/fopen. Once I disabled those policies it functioned as expected.
I am running on CentOS 7.2 on Linode.com and it does not support sysadmin-rpm, so I cannot use FreePBX Firewall.
If you have a default policy of drop and you don’t allow localhost, loopback, and all the other standard settings, nothing will work.
I allowed ‘lo’, and our offices IP, and our Trunks IPs. The purpose of this post is to get the ‘other standard settings’ that FreePBX requires so I may whitelist only.
I remember talking to someone about this and they were using the network address (192.168.0.x) for all of their “internal” connections (like from the FreePBX manager interface). If you do that, then in addition to whitelisting localhost, you have to allow the “local host via the network” as well.
I was hoping for documentation somewhere that says something like:
‘FreePBX makes connections via 127.0.0.1 on ports 111/222/333/444’
You should whitelist the loopback. There are way too many things to list, and they change all the time. Localhost should always be whitelisted through anything.
I’m not saying that locking the system down tight is wrong, but not allowing all connections from 127.0.0.1 is probably a little overly constrictive. If the server is that compromised, you have far bigger problems than Asterisk.
In answer to your actual question (in case you DO want to do that), you can use the “netstat” command (with options) to find out what is running
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You need at least those. I strongly urge you to look at the Firewall code, at least, to get an idea of what ports are used.
You can see the default rules here: http://git.freepbx.org/projects/FREEPBX/repos/firewall/browse/drivers/Iptables.class.php#1140
Note that all of the ports FreePBX uses are set by you. So asking that question is just the same as asking YOURSELF ‘what ports did I set everything to use?’
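Added example, not from this thread or from the FreePBX project: a script that builds a whitelist-only ruleset (default DROP on INPUT and OUTPUT) in iptables-restore format for a FreePBX/Asterisk host, covering the two rules above plus the OUTPUT-side equivalents that an OUTPUT DROP policy also needs. The office range, trunk addresses and ports are assumptions (RFC 5737 documentation addresses, stock Asterisk/FreePBX ports); substitute whatever you configured. `build_ruleset`, `ruleset_has` and `sanity_check` are helper names invented for this example.

```shell
#!/bin/sh
# Added example (not FreePBX project code): generate a whitelist-only ruleset for a
# FreePBX/Asterisk host with default DROP on INPUT and OUTPUT, in iptables-restore
# format. Addresses are assumptions (RFC 5737 documentation ranges); ports are the
# stock Asterisk/FreePBX defaults. Substitute whatever you actually configured.
#
# First confirm what is listening and on which address:   ss -tulpn   (or netstat -tulpn)
# Apply:   sh firewall.sh print | iptables-restore --test && sh firewall.sh print | iptables-restore
# Persist: sh firewall.sh print > /etc/sysconfig/iptables   (CentOS 7 iptables-services)

OFFICE_NETS="${OFFICE_NETS:-203.0.113.0/24}"                 # assumed office range
TRUNK_HOSTS="${TRUNK_HOSTS:-198.51.100.10 198.51.100.11}"     # assumed SIP trunk providers
ADMIN_PORTS="${ADMIN_PORTS:-22,80,443}"   # SSH and the FreePBX web UI, office only
SIP_PORTS="${SIP_PORTS:-5060,5061}"       # chan_sip / pjsip defaults
RTP_RANGE="${RTP_RANGE:-10000:20000}"     # rtp.conf default rtpstart/rtpend

build_ruleset() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT DROP [0:0]'

  # 1. Loopback, both chains. FreePBX reaches Asterisk (AMI), MySQL and fwconsole
  #    over 127.0.0.1; an OUTPUT DROP policy without the second rule breaks them.
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A OUTPUT -o lo -j ACCEPT'

  # 2. Connection tracking: return traffic for anything accepted below, in both
  #    directions, and drop packets conntrack cannot classify.
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'

  # 3. Office networks: administration plus SIP signalling and RTP media.
  #    RTP is a separate UDP flow that the PBX may initiate, so OUTPUT needs
  #    explicit rules as well; ESTABLISHED alone does not cover it.
  for net in $OFFICE_NETS; do
    echo "-A INPUT -s $net -p tcp -m multiport --dports $ADMIN_PORTS -j ACCEPT"
    for proto in udp tcp; do
      echo "-A INPUT -s $net -p $proto -m multiport --dports $SIP_PORTS -j ACCEPT"
      echo "-A OUTPUT -d $net -p $proto -m multiport --dports $SIP_PORTS -j ACCEPT"
    done
    echo "-A INPUT -s $net -p udp --dport $RTP_RANGE -j ACCEPT"
    echo "-A OUTPUT -d $net -p udp --dport $RTP_RANGE -j ACCEPT"
  done

  # 4. Trunk providers: SIP and RTP only, never the admin ports.
  for host in $TRUNK_HOSTS; do
    echo "-A INPUT -s $host -p udp -m multiport --dports $SIP_PORTS -j ACCEPT"
    echo "-A OUTPUT -d $host -p udp -m multiport --dports $SIP_PORTS -j ACCEPT"
    echo "-A INPUT -s $host -p udp --dport $RTP_RANGE -j ACCEPT"
    echo "-A OUTPUT -d $host -p udp --dport $RTP_RANGE -j ACCEPT"
  done

  # 5. Outbound services the box itself needs: DNS, NTP, and HTTP(S) for yum and
  #    FreePBX module updates. Add -d for your resolvers/mirrors if you know them.
  echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
  echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
  echo '-A OUTPUT -p udp --dport 123 -j ACCEPT'
  echo '-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'

  # 6. Log what falls through, so a missing "standard setting" shows up in
  #    /var/log/messages instead of as a silent fwconsole hang.
  echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "'
  echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "'
  echo 'COMMIT'
}

# Exact-line check: does the generated ruleset contain the rule given as $1?
ruleset_has() {
  build_ruleset | grep -qxF -- "$1"
}

# Refuse to emit a ruleset that would lock the PBX out of itself.
sanity_check() {
  ruleset_has '-A INPUT -i lo -j ACCEPT' &&
  ruleset_has '-A OUTPUT -o lo -j ACCEPT' &&
  ruleset_has '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' &&
  ruleset_has '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

case "${1:-}" in
  print) sanity_check && build_ruleset ;;
esac
```

Run it with `iptables-restore --test` first, and keep a console session (Linode Lish) open when you load it for real: with OUTPUT DROP, a missing rule tends to show up as a frozen fwconsole rather than an obvious error, which is what the LOG rules at the end are for.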
Thank you xrobau, I did have lo, but not the state policy. I haven’t changed anything from the default port settings, so that’s why I was hopeful someone had done this before and had it handy.
I wonder if anyone would know how to get the Firewall/sysadmin-rpm running on:
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.2.1511 (Core)
would save me the headache of doing all of this by hand
Sorry, no chance at all 8-\
I’d recommend that you just use FreePBX Distro on a normal VM host (eg, Vultr or something like that – If you use this link to sign up with Vultr, I get some credit. This is nothing to do with FreePBX, that’s my own personal account), or a professional cloud hosting place. https://cloud.pbxact.com/ is the new shiny Sangoma one, or, any of the others on the FreePBX Hosting Partners page.
We’re already operating on Linode (http://linode.com) I just haven’t gone through the paces of uploading the Distro.
People have had HUGE amounts of problems because Linode don’t support installation from an ISO without hacks and workarounds. Which is why I recommend Vultr.
Unfortunately that’s the exact reason I haven’t gone through it, in order to do it I have to spin it up locally on a VM, then do a rsync copy to a Linode running in recovery mode. But they’ve switched to KVM from Xen so it should be less of a pain.
Oooooor you could just use my vultr link which people seem to have no problems with at all, whatsoever [Again, full disclosure, that’s an affiliate link, so if you sign up using it, I get a few bucks credit, and is not related to the FreePBX project at all]
Last time I checked, it was cheaper, too?
Not anymore, Linode just doubled all their resources for same price, $20 plan is now $10. I think I’ll give it a try.
Why not use the FreePBX hosting at freepbxhosting.com which is part of the FreePBX project and are hosted systems designed just for FreePBX
Or look at our PBXact UCC cloud solution.
Compliance issues in our industry and for our clients, unfortunately. Not to mention we have some modification for a cloud based recordings platform we developed among other things.
Sweet on your modifications on the recording stuff. Can we please get these submitted back for all users to enjoy. The beauty of OpenSource is for everyone to have access to these changes and for others to benefit.