Hardening - local firewall (not freePBX built-in firewall)

iac · May 11, 2025, 1:11pm

As per policy, I have to harden our new freePBX box, and my initial thought is to enable firewalld and drill the following holes in it:

Inbound:
80/tcp (temporarily)
443/tcp
5060-5090/udp
10000-20000/udp
5060-5090/tcp (if I have to, for SRTP)
10000-20000/tcp (if I have to, for SRTP)

Outbound:
vault.centos.org IPs 443/tcp (initially disabled, so just in case?)
mirrorlist.sangoma.net IPs 80/tcp
package1.sangoma.net IPs 80/tcp (initially disabled, so just in case?)
sng7.com IP 80/tcp (initially disabled, so just in case?)

Am I going to break anything if I set firewalld up as per above?

BlazeStudios · May 11, 2025, 1:14pm

RTP is always UDP even when encrypted.

iac · May 11, 2025, 1:15pm

DTLS is UDP:

But I read that TLS requires TCP. Is this incorrect?

BlazeStudios · May 11, 2025, 1:19pm

SRTP and DTLS are not the same thing. When you’re doing SIP over TLS, you want SRTP. Either way, it’s done over UDP.

iac · May 11, 2025, 1:20pm

If SRTP is UDP just lke DTLS is, then I am golden. Thanks!

iac · May 11, 2025, 1:29pm

When I enabled firewalld and proceeded to add rules, I got this:

Broadcast message from [email protected] (Sun May 11 09:25:59 2025):

Firewall Rules corrupted! Restarting in 5 seconds
More information available in /var/log/asterisk/firewall.log

Broadcast message from [email protected] (Sun May 11 09:26:11 2025):

Firewall service now starting.

What does this mean? Are my rules being rejected/reverted?

I’ve done many firewalls in Linux but never saw anything like this. Is this due to CentOS using a very old vesion of firewalld or is there another reason?

BlazeStudios · May 11, 2025, 1:32pm

What does the log file tell you?

iac · May 11, 2025, 1:39pm

1000s of things. Are you able to narrow down records that I should be looking for?

BlazeStudios · May 11, 2025, 1:51pm

How about between

Broadcast message from [email protected] (Sun May 11 09:25:59 2025):

and

Broadcast message from [email protected] (Sun May 11 09:26:11 2025):

Those look like a good place to start since that’s about the time that error was thrown.

iac · May 11, 2025, 1:56pm

It looks like firewalld is so old on CentOS 7 that it does not support policies.
This box will have to be rebuilt from scratch on Debian 12. I can go home now. This weekend was well wasted

system · May 18, 2025, 1:57pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.