How do I open one port to external IP in responsive firewall?

I have a shared database and want to connect 2 servers. Both are running the integrated responsive firewall. I need to open port 3306 on the shared database server so that the other machine can access it. Adding the IP as 111.222.333.444/32 as a trusted zone works but seems a bit overkill to allow all traffic when I just want to allow one port. Is there a better way?

In order to keep things manageable for the user, the FreePBX Firewall generally treats things either as ‘internal’ to allow access or ‘external’ which filters access. But the Firewall has a third category for atypical situations such as this called ‘Other’. For your database service, you can add a custom service to Services, Custom Service tab on the target PBX, fill out the necessary details, then set that service to ‘Other’. Then you add the connecting host(s) to the Zones, Networks tab, and classify the host as ‘Other’.

OK. Thanks. I did that.
Port 3306 now shows as filtered when I do a port scan from outside and seems to accept connections only from the connecting host in the Zones, Network tab.

I see UCP is accessible from external connections. How would I allow access to another CP panel from the outside without exposing everything? E.g. once an IP is qualified as a SIP client we could also allow CP panel access to the same IP.

You can’t. If responsive is enabled, once a client successfully registers through responsive, the client IP is whitelisted for all services (UCP and provisioning); you can’t pick and choose.

OK, but it’s not working like that currently. At the moment I can only access the FreePBX GUI from my whitelisted IP. I cannot access it from a site where SIP phones have registered.

What are the settings to open the https port ONLY to registered SIP customers? Currently "Services, Web Management (Secure)" is set to internal, so I guess it’s blocking all outside connections. Should I set it to other or external, or did I misunderstand and it’s a totally different setting?

Lorne was incorrect on that. When a phone gets registered, only access to SIP ports, phone provisioning and UCP is allowed from that IP. Nothing else. It’s not hookable at this time from the GUI to allow other services, but it’s open source, so take a look at the code and add and contribute back. We thought about setting permissions in User Manager for picking per user or group what other services would be opened for that IP, but never got around to adding that feature in firewall.

I would love to but it’s beyond my capabilities. I may open a feature request with a bounty if we can’t find a work around.

If I hadn’t opened port 3306 as OTHER to our shared server, I could probably change the “web management (secure)” service to OTHER and manually add known IPs that way, but now it would also give them access to port 3306 if I understand correctly.

That is correct if you moved that to Other. Also, you would have to update it every time their IP changed.

Mea culpa. If you need Admin access from unknown hosts without allowing world access, maybe you want to VPN.

How about simply adding a VirtualHost on say port 12467 and pointing it to our custom CP? Then open that port in the firewall for external. Would that work?

# custom CP: listen on a dedicated port and serve the panel from its own document root
Listen 12467
<VirtualHost *:12467>
    DocumentRoot /var/www/html/customCP
</VirtualHost>
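As an added example (not part of the thread, and not FreePBX’s own configuration), here is what the VirtualHost in the post above looks like when the web server itself also limits who can reach the custom CP, so that opening port 12467 as External in the firewall does not expose the panel to every address on the internet. The port, the DocumentRoot, the certificate and htpasswd paths, the log paths and the 203.0.113.10 / 198.51.100.0/24 addresses are all assumed placeholders; the Require/RequireAll syntax is Apache 2.4.

```apache
# Custom control panel on its own port (added example; port and paths are assumed)
Listen 12467 https

<VirtualHost *:12467>
    DocumentRoot /var/www/html/customCP

    # Serve the panel only over TLS; certificate paths are placeholders
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/customcp.crt
    SSLCertificateKeyFile /etc/pki/tls/private/customcp.key

    <Directory /var/www/html/customCP>
        # Second layer behind the firewall zone: only the listed source
        # addresses (constructed examples) may reach the panel, and a
        # request from one of them must still carry valid credentials.
        # Anything else is answered with 403 and logged.
        AuthType Basic
        AuthName "Custom CP"
        AuthUserFile /etc/httpd/customcp.htpasswd
        <RequireAll>
            Require ip 203.0.113.10 198.51.100.0/24
            Require valid-user
        </RequireAll>
    </Directory>

    # Separate logs make rejected attempts on this port easy to review
    ErrorLog  /var/log/httpd/customcp_error.log
    CustomLog /var/log/httpd/customcp_access.log combined
</VirtualHost>
```

Port 12467 still has to be added as a custom service in the firewall and assigned to whatever zone the poster chooses; the Apache rules only narrow what that zone can reach. The trade-off is the same one discussed earlier in the thread: the allowed addresses are static, so they need updating whenever a client’s IP changes.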