How To Disable All External Traffic Except Whitelist? Firewalld Throwing iptables Error

firewall

(Jake Hassings) #1

Hello, I’ve recently begun updating FreePBX systems from 13 to 15 (distro) and on our own custom rolled systems, we use firewalld so it’s trivial to only allow traffic from a specific source, i.e. IP(s). However, in SNG7, I can’t seem to find a way to disable all external access except the whitelisted / “trusted networks”. I’ve tried disabling the adaptive firewall, but I’m still seeing a decent amount of traffic coming through (on the FPBX dashboard), about 10kbps avg.

So, what’s the standard way for blocking all traffic except for whitelist IP source? Is there a way to use firewalld (i.e. before traffic even reaches FPBX’s firewall) without iptables/freepbx internal firewall conflict?

I did search the forums and documentation, but I found a lot of conflicting answers and a few possible solutions (like disabling “responsive firewall”) that seemed to not limit all traffic.

Thanks!


(Lorne Gaetz) #2

Wiki: https://wiki.freepbx.org/pages/viewpage.action?pageId=52068473
Video: Open Source Pro Tips #2 - Firewall Basics


(Jake Hassings) #3

Hi @lgaetz, thanks for the links. So I found:

How do I reject traffic?
All traffic that isn’t explicitly allowed is already rejected. This firewall implements a ‘deny by default’ rule. More information is on the Firewall Zones page. In addition there is a blacklist which can be populated with hosts, see the ‘Blacklist’ tab on

I’ve disabled all services that I can, yet, I’m still seeing incoming traffic on ntop… so what gives?

Additionally, why can’t I “reject” SSH service traffic? I suppose setting to local is fine, just a bit strange that reject is not an option.


(Dave Burgess) #4

This should be the case regardless of the firewall you implement. The firewall operates in promiscuous mode, so the connections to the firewall get processed and rejected.

What kind of incoming traffic are you seeing?