Iptables keeps blocking our remote user dynamic IPs. How to understand why?

I’ve read a lot of posts on this forum indicating that remote users with dynamic IPs frequently get blocked by the Responsive Firewall; unfortunately, I’m not seeing much in the way of analysis of logs or solutions. I’m seeing people whitelisting IPs until they get blocked again, rinse and repeat.

We luckily had very verbose logs (9GB in /var/log), so I have quite a bit of info to go on… Hope someone who understands how the responsive firewall works can help us to understand why, in our particular case, an IP was banned (it happens every week or two).

Note: In /var/messages I found the iptables rules and in /var/log/asterisk I found the logs for ChallengeSent and SuccessfulAuth.

The pattern I see for all VoIP phones is ChallengeSent by the server to the phone, followed by a SuccessfulAuth. But the last entries I see in the logs for this IP before an outage was reported were ChallengeSent for about 10 minutes without a SuccessfulAuth. After a couple of minutes I see (2:51 am):

/sbin/iptables -w5 -W10000 -D fpbxregistrations -s xxx.xxx.xxx.xx/32 -j fpbxknownreg

We received a reported outage at 11am.

Sometime after, the IP was whitelisted (Connectivity → Firewall → Networks and add the IP) and the phone started working (don’t know exact time).

In the logs I see at 1:05 pm a ChallengeSent followed by SuccessfulAuth, and a few seconds later the following command:

/sbin/iptables -w5 -W10000 -A fpbxregistrations -s XXX.XXX.XXX.XXX/32 -j fpbxknownreg

Can anyone with knowledge of the firewall help me to understand why, given these events, the firewall would block the IP?

I’m going to run the iptables -D command on my IP, then disconnect my phone, and I expect to see ChallengeSent repeatedly with no response; then it will be interesting to see if my phone IP gets blocked in an attempt to reproduce this. I’m wondering if people are losing network connection or unplugging their phones for privacy and it’s causing their IP to be blocked potentially, but just a theory without much understanding…
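One way to line up the two logs described in the post above, as an added example that is not part of the original post and is not FreePBX's own code: for every add or delete on the fpbxregistrations chain, it reports how many ChallengeSent events for that IP had gone without a SuccessfulAuth and for how long. The sample lines are constructed and abbreviated, the address is a documentation IP, and the timestamp prefix on the iptables lines is an assumption.

```python
import re
from datetime import datetime

# Constructed sample data (not from the poster's system). Security lines are an
# abbreviated form of Asterisk's security log; the timestamp prefix on the
# iptables lines is an assumption, so adjust IPT_RE to your syslog format.
def _sec(ts, ev):
    return (f'[{ts}] SECURITY[2114] res_security_log.c: SecurityEvent="{ev}",'
            f'Service="PJSIP",RemoteAddress="IPV4/UDP/198.51.100.7/5060"')
def _ipt(ts, op):
    return (f'{ts} /sbin/iptables -w5 -W10000 -{op} fpbxregistrations '
            f'-s 198.51.100.7/32 -j fpbxknownreg')

SAMPLE = [  # both logs merged in time order, which correlate() relies on
    _sec("2024-01-10 02:39:50", "ChallengeSent"),
    _sec("2024-01-10 02:39:50", "SuccessfulAuth"),
    _sec("2024-01-10 02:41:00", "ChallengeSent"),
    _sec("2024-01-10 02:46:00", "ChallengeSent"),
    _sec("2024-01-10 02:50:30", "ChallengeSent"),
    _ipt("2024-01-10 02:51:10", "D"),
    _sec("2024-01-10 13:05:00", "ChallengeSent"),
    _sec("2024-01-10 13:05:00", "SuccessfulAuth"),
    _ipt("2024-01-10 13:05:04", "A"),
]
SEC_RE = re.compile(r'^\[(?P<ts>[\d-]+ [\d:]+)\].*SecurityEvent="(?P<ev>\w+)".*'
                    r'RemoteAddress="IPV\d/\w+/(?P<ip>[^/"]+)/')
IPT_RE = re.compile(r'^(?P<ts>[\d-]+ [\d:]+) .*iptables .*-(?P<op>[AD]) '
                    r'fpbxregistrations -s (?P<ip>[\d.]+)/32 -j fpbxknownreg')
FMT = "%Y-%m-%d %H:%M:%S"

def correlate(lines):
    """One record per fpbxregistrations add/delete, with the run of ChallengeSent
    events (no SuccessfulAuth in between) that preceded it for the same IP."""
    pending, out = {}, []   # pending: ip -> timestamps of unanswered challenges
    for line in lines:
        m = SEC_RE.match(line)
        if m and m["ev"] == "ChallengeSent":
            pending.setdefault(m["ip"], []).append(datetime.strptime(m["ts"], FMT))
        elif m and m["ev"] == "SuccessfulAuth":
            pending.pop(m["ip"], None)          # auth succeeded: the run is over
        elif (m := IPT_RE.match(line)):
            ts, run = datetime.strptime(m["ts"], FMT), pending.get(m["ip"], [])
            out.append({"time": ts, "ip": m["ip"],
                        "action": "removed" if m["op"] == "D" else "added",
                        "unanswered": len(run),
                        "silent_for": (ts - run[0]) if run else None})
    return out

if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        print(rec)
```

Run over real logs, a "removed" record with a non-zero `unanswered` count matches the sequence in the post: challenges with no successful authentication, then the `-D` on fpbxregistrations.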
