Monitor Firewall Status

Is there a method to check to see if the FreePBX firewall is running via SSH?

We use LabTech (ConnectWise Automate) as our RMM tool and would like to create some sort of monitor to make sure the firewall stays up and running.

The firewall.log will exist in /tmp when the firewall is active.

Thank you for the information.

I turned off the firewall (fwconsole firewall disable), confirmed in the GUI it is disabled, and checked /tmp/ and the firewall.log is still there. Should it auto delete when stopped/disabled?

Well it might only get deleted during a reboot. I thought it was deleted when it was deactivated. You can just look at what iptables chains/rules are in place. The firewall is just iptables.

There should be an fwconsole command to get firewall information. Starting with “fwconsole ?” will get you the list of all fwconsole commands.

https://wiki.freepbx.org/display/FPG/Firewall+Command+Line

Currently there is not an option for status.

iptables -S

If the firewall is off it will show the following:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Otherwise it will show a whole mess of stuff…

service iptables status | grep Active | awk '{ print $2 }'

active = on
inactive = off

service fail2ban status | grep Active | awk '{ print $2 }'

active = on
inactive = off

if [ -f /etc/asterisk/firewall.enabled ]; then echo "active"; else echo "inactive"; fi

– if RF is enabled, this file exists. You can just see if the file exists or not.
active = on
inactive = off

Thank you both for the reply.

davidg: I tried the service iptables status | grep Active | awk '{ print $2 }' command but it shows up inactive but the Firewall is active. The other two commands report back as active so those are working.

If I run iptables -S like Brain suggested it shows iptables is working.

I assume this has something to do with the updates since 2018.

Again, thank you both for your replies. I can use this inside our RMM to better track the firewalls inside our systems.

If you enable the firewall from the command line, the /etc/asterisk/firewall.enabled file doesn’t generate. So turns out the script doesn’t work unless you’re enabling from GUI.
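
Added example, not part of the original thread: a monitor check built on the iptables -S test described above, since the thread found the file and service checks unreliable. The function names, the --live switch and the sample rulesets are assumptions made for illustration; the "only three default ACCEPT policies means off" rule is the heuristic from the replies.

```shell
#!/bin/sh
# Added example (not from the thread). Heuristic taken from the replies above:
# a ruleset holding only the three default ACCEPT policies means "off".
# Assumption: any other rule counts as "on", including rules added by other tools.

# classify_ruleset: read `iptables -S` output on stdin, print one status word.
classify_ruleset() {
    awk '
        NF == 0 { next }                                # skip blank lines
        { seen++ }
        /^-P (INPUT|FORWARD|OUTPUT) ACCEPT$/ { next }    # default policy
        { extra++ }                                     # anything else
        END {
            if (seen == 0)      print "unknown"         # no data at all
            else if (extra > 0) print "active"
            else                print "inactive"
        }'
}

# firewall_status: query the live ruleset (needs root). A failed or missing
# iptables yields "unknown" so the monitor never reports a false "inactive".
firewall_status() {
    if rules=$(iptables -S 2>/dev/null); then
        printf '%s\n' "$rules" | classify_ruleset
    else
        echo unknown
    fi
}

# Constructed sample rulesets for an offline run (not captured from a real host).
SAMPLE_OFF='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_ON="$SAMPLE_OFF
-N sample-chain
-A INPUT -j sample-chain"

# Pass --live to check the real host; otherwise print the sample results.
if [ "${1:-}" = "--live" ]; then
    firewall_status
else
    printf 'off sample: %s\n' "$(printf '%s\n' "$SAMPLE_OFF" | classify_ruleset)"
    printf 'on sample:  %s\n' "$(printf '%s\n' "$SAMPLE_ON" | classify_ruleset)"
fi
```

An RMM monitor can run the script with --live as root and alert on any output other than "active".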