Need some help with responsive firewall setup

hi, i am setting up FreePBX 14 rc1.8 with asterisk 13 (fully patched). I don’t think responsive firewall is working properly because i never see any registered endpoints in the status overview of responsive firewall. here is my layout

eth0 - configured to ‘local’ zone - management only vlan (no sip traffic)
eth1 - 172.30.2.0/24 - configured to ‘internet’ zone - voice vlan where my phones are

i have not assigned 172.30.2.0/24 to any network zone.
i have no zone selected for sip and chan_sip in the services tab

the phones seem to work fine, but I don’t think responsive firewall is engaged.

fyi, i am connecting phones via sip-tls and srtp, not sure if that makes a difference or not…will responsive firewall work in an encrypted environment?
I would appreciate anyone’s help on this.
thanks

fyi, something odd today: I now have 1 registered endpoint in the responsive firewall status. I have 15 phones up and running…i cannot figure out why responsive firewall only sees one…

anyone have any ideas?

thanks

Phones that were registered prior to the firewall being enabled have their IPs whitelisted already, same as if they had come through the responsive process.

I was wondering about that, so i rebooted phones…that did not seem to make a difference, is there a timeout value on the whitelist that might be in play?

thanks

Rebooting phone won’t drop them off whitelist. Not sure to be honest on what would. @xrobau might know better. I think only when the extension registers from a new IP.

ah, ok, maybe i need to wait longer.

thanks for the info!

something just occurred to me, what if i have a sip trunk to a gateway (which i do)? the ip would never change…does that mean that the responsive firewall would never list it? seems like there has to be some timeout eventually?

If the inbound traffic is whitelisted as trusted in Networks it won’t use the Responsive firewall. Responsive only reports on hosts that register to Asterisk but would otherwise be blocked (internet or external zone).

to be clear, i have not whitelisted the traffic, but I think the system whitelisted it because the connections were already established before responsive firewall was configured, and that is the whitelist i was talking about. i think there must be a timeout on that at some point…maybe i need to bounce the system to get that all straight?

The IPs will be removed when they expire from asterisk. You can do asterisk -rx "core restart when convenient" which will restart asterisk when no calls are active, and will clear out any registrations that may be hanging around.

rob, thanks, i will try that and let you know

rob, i restarted asterisk and indeed, the phones now show up in responsive firewall…yeh! BUT, the vega gateway connections (3 fxs ports) do not. they are listed as available (pjsip show contacts) and they do work, but they are not listed as an endpoint in responsive firewall…should they be?


If you’ve put the IP address of the Vega into FreePBX (which I’m pretty sure you have), it’s already explicitly whitelisted. You won’t see it as an endpoint because it’s already allowed through the firewall.

rob, yes, the vega has both fxs and fxo ports. I have a trunk set up for the fxo ports…so, yes, i do have the ip in there. that must be it.

thanks for the info.
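The reporting rule the replies above describe (only hosts that register from the internet/external zone and are not already whitelisted appear in Responsive Firewall, and an asterisk restart clears the implicit whitelist left by pre-firewall registrations) can be sanity-checked against your own layout with a small model. This is an added example, not FreePBX code; the class, the zone names as dictionary keys and all addresses are constructed assumptions that mirror the thread's eth0/eth1 setup.

```python
import ipaddress
from dataclasses import dataclass, field

# Zones whose registering hosts Responsive Firewall watches and reports on.
RESPONSIVE_ZONES = {"internet", "external"}


@dataclass
class FirewallModel:
    interface_zones: dict                                  # subnet -> zone name
    trusted_networks: list = field(default_factory=list)   # Networks tab CIDRs
    trunk_peers: set = field(default_factory=set)          # IPs configured on trunks
    pre_firewall_regs: set = field(default_factory=set)    # registered before firewall on

    def zone_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, zone in self.interface_zones.items():
            if addr in ipaddress.ip_network(net):
                return zone
        return "external"  # not on any known interface subnet

    def is_whitelisted(self, ip):
        if ip in self.trunk_peers or ip in self.pre_firewall_regs:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.trusted_networks)

    def responsive_endpoints(self, registered_ips):
        # Only hosts that would otherwise be blocked appear in the status view.
        return sorted(ip for ip in registered_ips
                      if self.zone_for(ip) in RESPONSIVE_ZONES
                      and not self.is_whitelisted(ip))

    def restart_asterisk(self):
        # Models `asterisk -rx "core restart when convenient"`: stale
        # registrations expire, so the implicit whitelist they created empties.
        self.pre_firewall_regs.clear()

# Constructed scenario mirroring the thread; all addresses are made up.
PHONES = {"172.30.2.101", "172.30.2.102", "172.30.2.103"}
VEGA = "172.30.2.250"    # gateway IP entered on the FXO trunk (hypothetical)
MGMT_HOST = "10.0.0.5"   # sits on eth0, the 'local' zone (hypothetical)
ALL_REGISTERED = PHONES | {VEGA, MGMT_HOST}

def thread_scenario():
    return FirewallModel(
        interface_zones={"10.0.0.0/24": "local", "172.30.2.0/24": "internet"},
        trunk_peers={VEGA},
        pre_firewall_regs=set(PHONES),
    )
```

Before `restart_asterisk()` the model reports nothing, matching the empty status view in the first post; afterwards the phones appear while the Vega stays hidden because its trunk IP is explicitly allowed.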