This has been on my (and lots of other people’s!) wishlist for a while, and you’ll all be happy to hear that I finally figured out a way to make Responsive firewall a lot more responsive!
A minor, but niggly, issue has been that it can be a bit too enthusiastic with chatty clients, and preemptively ban them before it’s realised they’re legitimate.
I’ve been mentally throwing around some ideas for a while, but I finally figured it all out over the weekend, and I present to you Firewall 13.0.53.2 (or higher!)
The only thing that may be slightly unexpected is that you really have to click ‘Reload’ after it’s installed. It’ll yell about it if you don’t, and until you do that, you won’t get the monitoring features.
After you’ve done that, you will see a new process:
root 8458 0.3 0.2 417288 21608 ? S 00:50 0:04 php /usr/src/freepbx/firewall/hooks/voipfirewalld
root 8478 0.0 0.1 417004 10776 ? S 00:50 0:00 voipfirewalld (Monitor thread)
(If you’re not on 14, you’ll just see two ‘voipfirewalld’ processes, but that is the only difference).
You’ll also see a bunch of new entries in /tmp/firewall.log:
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.22.152.191 detected
Firewall-Monitoring - Auth failure from 185.40.4.126 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.22.152.68 detected
Firewall-Monitoring - Auth failure from 185.40.4.126 detected
A valid entry looks like this:
Firewall-Monitoring - 10.5.108.76 reported as good, adding to whitelist.
1524541732: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.5.108.76/32 -j fpbxknownreg
The ‘-A’ will happen within 30 seconds of the Monitoring process picking it up.
I’ve tested it, and it’s currently in Edge. I’d love for other people to test, as it’s one of the biggest changes to firewall since it was originally written. Feel free to leave feedback here, or open tickets if you have any issues.
Thanks!
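For anyone testing the monitoring, the following is an added example, not part of the post or of the FreePBX firewall module: a small script that tallies the /tmp/firewall.log entries shown above per source address. It assumes the three line formats quoted in the post; the function name `summarize` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format the post shows (addresses are made up).
SAMPLE_LOG = """\
Firewall-Monitoring - Auth failure from 198.51.100.7 detected
Firewall-Monitoring - Auth failure from 198.51.100.7 detected
Firewall-Monitoring - Auth failure from 198.51.100.7 detected
Firewall-Monitoring - Auth failure from 10.0.0.20 detected
Firewall-Monitoring - 10.0.0.20 reported as good, adding to whitelist.
1700000000: /sbin/iptables -w5 -W10000 -A fpbxregistrations -s 10.0.0.20/32 -j fpbxknownreg
Firewall-Monitoring - 10.0.0.21 reported as good, adding to whitelist.
"""

FAIL_RE = re.compile(r"Firewall-Monitoring - Auth failure from (\S+) detected")
GOOD_RE = re.compile(r"Firewall-Monitoring - (\S+) reported as good, adding to whitelist")
RULE_RE = re.compile(
    r"^(\d+): /sbin/iptables .*-A fpbxregistrations -s (\S+?)(?:/\d+)? -j fpbxknownreg")


def summarize(lines):
    """Tally monitor events per source address (hypothetical helper)."""
    failures = Counter()   # address -> auth failures seen
    good = []              # addresses reported as good, in log order
    rules = {}             # address -> epoch timestamp of the '-A' rule
    for raw in lines:
        line = raw.strip()
        if m := FAIL_RE.search(line):
            failures[m.group(1)] += 1
        elif m := GOOD_RE.search(line):
            if m.group(1) not in good:
                good.append(m.group(1))
        elif m := RULE_RE.match(line):
            rules[m.group(2)] = int(m.group(1))
    return {
        "failures": dict(failures),
        # Reported good but no '-A' logged yet: expected for up to ~30 seconds.
        "pending_rule": [ip for ip in good if ip not in rules],
        # Chatty but legitimate: had auth failures and was also reported good.
        "failed_and_good": [ip for ip in good if failures[ip] > 0],
        "rules": rules,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

To run it against a live system, pass `open("/tmp/firewall.log")` to `summarize` instead of the sample.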