Part 2 of Open Source Pro Tips is available now. It covers basic configuration of FreePBX Firewall. It was adapted from a talk that I did at Astricon last October.
Hacked? I'm not sure what's going on
Hacked again :/
How To Disable All External Traffic Except Whitelist? Firewalld Throwing iptables Error
New blog post: Some security tips and tricks
freePBX Remote phone or Remote SIP app Help
Failed Authentication in Asterisk Logs from Unknown Registrations
Issue with responsive firewall
Let's Encrypt broken on two FreePBX servers
Zulu - External users
Happy New Year
Responsive firewall "pass through"
Lorne, First, I want to thank you for doing this, I thought I knew what I was doing with the firewall but after watching this, i realize I have it all wrong. I found this very helpful.
I have a question about my specific config, here is my config:
we only support desk phones (about 120), NO softphones and NO remote phones
eth0 - management interface this is how i get to the gui and also users get to UCP
eth1 - voice vlan, all phones and ATA’s are on this network
eth2 - SIP trunk to provider (NOT over Internet)
I think i am set up backwards, from your video, it sounds like i should make eth1 and eth2 “local trusted” as these interfaces will never see untrusted traffic (edge case is someone physically breaks in to the building and plugs into the phone). Currently, i have these configured as internet zones…Should they be Local Trusted?
Also, you make the statement that responsive firewall should only be enabled to handle untrusted traffic. since i would not see untrusted traffic, i should disable the responsive firewall?
Finally, what is the best setting for eth0…i use that for mangement but if i set it to local trusted as well, i will get a dashboard error??
thanks for clarifying these points!
For some things in Firewall, there is not a single correct answer, the video is intended to be an introduction to basic features by means of a typical config.
Let’s take a fictional example, suppose I have an interface defined with IP 192.168.88.10 and a /24 subnet. If I KNOW FOR CERTAIN that this interface will NEVER have any inbound traffic outside the /24 subnet, I can safely set this interface to Local, and be done with it. All inbound traffic will have access to any service which permits local zone access.
But an equally valid config would be to set this interface to Internet, and then create a corresponding rule in Networks that sets 192.168.88.0/24 to Local. The end result is the same. The second case might actually afford a bit more security, supposing my external firewall fails or gets misconfigured at some future date, the PBX firewall is already preconfigured with the expectation that inbound traffic might be mixed with untrusted traffic with appropriate rules in place.
So I would say no, you don’t need to rezone your interfaces to be less secure, nor would I recommend doing so at this point assuming everything works as expected. However, this option is available to you.
If your system need not be configured to allow SIP registrations from untrusted hosts, you should disable responsive. That is the ONLY use case for it.
No. Setting an interface to Trusted triggers a dashboard warning. Setting to Local is a valid interface zone.
Lorne, thanks for the clarification!