Rant: What's the problem with EL7/8/9?

This is a post made by a personal account regarding a company issue:

So we had this task to migrate asterisk/freepbx to a new server. All good routine stuff we do every once in a while when OS’s become unsupported.

So we proceeded to install the OS, asterisk, all good. Finally proceeded for the FreePBX install:
So looking at the docs we get this:

Manual installations of FreePBX is considered an EXPERTS ONLY exercise. This method of installation is enough to get CORE functionality of FreePBX. Non-commercial modules may not function as expected or detailed in the Wiki's. Certain modules and features may require additional software to be installed and configured on the server.
**** COMMERCIAL MODULES CANNOT BE INSTALLED ON THIS OS ****

Now, EL stands for ENTERPRISE LINUX.
IN ORGANIZATIONS, WE DON’T USE Community driven PoS distros, we use EL with support.

If we are to install any commercial modules, it’s on OS’s with support contracts. If we have issues, we have an immediate response, not some phantom community with no responsibility. ffs.

(and before anyone tries to suggest “google uses debian” - NO, Google uses an internally developed distro, off debian-testing, with massive works on it, that barely resembles with any community debian.)

Yet again, could this be the right opportunity to ditch a GUI and go full CLI with PBX? Asterisk apparently is distro-agnostic, something that clearly failed miserably here.

Oh, and the tutorials to disable selinux. SELinux already ships with context for Asterisk. God.

Cool rant. Sounds like you should have gone with Cisco.

6 Likes

If you are running from the distro then it’s SNG7 and not a raw Centos 7 OS, so in that sense Sangoma are supporting the OS as part of the overall software.

If you want something that’s got proper support buy Switchvox. You can’t have your OSS and eat it! There have long been discussions about making FreePBX OS agnostic and it just isn’t going to happen from what I’ve seen.

I personally don’t give a monkeys nuts what the OS is underneath as long as the PBX functions as a PBX.

1 Like

Hi @rsmithuk,

We’re not running from any distro. As I thought I had mentioned, we manually setup the system. And besides, CentOS is dead. CentOS Stream isn’t production and furthermore we don’t have any EL7 system left. It’s almost 2023.

We do give a damn about what OS is beneath.

Actually after reading the docs a little further we can see stuff that makes my eyes roll. It’s always “disable selinux, disable selinux” because someone apparently is so smart that can’t use the tools to identify the hits and put things to work with SELinux enabled, I mean, it’s mostly httpd and php-fpm context. audit2allow will make all the work for you.

We will put some works into finding alternatives. If indeed as you say making FreePBX OS agnostic is not going to happen, that’s its fate.

1 Like

Why do you care what’s underneath? Just install from the distro rather than messing around, then if you want to extend with Commercial Modules you will get support.

1 Like

You do understand that the commercial modules in question are FreePBX commercial modules right? These are not OS level modules. They are modules only for FreePBX, at this time the commercial modules for FreePBX are only supported on the FreePBX (a commercial product). Using the OSS version of FreePBX limits your ability to use FreePBX commercial modules.

What makes you think RedHat EL support is going to extend to Queues Pro in FreePBX?

FreePBX is distro agnostic and even runs on BSD.
Commercial modules only run on the platform “developed” and “maintained” by sangoma.

You do NOT need commercial modules to run FreePBX.
You do NOT need the distro to run FreePBX

If you want commercial support from Sangoma you have to play by their rules. There ARE other support options.

Many of the folks here use non-distro installs and their universes don’t implode.

The sole purpose of the disclaimers are so someone doesn’t come and yell at them when they did it “their way” and the random support person who only knows how to copy and paste from a cheat sheet can’t help you.

Since the golden calf here is the reference of “EL” you should take in to account these type of support policies are the same reason people say EL and NOT redhat.

1 Like

You are not understanding. You cannot install FreePBX commercial modules on a non-distro installation of FreePBX.

1 Like

Alright I misunderstood the disclaimer!

Can we take that as an implied apology because you must admit you came in strong (and wrong), the wording is pretty hard to misunderstand, no?

No, you can’t.

First because the wording is not exactly clear, plus if you look closely to the documentation guides to install FreePBX on EL stopped in v14. Seems like it’s v16 now.

Documentations that are all into “disabling security” but then put this thing “sangoma firewall” or “responsive firewall” the worst piece of software I’ve seen in a while.

Since I first made this post I’ve made a bunch of FreePBX setups in different environments for testing, right now under my nose I have two instances of FreePBX running, one is the manual option and the other is from the FreePBX distro as it was suggested.
But really, I’ve seen some crappy software, but this sangoma firewall beats records of awful software. On the “wizard” alone it constantly locks out, throws errors and forces a reboot just to regain access.
Literally, first time after configuring the admin user. So if anyone ever apologises for all that (lack of documentation, poor and faulty software, so on) I’ll apologise too for my misunderstanding.

The truth is that, in the end, installing manually is a far superior solution to “freepbx’s distro”. Not only regarding the OS itself, its underlying security but at least with manual setup I can connect properly to the PBX server, configure a Trunk and connect phones without being locked out and constantly having to reboot the instance to regain access, which only happens with the all mighty freepbx distro. Not even mentioning the full bloat that comes in this distro.
I see why the distro is here. It’s a good solution for who does not know how to work systems and then they go and pay for support. However a manual install works perfectly, without all these issues mentioned above. I actually came ranting without actually installing it manually - again, because the documentation sucks, only has EL guides up to v14 when there are debian counterparts up to v16.

It’s not my decision on the software, because if it were … :slight_smile: my task is to put it working, and I’ll have it up to speed in no time.

Your beef with FreePBX doesn’t make sense to me and it seems to come from a lack of understanding. Which is fine if you were to try and use the formidable knowledge of the people on this forum to good use and ask for information instead of bashing the product immediately.

You certainly do not have to use any of the commercial modules or even the firewall module when using the distro. They are easily uninstalled. In fact, you can use the below script (credit to @billsimon) to uninstall all commercial modules

for x in $( fwconsole ma list | grep Commercial | awk '{print $2}' ); do fwconsole ma delete $x; done

and you can remove the firewall module easily enough as well and employ your own security solution

fwconsole ma delete firewall

Feel free to field any additional questions to the forum, but don’t expect hugs when you write an essay complaining instead of trying to learn.

1 Like

So will you kindly teach me why aren’t those commands on the docs?
Why are the docs outdated and only targeting specific distros (which is funny that’s not even the distro they ship)

I could have not ranted if the documentation was proper, if it was updated, if it was clearly informative.

Usually I work more than spend time on the forums. When the documents are proper, when things are well done, people move forward instead of wasting time asking stuff in forums. I didn’t come here to make questions, I typed RANT right before the title.

And reading in the forums about Sangoma’s amazing responsive firewall, I’d say there’s not so many people answering questions here. Seen posts with relevant questions stalled for half months until someone bumps it by having the same issue.

In my view the sort of security that selinux provides is of very little value on a typical dedicated Asterisk system. Also to use it effectively the person running Asterisk would need to put a lot of thought into how to properly use it.

When I was actively developing Asterisk based stuff, I didn’t actually turn it off, and the only time I think it kicked in was when I transferred a file in a particular way (maybe plain ftp as an anonymous upload); the file got tagged as being from an untrusted source. I don’t think the average office manager or telecoms manager would understand what was going on there, so they would either follow a recipe to turn selinux off, or one to remove the problem tagging, both without understanding the security implications.

An asterisk system that really made use of selinux might have to tag voicemail files by department, etc. I suspect someone designing an selinux FreePBX would do so by taking steps to avoid selinux rejecting operations, rather than actually designing things to benefit from it.

I suggest the biggest source of security sloppiness in the Asterisk world is the result of suggested configurations from ITSPs, who tend to turn down security in a blanket way, rather than thinking carefully about the minimum relaxation needed. Users don’t even seem to consider that a parameter called insecure is reducing security. Part of that is because ITSP don’t think they need to prove who they are, but the insecure=port part is rarely needed.

Another weak area is weak use of Public Key Infrastructure, to avoid custom certificates for every phone, and to use low security, but free CAs, with automation and no protection of private keys.

Lack of real understanding of PKI is also a problem for most web servers.

1 Like
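
An added example (not part of any post in this thread) of checking for the blanket relaxation described above: a shell function that lists every section of a chan_sip-style config whose insecure option is set to anything other than no. The sample config, host names and section names are constructed.

```sh
#!/bin/sh
# Added example: report sip.conf-style sections that set "insecure" to anything but "no".

# Constructed sample config (hosts, names and secret are made up).
sample_sip_conf() {
    cat <<'EOF'
[general]
context=from-sip-external

[itsp-trunk]
type=peer
host=sip.example.net
insecure=port,invite   ; copied from a provider sample

[desk-101]
type=friend
secret=constructed-not-real
insecure=no

[itsp-backup]
type=peer
insecure = port
EOF
}

# Prints "section<TAB>value" for each relaxed setting; reads files or stdin.
audit_insecure() {
    awk '
        /^[ \t]*;/ { next }                         # whole-line comment
        /^[ \t]*\[/ {                               # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        {
            line = $0; sub(/;.*$/, "", line)        # drop trailing comment
            n = index(line, "=")
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = tolower(substr(line, n + 1))
            gsub(/[ \t]/, "", key); gsub(/[ \t>]/, "", val)   # also handles "=>"
            if (key == "insecure" && val != "" && val != "no")
                printf "%s\t%s\n", section, val
        }
    ' "$@"
}

sample_sip_conf | audit_insecure
```

Pass real config files as arguments to audit_insecure; each hit is a setting to justify or remove, not evidence of a problem by itself.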

I agree with you on almost every point, but I’d like to add a remark regarding SELinux.

Today, all you have to do is make install and after that if you do

restorecon -vr {/etc/asterisk,/var/lib/asterisk,/var/log/asterisk,/var/spool/asterisk}

it will update the context for asterisk, as SELinux and these paths are already coded in.

For FreePBX I don’t see much more than a couple of httpd rw php-fpm and socket access to have it all working.

People do find it easier because that’s what almost all places tell people to do. Period.
Today you can use ausearch and pipe it to audit will give you exactly all hits and what you have to do. Instead people prefer to keep fiddling with iptables like it’s 1998.
While companies are free to give shaite advice, I’m also allowed to rant about it: all good! :slight_smile:
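
An added example (not from any poster) of what the ausearch and audit2allow step mentioned in this post and earlier in the thread boils down to: grouping AVC denials into candidate allow rules for review. A small awk function stands in for audit2allow so the block runs without the audit tools installed; the log lines, pids, inodes and the specific type names are constructed.

```sh
#!/bin/sh
# Added example: group SELinux AVC denials into candidate allow rules for review.

# Constructed audit.log lines (pids, inodes, timestamps and paths are made up).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1670000001.101:501): avc:  denied  { write } for  pid=2101 comm="php-fpm" name="asterisk.ctl" dev="tmpfs" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:asterisk_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1670000001.101:501): arch=c000003e syscall=42 success=no exit=-13 comm="php-fpm"
type=AVC msg=audit(1670000002.202:502): avc:  denied  { read open } for  pid=2101 comm="php-fpm" path="/etc/asterisk/manager.conf" dev="dm-0" ino=3002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:asterisk_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1670000003.303:503): avc:  denied  { read getattr } for  pid=2050 comm="httpd" path="/etc/asterisk/manager.conf" dev="dm-0" ino=3002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:asterisk_etc_t:s0 tclass=file permissive=0
EOF
}

# One line per (source type, target type, class), with the union of denied permissions.
summarize_avc() {
    awk '
        /^type=AVC / && /denied/ {
            perms = $0                               # text between the braces
            sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
            src = tgt = cls = ""
            for (i = 1; i <= NF; i++) {
                # a context is user:role:type:level, so the type is field 3
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src == "" || tgt == "" || cls == "") next
            key = src " " tgt ":" cls
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++)
                if (!((key, p[j]) in seen)) {
                    seen[key, p[j]] = 1
                    rule[key] = rule[key] " " p[j]
                }
        }
        END { for (k in rule) printf "allow %s {%s };\n", k, rule[k] }
    ' "$@" | LC_ALL=C sort
}

sample_audit_log | summarize_avc
```

A denial on a file that should already carry an asterisk label points to a labelling problem that restorecon fixes, so review each candidate rule before loading anything.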

Documentation stopped getting updated after certain staffing changes. While that shouldn’t make a difference as the folks who are supposed to document it should not have been unaffected by the shift in staff.

I’ll just leave that cryptic IYKYK

In any case prior to my departure documentation was supposed to be maintained by support and QA which all fall under @dolesec perhaps he can answer why things are so far out of date. I am going to play the devil’s advocate and hope it isn’t about pumping support revenue.

There was just another management shift for engineering so I’m not sure if they have any insight but again the maintenance of documentation is delegated to other folks who in theory test and document everything

1 Like

@maverickws
So you sell free software to your customers/clients and complain about rules set out by the company, which maintains this free software. If this free software would depend on guys like you, who seem to have not contributed anything to the community (just checked your account), freePBX/Asterisk would not exist. Where are you from? Just curious :wink:

EDIT: Download the distro…it is reliable and will be supplied with all (security)updates and fixes, needed for a hassle-free experience! You are a Maverick-guy…I am sure you will figure it out, how to configure the firewall.
If you want your own OS, install it…install Virtualbox and run the freePBX distro as a VM…it is 100% stable too…

  1. I don’t sell software :man_shrugging:
  2. I’m not a developer;
  3. If you had read more closely the information on the topic, you’d see I’ve already downloaded the distro, put both to work, and even made a comparison between it and the manual install.

If I need a VM I have a few hypervisors sitting at the DC.

Actually, I’ll even add something else:
Our current solution is sitting on a DC over 5Km away from our office. It’s an old machine running asterisk and freepbx oss version.
The solution works over IPSec Site to Site, with phones registering remotely, as soon as I started reading about the “sangoma responsive firewall” found out people struggle to have phones and remote people working which for us simply is trivial. Clearly the FreePBX distro is good, for people to purchase support.

We have over 350 Hosted FreePBX for customers in the UK and don’t tend to have any issues with the responsive firewall.

Occasionally we get some challenges where a home worker’s IP changes and it gets blocked but that can be overcome by managing OpenVPN through the SysAdmin Pro module.

For OSS I still find it the most comprehensive solution compared to other OSS PBXs (not that there are many left). Is it perfect, no but I don’t expect that from OSS.

Which again is why we run the distro version because we know that on the most part everything will just work and if there is an issue it will likely be fixed fairly quickly.

In terms of documentation, again I don’t know many OSS that does have well maintained and up to date Documentation.

1 Like