Once marked as an Attacker, a single request in a 24-hour period keeps you marked as an Attacker
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
If you make more than 100 requests in a 24-hour period you are labeled as a REPEAT
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
50 attempts in an hour also marks you as REPEAT
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 3600 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
10 requests in 60 seconds, so one every 6 seconds, will get you a shortblock as a REPEAT.
fpbxshortblock all -- anywhere anywhere recent: CHECK seconds: 60 hit_count: 10 name: REPEAT side: source mask: 255.255.255.255
Here is how the traffic is filtered:
Chain fpbxfirewall (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere anywhere PKTTYPE = multicast
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
fpbx-rtp all -- anywhere anywhere
fpbxblacklist all -- anywhere anywhere
fpbxsignalling all -- anywhere anywhere
fpbxsmarthosts all -- anywhere anywhere
fpbxregistrations all -- anywhere anywhere
fpbxnets all -- anywhere anywhere
fpbxhosts all -- anywhere anywhere
fpbxinterfaces all -- anywhere anywhere
fpbxreject all -- anywhere anywhere
fpbxrfw all -- anywhere anywhere mark match 0x2/0x2
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
fpbxlogdrop all -- anywhere anywhere
Basically, despite being in the “registrations” or other allowed lists they still have to go through the rate limiting. If user X is compromised and hacker A connects with their creds then hacker A’s IP is now in the “good lists” and they can reach the UCP, etc. If they start blasting calls at you then skipping those rate limit checks would allow them to just send calls through you at a high rate with nothing to stop them unless you’re monitoring how many calls.
This could have so many implications outside of just fraud charges. They could slow down your PBX. They could put you at capacity with your provider(s) and start having valid calls rejected. They could get you banned by your provider(s).
Just keep that in mind when you’re thinking about ripping this out and doing your own.
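The thresholds quoted in the post above, replayed as sliding-window counters to show which tier catches a given request rate. This is an added example, not part of the original post and not FreePBX's own code; it assumes every request from a source is recorded once and that a hit exactly at the window edge still counts. The function names and the evenly spaced sample traffic are constructed for illustration.

```python
from bisect import bisect_left

# (tier, window in seconds, hit_count) as quoted in the post's rule listing.
TIERS = [
    ("shortblock", 60, 10),
    ("repeat-hourly", 3600, 50),
    ("repeat-daily", 86400, 100),
]
ATTACKER_WINDOW = 86400  # ATTACKER rule: hit_count 1 within 24 hours


def hits_in_window(stamps, now, seconds):
    """Count recorded requests with timestamp >= now - seconds (stamps sorted, all <= now)."""
    return len(stamps) - bisect_left(stamps, now - seconds)


def first_trips(request_times):
    """Replay one source's requests; return {tier: 1-based request number that first meets it}."""
    trips = {name: None for name, _, _ in TIERS}
    seen = []
    for number, now in enumerate(sorted(request_times), start=1):
        seen.append(now)  # assumption: every request is recorded before the check
        for name, seconds, hit_count in TIERS:
            if trips[name] is None and hits_in_window(seen, now, seconds) >= hit_count:
                trips[name] = number
    return trips


def still_attacker(last_request, now):
    """A source already marked ATTACKER stays marked while it has one hit in the window."""
    return now - last_request <= ATTACKER_WINDOW


def steady(interval, count):
    """Constructed sample input: `count` requests spaced `interval` seconds apart."""
    return [i * interval for i in range(count)]


if __name__ == "__main__":
    for interval in (6, 7, 100):
        print(f"one request every {interval}s ->", first_trips(steady(interval, 200)))
    print("marked source, quiet for 23h:", still_attacker(0, 23 * 3600))
    print("marked source, quiet for 25h:", still_attacker(0, 25 * 3600))
```

Traffic that stays just under the 60-second threshold is still counted by the hourly and daily windows, which is why the tiers overlap rather than replace one another.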