Responsive Firewall - Driving me Crazy!

Hello all,
I have changed my SIP port to a high number 4xxxx. I use Vitelity as my SIP provider. As long as I use a register string, I am able to connect to Vitelity and have had no problems. I am running out of channels and Vitelity told me that I need to move to IP Authentication. For this I need to change my PORT back to 5060 or forward my 4xxxx port to 5060 only for Vitelity's servers.

I tried to add port forwarding in firewall-4.rules. The port forwarding for 5060 doesn't work because I keep getting a busy signal for incoming calls. Is this even possible with the FreePBX 13 built-in firewall?

If port forwarding isn't going to work, I read that port 5060 can be configured to only respond to a DNS string. So if I can set up the firewall to only respond to mypbxHost.domain.com instead of an IP address, this should prevent all the hackers from finding my PBX server by IP scans.

Changing the port to a high port number really lowered the number of attacks on my PBX servers. Now that Vitelity will only work on 5060 with IP authentication, I need to figure out a way to minimize the hack attempts. The responsive firewall does a good job at blocking the hackers, but on one server I had like 45 IPs that it was actively blocking. All these take up CPU and memory resources.

I just want to be able to minimize the exposure of my PBX system on the web utilizing the built-in Firewall.

What do you guys suggest I do?

If I were you, I would go back to port 5060 for SIP and let the FreePBX firewall do its job. If the firewall operation is overloading your server, you can also uninstall the module and manually define the iptables rules, specifically allowing connections to port 5060 only for IPs that belong to your provider, in this case Vitelity.

Nothing says that you need to use 5060 as your port, at all. When you use IP auth with them, you're going to give them IPs that can make calls and you're going to point your numbers to the IP:port of your PBX (or wherever you are sending the calls).

Nothing requires you to use 5060.

BlazeStudios - When I change the SIP bind port on my FreePBX to 4xxxx and turn on IP Authentication, I can make outgoing calls but incoming calls get a fast busy. I had Vitelity look into it and they sent me logs with an Invite to 5060 that my PBX server was not responding to because the SIP bind port is on 4xxxx. In the Vitelity portal, I am not able to add an IP address with a port number. It gives me the error "Invalid IP Address". After reading your post I tried to add the IP like this xx.xx.xx.xx:4xxxx and I got an invalid IP address error.

Arielgrin - at this point this is what I am thinking. But with roaming clients and dynamic IPs this solution won't work well. I am trying to avoid VPN / DDNS and hoping to do this with the built-in firewall and avoid unnecessary scans and attacks against the server.

I forgot how crappy those guys can be. You can only route numbers to "endpoints" and you can only have an IP with no port for "endpoints" because endpoints are how you IP auth…

Contact support and see what they can do.

I have contacted Vitelity a number of times and their techs give me the same generic response: "we can only support port 5060 for SIP with IP authentication".

I just hate to expose the phone server on 5060. This is annoying; I've spent so much time trying to figure out a solution. Everyone is telling me to disable the built-in firewall and use iptables. Responsive firewall works great with roaming clients so far… I just want to minimize the visibility of the PBX server to random scans.

Then you’ll have to use 5060 and the System Firewall to allow only those with access in.

The System Firewall is iptables and it also provides a way for you to hook your own rules in, IPv4 or IPv6.

I read that /etc/firewall-4.rules can be used to add my own rules. But I am not able to do port forwarding for Vitelity there. I did set up port forwarding as a test for the web admin and that worked, but the port forward of 5060 for Vitelity still gives me a busy signal.

I was hoping to use the 5060 string matching with a DNS name to drop all connections to the PBX IP address. That should drop all the random scanners. But I don't know how to write the rule to test in the firewall-4 rules file.

The System Firewall is deny-all by default. You have to tell it what you want to allow in. The system will look at your trunks for what IPs they are using and add them into the Firewall so you don't have to.

If you have users that are connecting via dynamic IPs, you turn on the Responsive Firewall so it can do rate limiting and allow good users in and block bad users.

I have numerous systems running either in the cloud or direct on the Internet with the System Firewall running. I have had zero issues with attacks getting through.


Simply put Asterisk back on 5060 and let the firewall do its job. Add the network range you want to allow in, and that is it.

You're having all these problems because you're trying to do things you don't understand, for reasons that make no sense (i.e., DNS is used to look up IP addresses. That's it).

Honestly. Put everything back to default. Remove whatever you've tried to add in the local firewall rules. Tell the firewall to only accept traffic from your provider, and that's it. Nothing else needs to happen.

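The manual-iptables route suggested in the thread (allow UDP/5060 only from the provider's ranges, drop the rest), written out as an added example that is not from the thread or from the FreePBX project. The provider networks are placeholders (documentation TEST-NET ranges); the script only prints the rules unless run with `--apply`.

```shell
#!/bin/sh
# Added example, not FreePBX or Vitelity code. PROVIDER_NETS are PLACEHOLDER
# ranges; substitute the address list your SIP provider publishes.
PROVIDER_NETS="192.0.2.0/24 198.51.100.0/24"
SIP_PORT=5060
CHAIN=SIP_PROVIDER

# Print the iptables commands, one per line, without applying them.
sip_rules() {
    # A dedicated chain can be flushed and reloaded without touching INPUT.
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    for net in $PROVIDER_NETS; do
        echo "iptables -A $CHAIN -s $net -p udp --dport $SIP_PORT -j ACCEPT"
    done
    # Log a rate-limited sample of everything else hitting 5060 so scanners
    # are visible in syslog, then drop it (no reply, so nothing to fingerprint).
    echo "iptables -A $CHAIN -p udp --dport $SIP_PORT -m limit --limit 5/min -j LOG --log-prefix \"SIP-DROP: \""
    echo "iptables -A $CHAIN -p udp --dport $SIP_PORT -j DROP"
    # Hook the chain in at the top of INPUT, ahead of any broader ACCEPT.
    echo "iptables -I INPUT 1 -p udp --dport $SIP_PORT -j $CHAIN"
}

# Number of ACCEPT rules produced: one per provider network.
accept_count() {
    sip_rules | grep -c -- '-j ACCEPT'
}

if [ "$1" = "--apply" ]; then
    sip_rules | sh      # needs root; applies the printed rules
else
    sip_rules           # dry run: review before applying
fi
```

Subsequent requests from the provider (BYE and the like) arrive on 5060 from the same ranges, so they are covered by the same ACCEPT rules.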

If you use IP authentication with Vitelity, you have to forward port 5060. They will send subsequent requests, e.g. BYEs, only to port 5060, never to the source port that your original INVITE may have come from.

IIRC, this is always the right answer for Vitelity. Last year we went around and around about something they were doing, and it seems to me that they could do almost everything to a different port, but a bunch of stuff ended up being bound irrevocably to 5060, so stuff would work most of the time. As such, the recommendation was to turn on the firewall, block everything that wasn't Vitelity, and just do the stupid thing. Yes, not using 5060 is best practice. You're using Vitelity, so that's not really an option. :smile:

As has been pointed out, the System Firewall (which is different from the Responsive Firewall for your "non-local" phones) is now smart enough to know which hosts you are using for trunks and should open those for you. I personally don't let the system do it - I always fat-finger the IP addresses for my providers even though I don't have to anymore.

We (as a community) have already beaten this particular goblin pretty much to death. You aren't doing anything really new or exciting. The system, when configured correctly, should "just work" even though you are using Vitelity. :wink:

Remember - the System Firewall is good. The Responsive Firewall is different, and is your friend if you have external (to your network) phones. You can disable the Responsive Firewall entirely if you don't have people trying to connect from coffee houses and similar dens of iniquity…

Thank you guys. I am going to put everything back to 5060 and let the firewall run and do its thing.
