Responsive Firewall + Dynamic IP Address


I’m doing some tests with a clouded FreePBX and I have a question about the Responsive Firewall.
It seems that the only way to get a remote extension to register is to add it’s public IP in the trusted zone.
The description states “When this is enabled, any incoming VoIP connection attempts that would be otherwise rejected are not blocked, and instead allowed a very limited amount of registration attempts.” so I tought that an extension would be allowed to register even if their IP was not added manually to the trusted zone. The extension doesn’t register, but as soon as I add the IP to trusted, it works.

I’m trying to find some info in the logs but I don’t know where the firewall logs are.
Is the firewall supposed to block all unknown IP adresses, even if Responsive is enabled for PJSIP ?

More info that I forgot to mention:
The interface is directly connected to the Internet and is assigned to the Internet zone.

The responsive firewall allows through SIP requests if you enabled the responsive firewall to handle SIP. It works quite nice actually. While testing you may have gotten the IP blocked? It can be blocked by the firewall or fail2ban.

Does it allow request for provisioning or strictly SIP requests ?
Ex: My phones are configured to autoprovision via HTTP from my clouded server, with nothing else configured.

Provisioning is blocked on the internet by default, I believe. Only allows local on enable. SIP has to be enabled on the responsive firewall tab too.

Ok, after reading some of the descriptions in the Services section, I see that some are managed by Responsive Firewall and some are not (not stated at least)

I’m still learning it too but SIP and PJSIP are managed by the responsive firewall. UCP access has a hidden part to it where it allows IP addresses that have a registered SIP to access it even if internet is not enabled. I think the rest work like a normal firewall but I haven’t tested all of them yet.

I will another way: I’ll preconfigure SIP and the provisioning on the phone. If the phone registers, the firewall might allow the provisioning (maybe ?)

Set the HTTP provisioning to internet to begin with and slowly enable the security. If it doesn’t connect while in the internet zone then something provisioning related is misconfigured or the phone cannot contact the provisioning server.

The phone is correctly provisioning when I add the IP in trusted, so my provisioning configuration is good. HTTP is already set to Internet Zone (and I won’t change this, as it’s really not recommended). I’ll do some testing, I should have results in the next minutes.

You enable the Responsive Firewall by protocol - you need to make sure that you have assigned both ChanSIP and PJ-SIP to the responsive firewall and you need to make sure it’s actually getting enabled.

Your /var/log/asterisk/full log will have information pertinent to your search. In addition, there are other logs in the /var/log/asterisk directory that may have information you are looking for.

I was able to connect my phone through the responsive firewall by configuring the SIP account manually. I can see the phone’s public IP in the registered endpoints in the firewall. My issue is only with provisioning…

IIRC, provisioning through a dynamic address without using UCP is between problematic and impossible.

I’ll try someting: use a DDNS name configured with the same public IP as the phone and add it to trusted (or local, not sure)
I’ve read a few posts about this.

1 Like

Firewall basics:

  • When your interface is set to Internet, firewall is deny by default, nothing gets in except traffic from trusted hosts
  • Notwithstanding above, if responsive is enabled, a small number of SIP registrations will be permitted from non trusted hosts. Only SIP packets are allowed, other services such as provisioning are blocked.
  • if a phone successfully registers through the responsive firewall, only then are other services such as provisioning allowed for that host
  • if a phone continues to attempt SIP registrations and never registers, it will first be throttled and ultimately banned by firewall

tl;dr, phones must be provisioned at least once from a trusted host.

This is what I thought but it seems like it doesn’t work for me… My phone is registered (manually configured), I configure the provisioning address and reboot: the phone is still not provisioned. If I add the address in trusted, it works.

Ok, everything works fine when I add a DDNS name to the local zone, so this is what I’ll use for the sites that have dynamic IP adresses.

I do have one more question: I enabled HTTP auhentication for both HTTP and HTTPS, but it seems like the phones don’t need it. With a Mitel/Aastra phone, all I have to type for the phone to be able to provision itself is the address of the clouded FreePBX and port 83. It works without entering the username/password for HTTP Authentication (I think that they don’t support it anyway…). Am I missing something ? Does the fact that the public IP address of where the phones are located being in the Local zone has anything to do with it ?

Bingo !
I got the provisioning to work without having to add any IP to the Local zone. I was doing my tests with one phone. I noticed that a firewall rule was created everytime the phone registered and I was deleted when the phone was rebooted. When I reboot the phone so it can be provisioned, the rule gets deleted, the provisioning is then blocked. Once the provisioning request times out, the phone boots and registers itself, so the rule is created again.

I added a second phone in my tests and it worked perfectly. I just had to keep one phone registered while the other phone was rebooting for provisioning.

That makes sense, when the phone is booting, it is not registered, and is therefore no longer white listed by the firewall. Thinking there should be a nice long lag after a phone unregisters before it is blocked by the firewall for just this situation. Feel free to file a feature request.