Responsive Firewall Option

I am looking at enabling the chan_sip feature in the responsive firewall. How unsafe is this? I saw some previous messages complaining that the “very limited attempts” wasn’t so limited? Is there a separate fail2ban setting or does this use the existing fail2ban settings? If the phones are configured correctly they shouldn’t ever fail to login/register? If I enable this feature am I opening my system up to hacking? I have many users who are on a DHCP ISP service so I don’t want to have to keep adding their networks to my whitelist, nor do I want to have to find out what the customer’s IP is when I send out a phone?

You can use a dyn address

-------> You can use DYNAMIC Address

I send phones out to people/organizations I have no control over or access to their networks. I can add anything to their network (like a dynamic IP app). I also saw something about a phone VPN? How? Where? Does it work with all phones? The real question though: how bad is enabling chan_sip in responsive firewall, and have the bugs been fixed in 14?

I never tried it, but I heard that Sangoma Phones are working very well over VPN.

Responsive firewall works fine, are you aware of any issues?

Obviously the most secure would be using VPN or DYN addresses if your clients don’t have static IPs.

Which bugs?

I read in the forum that the responsive firewall was allowing more than “a very limited number of login attempts” for chan_sip on the responsive firewall.

That’s not a bug. That’s how it’s supposed to work. The very limited number is in the low single digits, and it’s designed to keep script kiddies (and morons that you work with) from accessing the system.

No, I understand it should be limited, but the reports were that it wasn’t limiting the attempts? I was under the impression that it would lock out after a few attempts, but what they were reporting was that it didn’t appear to lock them out at all? Are there settings in FreePBX specific to the responsive firewall and chan_sip or does it use the generic settings for fail2ban?

IIRC, the problem was that people were putting their external interfaces in one of the ‘unprotected’ zones. There were a couple of ‘one off’ and text interpretation problems very early on, but all of the ones that we talked about here have been fixed. @xrobau was the point guy on this, as I recall. Perhaps he’d like to chime in here.

OK, great, so my eth0 is set to Internet (default firewall) and I will enable “chan_sip” on the responsive firewall. I don’t have control over the hardware firewall (hosted PBX) and assume everything is open. Should I be able to sleep at night?

I do the same and sleep fine.

