Responsive Firewall

I am unsure what this statement refers to.

“Note that if you have explicitly granted ‘External’ connections access to a protocol, this filtering and rate limiting will not be used. This is only used when an incoming connection would normally be blocked”

Have granted “external” connections where: in the settings below or in some settings elsewhere? Can it be made more clear?

If you read the entire blurb from the Responsive page, the first sentence clarifies:

When this [responsive firewall] is enabled, any incoming VoIP connection attempts that would be otherwise rejected are not blocked, and instead allowed a very limited amount of registration attempts.

The Firewall, Services menu item gives you discrete control over access to each individual service on the PBX. If you have the Chan_SIP protocol service set to deny untrusted access in Services, but Chan_SIP is enabled in Responsive, then untrusted users get limited access for registration. If, however, you have untrusted access to Chan_SIP enabled in Services, then your responsive settings are ignored, and untrusted users get full access to Chan_SIP as you would expect.

So, if I turn on Responsive Firewall for SIP and IAX, how would I set the Services settings?

Did you read the help that appears immediately below the responsive enabled protocol?

In my case:

IAX stands for Inter Asterisk eXchange. It is more bandwidth efficient than SIP, but few providers support it.
This protocol is being managed by the Responsive Firewall. There is no need to explicitly allow access from zones. Note that hosts in the Trusted Zone will always be allowed full access

But, it is vague unless you already know what to do. What does it imply that I should actually do in the way of settings, turn them all off, or leave the default (Internal) set or what?

Much of the help explains what to do by people who already understand but do not suggest the actual actions to be taken. This leaves those who aren’t completely familiar with how the app works to guess how to translate the statements into actions. Doesn’t work very well.

By the way, I haven’t been able to locate any up-to-date documentation for the Firewall. Am I missing it?

Since the firewall module is fairly new, any docs you find will be up to date. The wiki has lots of pages:

Browsing to the Firewall Services page(s), you have the option to enable or disable access from each zone for each protocol. External (untrusted user) access to the SIP protocol can be enabled for the External zone by making the External button dark blue, likewise disabled by making the button light blue. To specifically enable access to the Internal (trusted user) zone, you click the internal button making it dark blue. There is also the Other zone, which is provided for edge cases where you have a user classification that does not neatly fit into either trusted or untrusted. You probably don’t need to use it.

Referring specifically to the graphic above, the wording is clear to me, but like you say, perhaps I am blinded somewhat by already knowing how it works. The explanatory text immediately below tells you that this protocol is being managed by responsive, and therefore recommends that you don’t explicitly enable any zones, which is what the graphic shows: all buttons are light blue and disabled. There is the option for advanced users to enable zones if they wish.

I was happy to review the link you sent. I tried to arrive at the page via the wiki and still was not able to. If you click on the top item it takes you up one level, but I was not able to figure out how to click back down to the item. I have found it difficult to locate info in the wiki, so I am in the habit of googling what I am looking for. That is kind of hit and miss.

By the way, I was not implying above that I didn’t know how to push the buttons, just needed to understand the strategies and interactions necessary to set them correctly. For example, your statement “recommends that you don’t explicitly enable any zones” is clearer than the actual help message. “As you have chosen to use Responsive Firewall for IAX2, it is recommended that you deselect all the zones above for service” is even better. It is known in psychological circles as a “behavioral directive”: do this.