SOLVED: Responsive firewall is not detecting registration attempts

Hi,

On our FPX 13.0.190.7 installation the responsive firewall is not working.
We have only enabled the CHAN_SIP protocol on UDP port 5060 in Asterisk, and in the firewall the interface (only one, eth0) is set to ‘internal’.

I can see hundreds of registration attempts in the asterisk logs, even adding the remote IP to the blacklist in the firewall won’t block it.

Can anyone help me out ?

Cheers.

If external traffic is arriving at an interface, it should be external. It would have warned you when you picked ‘internal’ that it was probably wrong.

Hi Rob,

So, should I select both internal and external on eth0 (because it is accepting both internal and external traffic)?
I didn’t get the warning though, just ran the wizard again…

cheers

No. When setting the zone for an interface, you are setting the default classification for inbound traffic. By default you want Internet traffic to be External.

Hi Lorne,

I understand…but in this setup the interface is on the LAN, and a NAT router is responsible for the inbound traffic from the internet to arrive at the pbx.
Therefore the pbx interface (eth0) is responsible for both the lan/local/internal traffic, as well as for the internet/external traffic.

eth0 is your interface with the outside world and must be set to external. Not sure why the other options even exist. Internal traffic is always trusted so by setting eth0 to internal you are pretty much disabling the firewall imho.

There is nothing unusual about this configuration. As the Hulk said, the interface needs to be set to External, so that BY DEFAULT traffic arriving on this interface is classified as External. You then configure Zones, Networks with all your trusted hosts/subnets so the traffic that is not external gets re-classified properly.

For systems with multiple interfaces, which are quite common, not every interface is exposed to untrusted traffic, so the user must make that determination.

@lgaetz just to be clear. In a 2 NIC situation where one is exposed directly to the internet (no NAT) and one is connected to the LAN, should both be set to “external” and then simply put your LAN network as a trusted network (for example 192.168.0.0/24)? Or should WAN be set to external and the LAN port be set to Internal?

Simple rule: Any interface with untrusted (or a mix including untrusted) inbound traffic is set to external. Period. NAT is irrelevant. IP is irrelevant.
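To make the rule concrete, here is a small added model (not FreePBX's own code) of how zone classification decides what the responsive firewall ever gets to see: trusted networks are checked first, otherwise the interface's default zone applies. The sample REGISTER sources, the interface names and the assumption that the responsive firewall only evaluates traffic classified as External are all constructed for this illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of inbound SIP REGISTER sources as they would arrive on the
# PBX's single interface (eth0) behind a NAT router. Addresses are illustrative
# (RFC 5737 documentation ranges for the unknown hosts).
SAMPLE_REGISTER_SOURCES = [
    ("eth0", "192.168.0.25"),   # a LAN phone
    ("eth0", "192.168.0.26"),   # another LAN phone
    ("eth0", "203.0.113.9"),    # unknown host, repeated attempts
    ("eth0", "203.0.113.9"),
    ("eth0", "198.51.100.77"),  # another unknown host
]


def classify(interface_zones, trusted_networks, ingress_iface, src_ip):
    """Zone a packet is classified into: a match in a trusted network wins,
    otherwise the ingress interface's default zone applies. This mirrors the
    rule stated in the thread (interface zone = default classification)."""
    src = ipaddress.ip_address(src_ip)
    for net in trusted_networks:
        if src in ipaddress.ip_network(net, strict=False):
            return "trusted"
    # Assumption: an interface with no configured zone is treated as External.
    return interface_zones.get(ingress_iface, "external")


def responsive_firewall_sees(interface_zones, trusted_networks, sources):
    """Count registration attempts per source IP that the responsive firewall
    would evaluate. Assumption for this model: it only evaluates traffic
    classified as External; Internal and Trusted traffic bypasses it, which
    is why an Internal eth0 lets every attempt through unexamined."""
    seen = Counter()
    for iface, ip in sources:
        if classify(interface_zones, trusted_networks, iface, ip) == "external":
            seen[ip] += 1
    return dict(seen)


# Configuration from the original post: eth0 set to Internal, no trusted nets.
MISCONFIGURED = {"eth0": "internal"}
# Configuration from the fix: eth0 External, LAN listed as a trusted network.
CORRECTED = {"eth0": "external"}
LAN_TRUSTED = ["192.168.0.0/24"]

if __name__ == "__main__":
    print("eth0 Internal :", responsive_firewall_sees(MISCONFIGURED, [], SAMPLE_REGISTER_SOURCES))
    print("eth0 External :", responsive_firewall_sees(CORRECTED, LAN_TRUSTED, SAMPLE_REGISTER_SOURCES))
```

With eth0 set to Internal the second call's counter stays empty: every source, including the two unknown hosts, is classified Internal and never reaches the responsive firewall, which matches the symptom in the first post. With eth0 set to External and the LAN in a trusted network, the phones are still reclassified as Trusted while the unknown hosts' attempts are counted and can be acted on.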

Hi Lorne,

Thanks for that! You saved the day.
Problem solved.

Leon
