On our FPX 188.8.131.52 installation the responsive firewall is not working.
We have only enabled CHAN_SIP Protocol on UDP Port 5060 in asterisk and in the firewall the interface (only one, eth0) is set to ‘internal’ ,
I can see hundreds of registration attempts in the asterisk logs, even adding the remote IP to the blacklist in the firewall won’t block it.
Can anyone help me out ?
If external traffic is arriving at an interface, it should be external. It would have warned you when you picked ‘internal’ that it was probably wrong.
So, should I select both internal and external on the eth0? (because it is accepting both internal as external traffic?
I didn’t get the warning though, just ran the wizard again…
No. When setting the zone for an interface, you are setting the default classification for inbound traffic. By default you want Internet traffic to be External.
I understand…but in this setup the interface is on the LAN, and a NAT router is responsible for the inbound traffic from the internet to arrive at the pbx.
Therefor the pbx interface (eth0) is responsible for both the lan/local/internal traffic, as well as for the internet/external traffic.
eth0 is your interface with the outside world and must be set to external. Not sure why the other options even exist. Internal traffic is always trusted so by setting eth0 to internal you are pretty much disabling the firewall imho.
There is nothing unusual about this configuration. As the Hulk said, the interface needs to be set to External, so that BY DEFAULT traffic arriving on this interface is classified as External. You then configure Zones, Networks with all your trusted hosts/subnets so the traffic that is not external gets re-classified properly.
For systems with multiple interfaces, which are quite common. Not every interface is exposed to untrusted traffic, so the user must make that determination.
@lgaetz just to be clear. In a 2 nic situation where one is exposed directly to the internet (no nat) and one is connected to the LAN should both be set to “external” then simply put your LAN network as a trusted network (for example 192.168.0.0/24)? Or should WAN be set to external and the LAN port should be set to Internal??
Simple rule: Any interface with untrusted (or a mix including untrusted) inbound traffic is set to external. Period. NAT is irrelevant. IP is irrelevant.
thanks for that! you saved the day.