Thinking about opening up system to wider internet


(PbxNoob) #1

For a year now I’ve been running FreePBX on my LAN successfully without opening up the system to the wider internet. It’s been working well. There’s an IAX trunk that goes out over ZeroTier but because that’s private/local as well, there’s been no issues.

Now I’m wanting to use Groundwire on my iPhone and for that to work I need to open up my instance to the wider net.

Is there any way I can continue to enjoy the benefits and security of Fail2Ban and the peace from hacking attempts I’ve enjoyed up to now whilst allowing access to

a) The Groundwire servers; any of
167.99.119.244, 159.65.253.49, 167.99.119.203, 165.227.184.188, 167.99.48.91, 159.65.252.186, 159.65.186.176, 159.65.251.173

b) My iPhone’s 3G IP, currently 2XX.XX5.22X.X (obfuscated). Presumably this will occasionally change. Don’t know how often. But the range might stay fairly consistent.

c) My home WAN IP - so I can use the app at home

d) The work WAN IP - so I can use the app at work

Anyone know how best to go about this? Really like Fail2Ban…

Thanks


#2

If your system has been thus far closed to the Internet, I don’t think fail2ban has been of much value to you. It’s been your firewall blocking unwanted traffic. If you see evidence that fail2ban has been hard at work, then maybe you are already open to the Internet and don’t realize it?

My suggestion would be use TLS (pjsip), and forward only this traffic through your firewall. Use secure SIP passwords as always.

I happily use Groundwire over TLS with FreePBX.


(PbxNoob) #3

When I first started using FreePBX on this LAN there was a TINY chink in my firewall’s armour left over from an old CCTV NVR and Fail2Ban protected us then, so even though I closed that chink pretty quickly I can see how Fail2Ban WOULD have been proactive had we been open. I clumsily worded this and I can see why you’ve corrected me but I just mean Fail2Ban is good stuff.

I will look into TLS and PJSIP. Thank you.

is that just a case of only opening those ports and only forwarding that traffic through to the internal machine sat behind the router?


(PbxNoob) #4

Another query if I may?

At the moment my setup is quite simple and stuff, after many weeks of tweaking and playing, mostly just works. A few glitches with bugs but mostly really solid and reliable.
If I start adding TLS into the mix, really I just want that to apply to my iOS softphone - is it possible to selectively use TLS?? Cheers!


#5

Yes

Yes. You only have to use TLS where you want it.

I do have a word of caution: setting up TLS can be tricky. Since you are asking an external service to register to you (Groundwire’s push notification service) it will require a valid TLS certificate with a domain name pointing to your WAN IP (where the PBX resides).

For Groundwire push service to register to you, you will need that DNS name anyway. You will have to figure out how to get a certificate. Certificate Manager will get you one from Let’s Encrypt, but you need to permit port 80 through your firewall for that. A $7.88 special from Namecheap is easier to deal with. Once you buy it, you can import it into the Certificate Manager and not worry about it again for a year.


#6

Recent improvements have made that safe and hassle free.


(PbxNoob) #7

That sounds helpful. Really helpful.

I’ve been Googling for a tutorial / walkthrough on this but nothing but the 2016 article for SIP is coming up and of course that doesn’t take into accout the changes from a few days ago to the firewall module. I noticed in that blog post you linked to it says:

By default the LetsEncrypt Rules parameter is disabled, and should remain disabled for most configurations.

I found that really confusing. Does it mean most configurations NOT using TLS and LetsEncrypt, or most configurations which ARE?!


#8

My guess is most folks are NOT using TLS was almost certainly the assumption of whoever wrote the referenced quote.

As noted, the recent updates make the LetsEncrypt firewall rules automatic if you are using the distro,


(Lorne Gaetz) #9

The firewall module has a user parameter to open up world access to the LE validation folders. The note is intended to explain that generally there is no need to have this option permanently enabled, because it’s enabled and disabled automatically by Certificate Manager before and after cert validation.