Troubleshooting firewall module


(Sam Shomi) #1

Is there any way for me to troubleshoot firewall module files such as /var/www/html//modules/firewall/drivers/Iptables.class.php and other related files?

I am trying to troubleshoot a problem with the firewall not populating iptables properly. So I am trying to modify Iptables.class.php to try to see what is going on. The problem is that the firewall refuses to work if I make any modifications. It won’t reload the rules into iptables. Even if I just add a line space to that file that does nothing.

I have signature checking disabled in advanced settings but it appears that there is still signature checking that does not allow firewall to run if anything is changed. As soon as I remove the modification, even if it’s just a line space, the firewall starts working again.


(Yois) #2

Comment out line 55 in validator.php and rebuild the phar

Then run voipfirewalld from the shell


(Sam Shomi) #3

I will try that. Thank you.


(Sam Shomi) #6

By doing this I found the bug and have a fix. Now how can I allow my changed file to work through Fpbx, at least until Sangoma gets around to fixing it? That validator workaround only allows me to run voipfirewalld phar directly from the cli, it still won’t work through Fpbx.


(Yois) #7

Not (easily) possible.
Submit a pull request and post the link here. Community members can review and approve, and the merge process is fairly quick.


(Sam Shomi) #8

If this project was interested in 3rd party contributions they would have some way for 3rd party developers to properly test the code. There are lots of open source projects that don’t need to make it nearly impossible to alter the code in order to be secure from hackers.


#9

You can alter the code at your whim, and if you disable signature checking then you can use it, which would then cause something to say ‘bad boy, that is insecure’ but in truth that is only that entity’s opinion, and it would then be up to your skills to know that is ‘not going to happen’ and remain secure.

(Having any later commits based on your work might take a little longer . . . . ;-))


#10

Not necessarily for the firewall module. Extra checks in the module, and hooks add another wrinkle.

It’s a pain.


#11

Oh well, I will stick with my firewall based on CSF and F2B current, which has been working fine since before the FreePBX IDS was introduced.

With hope I spent some time with FPX 16 but all that ioncube blah blah blah still leaves anyone not using a patched (and repatched) and old version of RH using unsupported versions of PHP and nodejs and F2B and needing a no longer supported incrond leaves my “bemused …”