Trusted network blocked by Firewall


#1

This morning, on one of our system, an IP address that was configurerd as a Trusted Network was added to the Blocked Attackers list. It’s the first time that this happens in like 2 years. Anyone else experimented this issue ?


(Sergio Lobera) #2

Hi @chrischevy
Is it whitelisted on the Intrusion detection whitelist ? System Admin > Intrusion Detection


#3

Yes it is, but it wasn’t blocked by Fail2Ban, it was really in the Firewall. The address is also defined as a Trusted Network in the Firewall.


#4

Hi,

The issue occured again, on a different FreePBX. An IP adress that is listed as a “Trusted Network” in the Firewall configuration and is Whitelisted in “Intrusion Detection” (Fail2Ban) got blocked by the Firewall (added to the Blocked Attackers list).

Before removing the block, I copied the /tmp/firewall.log file to my computer to check what happened, and here is what I see regarding the concerned IP address:

Firewall-Monitoring - x.x.x.x reported as good, adding to whitelist.
/sbin/iptables -w5 -W10000 -A fpbxnets -s x.x.x.x/32 -j zone-internal
/sbin/iptables -w5 -W10000 -A fpbxregistrations -s x.x.x.x/32 -j fpbxknownreg
/sbin/iptables -w5 -W10000 -D fpbxregistrations -s x.x.x.x/32 -j fpbxknownreg
/sbin/iptables -w5 -W10000 -A fpbxregistrations -s x.x.x.x/32 -j fpbxknownreg
/sbin/iptables -w5 -W10000 -A fpbxnets -s x.x.x.x/32 -j zone-internal
and so on…

Anyone can help with this ? I didn’t find anything and the Fail2ban logs and the IP address never got banned by Fail2Ban, only by the firewall


#5

Your ‘Firewall’ is in fact just iptables, it is incremental in nature, anything can add rules to it and in any order , the FreePBX ‘firewall’ will add rules, fail2ban will add rules, you can add your own rules if you want, but the end result is always just iptables.
iptables -L

will list then

iptables -S

will verbosely list them in order of precedence (print them all out in order of process) , thus the order of the rule can preempt what you thought was going to happen , so your ‘Trusted Network’ was presumably previously UN-trusted by an iptables rule.


#6

Thanks for the info.
Even if I now know how to list the rules (thanks to you :slight_smile: ), I would like to find a way to prevent this situation from happening again.

I just learned (litterally 2 minutes ago) that in both cases, both customers lost their Internet connectivity for a while, and when the Internet came back online, the phones we’re unable to register. Both FreePBX are clouded and both customers have fixed IPs that are whitelisted in Firewall and Fail2ban.

Could a sudden “rush” of registration requests cause iptables to block the IP (even if whitelisted) ?


(system) closed #7

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.