What IP networks does deb.freepbx.org live on?

Since I will have to scrap my ISO install and rebuild from scratch on vanilla Debian 12, I will have to drill holes in its firewall for Debian and freePBX repos. But when I dig for deb.freepbx.org I keep getting tons of ever-changing IPs.

Are you able to provide networks that have to be allowed?

# apt-get update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://security.debian.org/debian-security bookworm-security InRelease  
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease                 
Hit:4 http://ftp.debian.org/debian stable InRelease                           
0% [Connecting to deb.freepbx.org (52.217.122.113)]^C   
root@www:~/freePBX# dig deb.freepbx.org

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> deb.freepbx.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28624
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;deb.freepbx.org.		IN	A

;; ANSWER SECTION:
deb.freepbx.org.	64	IN	CNAME	deb.freepbx.org.s3.amazonaws.com.
deb.freepbx.org.s3.amazonaws.com. 35070	IN CNAME s3-1-w.amazonaws.com.
s3-1-w.amazonaws.com.	57	IN	CNAME	s3-w.us-east-1.amazonaws.com.
s3-w.us-east-1.amazonaws.com. 5	IN	A	54.231.160.161
s3-w.us-east-1.amazonaws.com. 5	IN	A	3.5.25.89
s3-w.us-east-1.amazonaws.com. 5	IN	A	3.5.12.196
s3-w.us-east-1.amazonaws.com. 5	IN	A	3.5.29.171
s3-w.us-east-1.amazonaws.com. 5	IN	A	54.231.231.105
s3-w.us-east-1.amazonaws.com. 5	IN	A	52.217.196.25
s3-w.us-east-1.amazonaws.com. 5	IN	A	3.5.2.81
s3-w.us-east-1.amazonaws.com. 5	IN	A	52.216.42.25

The addresses keep changing in a matter of a few seconds, so opening the firewall to addresses is not feasible. Never did I get the same address between apt-get and dig, having tried half a dozen times.

Can you not just use the FQDN in your firewall? WatchGuard / pfSense usually allows for this. I know UniFi makes you use the IP address, which is annoying.

Show me a way to do that.

Different firewalls. I am referring to the local, whereas you are referring to the edge.

I think you would need to ask Amazon that, as I doubt that they give Sangoma any guarantees.

I think you may be asking for a level of security that is not compatible with modern cloud based offerings.

As well as Amazon’s choice of address of the day, the certificate is a wildcard:

Common Name
*.s3.amazonaws.com

And you need to configure the resolution of the first CNAME, as the name in the request, for it to work to any extent, and even then all you know is you are talking to an Amazon AWS server which is hosting for an unknown, and probably varying, set of their customers.

(It looks like community.freepbx.org is actually Cloudflare’s choice of three addresses, although it does look like it has its own certificate, although I suspect the secret key is on a shared Cloudflare machine.)
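An added example, not part of any post in this thread: AWS publishes its address ranges as JSON at https://ip-ranges.amazonaws.com/ip-ranges.json, so a local firewall can allow the S3 prefixes for us-east-1 instead of chasing individual A records. The sketch below filters a document of that layout, collapses overlapping prefixes, checks the addresses seen in the dig and apt-get output above, and renders an nftables set; the embedded excerpt is constructed sample data and the set name `s3_us_east_1` is an assumption.

```python
import ipaddress
import json

# Constructed excerpt in the layout of AWS's ip-ranges.json ("prefixes" list
# with ip_prefix / region / service). Sample values, not a current copy.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "52.216.0.0/16", "region": "us-east-1", "service": "S3"},
  {"ip_prefix": "52.217.0.0/16", "region": "us-east-1", "service": "S3"},
  {"ip_prefix": "54.231.0.0/16", "region": "us-east-1", "service": "S3"},
  {"ip_prefix": "3.5.0.0/19",    "region": "us-east-1", "service": "S3"},
  {"ip_prefix": "3.5.16.0/21",   "region": "us-east-1", "service": "S3"},
  {"ip_prefix": "52.95.128.0/21","region": "eu-west-1", "service": "S3"},
  {"ip_prefix": "18.208.0.0/13", "region": "us-east-1", "service": "EC2"}
]}
""")

# Addresses copied from the apt-get and dig output earlier in the thread.
SEEN = ["52.217.122.113", "54.231.160.161", "3.5.25.89", "3.5.12.196",
        "3.5.29.171", "54.231.231.105", "52.217.196.25", "3.5.2.81",
        "52.216.42.25"]


def s3_prefixes(doc, region="us-east-1"):
    """Return the collapsed, sorted IPv4 S3 networks for one region."""
    nets = (ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
            if p["service"] == "S3" and p["region"] == region)
    return list(ipaddress.collapse_addresses(nets))


def uncovered(addresses, nets):
    """Addresses that no allowed network contains (stale list indicator)."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def nft_set(name, nets):
    """Render an nftables interval set holding the allowed networks."""
    elements = ", ".join(str(n) for n in nets)
    return (f"set {name} {{\n    type ipv4_addr\n    flags interval\n"
            f"    elements = {{ {elements} }}\n}}")


if __name__ == "__main__":
    nets = s3_prefixes(SAMPLE_IP_RANGES)
    print(nft_set("s3_us_east_1", nets))
    print("not covered:", uncovered(SEEN, nets))
```

A set built this way admits every S3 bucket in the region, not only the one behind deb.freepbx.org, which is the same limitation noted above for the wildcard certificate.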

Basically, this draws a huge, red cross over the freePBX pilot that I was running with. :frowning:
