====== FreePBX Security ======

**Background**: https://www.freepbx.org/a-secure-freepbx-is-a-happy-freepbx/

**Pro Tips Video**: https://www.youtube.com/watch?v=CD_k5PrY7Xc

**Setup Guide**: https://www.freepbxhosting.com/comprehensive-freepbx-firewall-setup-guide/

===== Safe Mode =====

Safe Mode is triggered if you **reboot the PBX twice within five minutes**. Activation of the **firewall rules is then delayed by five minutes**, which gives an admin who has locked themselves out a window to fix the access problem before the rules are applied again.

===== Firewall =====

**Basic Firewall Configuration - Watch First**: https://youtu.be/CD_k5PrY7Xc

Run the **Firewall Wizard**: **FreePBX -> Connectivity -> Firewall -> Settings (tab) -> Re-Run Wizard**

  * Whitelist Host? -> **Yes** (adds the address you are connecting from to the Trusted zone, so the wizard cannot lock you out)
  * Whitelist Network? -> **No** (do not trust the whole network you happen to be connecting from)
  * Enable Responsive Firewall? -> **Yes**
  * Automatically configure Asterisk IP Settings? -> **Yes**

**FreePBX -> Connectivity -> Firewall -> Networks (tab)**

:!: Entries on this tab override the default zone of the interface the traffic arrives on.

  * **Trusted** -> Only add the trusted **admin** IP, network or FQDN. Trusted traffic is not filtered at all, so keep this list as short as possible.
  * **Local** -> Add the IP, network or FQDN for **normal voice traffic** (where the phones are).

**FreePBX -> Connectivity -> Firewall -> Interfaces (tab)**

:!: This tab sets the **Default Traffic Zones** per interface.

  * You must set at least one interface as **Internet**.
  * A single-interface system gets its only interface (''eth0'') set to **Internet**.
  * ''Trusted'' means **no filtering** at all; never use it as the default zone of an interface that faces the Internet.

**FreePBX -> Connectivity -> Firewall -> Responsive Firewall (tab)**

  * Enable it for every signalling protocol in use (PJSIP, chan_sip, IAX).
  * The signalling ports for those protocols are then opened to unknown sources, but only with limited, rate-limited access until an endpoint registers successfully.
  * Too many authentication failures from one address result in that IP being blocked.

**FreePBX -> Connectivity -> Firewall -> Intrusion Detection (tab)**

  * Shows the IPs currently blocked (this is fail2ban under the hood).
  * You can whitelist IPs or networks so they are never banned; use this for your admin network and trunk providers, not for ranges you do not control.

===== Older Suggested Firewall Example =====

These rules predate the FreePBX firewall module and are kept for reference. They are written in ''iptables-save'' syntax (''INPUT'' and ''OUTPUT'' rules of the ''filter'' table); ''xxx.xxx.xxx.xxx/24'' stands for the site's trusted network and ''known_external_proxy'' for the SIP trunk provider. The ''fail2ban-ASTERISK'' and ''voip_bl'' ipsets and the ''fail2ban-ssh'' chain must exist before the rules are loaded (fail2ban creates its own; ''voip_bl'' is a locally maintained blocklist).

<code>
# Sources already banned by fail2ban: reject SIP signalling outright
-A INPUT -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
# SSH goes through the fail2ban chain; locally blocklisted sources are dropped
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m set --match-set voip_bl src -j DROP
# Loopback, RTP media (10000:20000), MGCP (2727) and IAX2 (4569) from anywhere
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# SIP signalling from the trusted network and from the trunk provider
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5060:5061 -j ACCEPT
-A INPUT -s known_external_proxy -p udp -m udp --dport 5060:5061 -j ACCEPT
# Well-known scanner User-Agents are dropped/rejected by payload string match
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable
# Per-source flood control: the --set rules have no target and only record the source;
# the --update rules drop from the 12th REGISTER (or INVITE) within 60 s onwards
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --mask 255.255.255.255 --rsource
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --mask 255.255.255.255 --rsource
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --mask 255.255.255.255 --rsource -j DROP
# SIP from any other source is accepted, but rate-limited to 6 packets/s (burst 5) per source IP and port
-A INPUT -p tcp -m tcp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
# Management and file-sharing services, trusted network only
# (ICMP, SMB 137-139/445, TCP 10000, SSH, NTP, AMI 5038, and two site-specific services on 58080 and 55050)
-A INPUT -s xxx.xxx.xxx.xxx/24 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 58080 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 55050 -j ACCEPT
# Web GUI from anywhere (see the note below)
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Return traffic for connections the PBX initiated or has already accepted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Syslog from the trusted network
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 514 -j ACCEPT
# Everything else inbound is dropped; all outbound traffic is allowed
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
</code>

:!: Two things to check before reusing any of this:

  * The rules for ports **80 and 443 accept from any source**, which exposes the FreePBX web GUI and its login form to the whole Internet. Restrict them to the admin network exactly like the SSH and AMI (5038) rules, or reach the GUI only over a VPN. This is what the **Trusted** zone of the current firewall module is for.
  * The ''RELATED,ESTABLISHED'' accept sits near the bottom, so every packet of an already established flow is first run through the string and rate-limit matches above it. Modern rulesets place that rule (as ''-m conntrack --ctstate RELATED,ESTABLISHED'') near the top, right after the blocklist checks; note that moving it also exempts established UDP flows from the REGISTER/INVITE counters.
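The quickest way to see what an old ruleset like the one above actually exposes is to ask it: which ''ACCEPT'' rules have a destination port but no ''-s'' source restriction? The script below is an added example, not part of this page's original rules or of FreePBX; it embeds the relevant lines of the ruleset above as sample input, lists the ports open to any source, flags the admin ports among them, and prints the restricted form of the offending rules. The admin network ''192.0.2.0/24'' (or the one passed as the second argument) is a placeholder you replace with your own.

```shell
#!/bin/sh
# Added example (not FreePBX code): audit an iptables INPUT ruleset for ports
# accepted from *any* source, then flag the ones carrying admin services.
# The sample rules are copied from the "Older Suggested Firewall Example"
# above, trimmed to the lines that matter for this check.

RULESET=$(cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5060:5061 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
EOF
)

# Print "proto/port" for every INPUT ACCEPT rule that names a destination
# port but has no -s source restriction. Rate limiting (hashlimit) is not a
# restriction: the port is still reachable from the whole Internet.
world_open_ports() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / && / -j ACCEPT$/ && !/ -s / {
      proto = "any"; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport" || $i == "--dports") port = $(i + 1)
      }
      if (port != "") print proto "/" port
    }' | LC_ALL=C sort -u
}

# Of those, the ports that should only ever be reachable from the admin
# network: SSH, the FreePBX web GUI and the Asterisk Manager Interface.
exposed_admin_ports() {
  world_open_ports "$1" | grep -E '^tcp/(22|80|443|5038)$' || true
}

# Rewrite the unrestricted admin-port rules with the admin network as source.
# 192.0.2.0/24 is a placeholder (assumed, documentation range); pass your own.
restrict_admin_rules() {
  admin_net=${2:-192.0.2.0/24}
  printf '%s\n' "$1" \
    | grep -E -e '^-A INPUT -p tcp .*--dport (22|80|443|5038) -j ACCEPT$' \
    | sed "s|^-A INPUT -p|-A INPUT -s $admin_net -p|"
}

echo "Ports open to any source:"
world_open_ports "$RULESET"
echo
echo "Admin ports exposed to the Internet:"
exposed_admin_ports "$RULESET"
echo
echo "Restricted replacements for those rules:"
restrict_admin_rules "$RULESET"
```

Run against the full ruleset, the audit reports the web GUI (''tcp/80'', ''tcp/443'') as the only admin service reachable from anywhere; the SIP and RTP ports it also lists are expected to be open, which is exactly why the rate limits and the Responsive Firewall exist.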
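Both the Responsive Firewall ("too many failures and the IP is blocked") and the ''voip_bl'' set in the older ruleset rest on the same decision: count failed registrations per source and act once a threshold is reached. The script below is an added example, not FreePBX or fail2ban code, that makes that decision by hand over Asterisk log lines so you can see what the automation is reacting to. The log lines are constructed for the example; their layout follows the ''NOTICE'' messages chan_sip and res_pjsip write for failed registrations, and the threshold of 3 is arbitrary.

```shell
#!/bin/sh
# Added example (not FreePBX or fail2ban code): count failed SIP REGISTER
# attempts per source IP from Asterisk log lines and turn the sources over a
# threshold into blocklist commands for the voip_bl ipset used above.
# The log lines below are constructed for this example.

SAMPLE_LOG=$(cat <<'EOF'
[2024-03-01 10:00:01] NOTICE[2233] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.10>' failed for '203.0.113.5:5071' - Wrong password
[2024-03-01 10:00:02] NOTICE[2233] chan_sip.c: Registration from '"admin" <sip:admin@198.51.100.10>' failed for '203.0.113.5:5071' - No matching peer found
[2024-03-01 10:00:03] NOTICE[2240] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2001" <sip:2001@198.51.100.10>' failed for '198.51.100.77:5060' (callid: 7f3a) - Failed to authenticate
[2024-03-01 10:00:04] NOTICE[2240] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1002" <sip:1002@198.51.100.10>' failed for '203.0.113.5:5072' (callid: 7f3b) - No matching endpoint found
[2024-03-01 10:00:05] NOTICE[2233] chan_sip.c: Registration from '"1003" <sip:1003@198.51.100.10>' failed for '192.0.2.20:5060' - Wrong password
[2024-03-01 10:00:06] NOTICE[2240] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2001" <sip:2001@198.51.100.10>' failed for '198.51.100.77:5060' (callid: 7f3c) - Failed to authenticate
[2024-03-01 10:00:07] NOTICE[2233] chan_sip.c: Registration from '"1004" <sip:1004@198.51.100.10>' failed for '203.0.113.5:5073' - Wrong password
[2024-03-01 10:00:08] NOTICE[2233] chan_sip.c: Registration from '"2001" <sip:2001@198.51.100.10>' failed for '198.51.100.77:5060' - Wrong password
[2024-03-01 10:00:09] NOTICE[2233] chan_sip.c: Call from '' (203.0.113.5:5071) to extension '900' rejected because extension not found in context 'from-sip-external'.
[2024-03-01 10:00:10] VERBOSE[2233] chan_sip.c: Registered SIP '1001' at 10.0.0.50:5060
EOF
)

# Print "count ip" for every source in the log text $1 with at least $2
# failed REGISTER attempts, busiest source first. Only registration failures
# count; rejected calls and successful registrations are ignored.
failed_auth_sources() {
  printf '%s\n' "$1" | awk -v threshold="$2" -v q="'" '
    /Registration from .* failed for/ || /Request .REGISTER. from .* failed for/ {
      # the offending address is the single-quoted token after "failed for"
      if (match($0, "failed for " q "[^" q "]*" q)) {
        addr = substr($0, RSTART + 12, RLENGTH - 13)   # strip prefix and both quotes
        sub(/:[0-9]+$/, "", addr)                      # drop the source port
        fails[addr]++
      }
    }
    END { for (a in fails) if (fails[a] >= threshold) print fails[a], a }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Emit the ipset commands that would add those sources to the voip_bl set
# the older ruleset above drops. This only prints them; review, then run.
blocklist_commands() {
  failed_auth_sources "$1" "$2" | awk '{ print "ipset add voip_bl " $2 }'
}

echo "Sources with 3 or more failed registrations:"
failed_auth_sources "$SAMPLE_LOG" 3
echo
echo "Blocklist commands (review before running):"
blocklist_commands "$SAMPLE_LOG" 3
```

fail2ban's asterisk jail and the Responsive Firewall apply the same count inside a sliding time window and expire the ban later; this example deliberately leaves the window out so the counting itself is visible. Feed it ''/var/log/asterisk/full'' instead of the sample and raise the threshold before trusting its output.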