====== FreePBX Security ======
**Background**: https://www.freepbx.org/a-secure-freepbx-is-a-happy-freepbx/
**Pro Tips Video**: https://www.youtube.com/watch?v=CD_k5PrY7Xc
**Setup Guide**: https://www.freepbxhosting.com/comprehensive-freepbx-firewall-setup-guide/
===== Safe Mode =====
Safe Mode is enabled if you **reboot the PBX twice within five minutes**.
The **firewall rules activation will be delayed by five minutes** to allow an admin to fix the access problem.
===== Firewall =====
**Basic Firewall Configuration - Watch First**: https://youtu.be/CD_k5PrY7Xc
Run the **Firewall Wizard**:
**FreePBX -> Connectivity -> Firewall -> Settings (tab) -> Re-Run Wizard**
* Whitelist Host? -> **Yes**
* Whitelist Network? -> **No**
* Enable Responsive Firewall? -> **Yes**
* Automatically configure Asterisk IP Settings? -> **Yes**
**FreePBX -> Connectivity -> Firewall -> Networks (tab)**
:!: This tab overrides the default permission for an interface.
* **Trusted** -> Only add trusted **admin** IP, network or FQDN
* **Local** -> Add IP, network or FQDN for **normal voice traffic** (where phones are)
**FreePBX -> Connectivity -> Firewall -> Interfaces (tab)**
:!: This tab sets the **Default Traffic Zones**.
* You must set at least one interface as **Internet**
* Single-interface systems will be set as **Internet** (''eth0'')
* ''Trusted'' means **no filtering** at all
**FreePBX -> Connectivity -> Firewall -> Responsive Firewall (tab)**
* Enable for any protocol in use
* This will open ports for limited access
* Too many failures will result in that IP being blocked
**FreePBX -> Connectivity -> Firewall -> Intrusion Detection (tab)**
* Shows blocked IPs
* You can whitelist IPs or networks
===== Older Suggested Firewall Example =====
<code>
-A INPUT -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m set --match-set voip_bl src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5060:5061 -j ACCEPT
-A INPUT -s known_external_proxy -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --mask 255.255.255.255 --rsource
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --mask 255.255.255.255 --rsource
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 58080 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 55050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
</code>
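As an added example (not from this page or the FreePBX project), a small Python audit that parses iptables-save style INPUT rules like the ones above and lists which ports are accepted from any source, so you can check that only the ports you meant to expose (RTP, SIP under rate limiting) are reachable from everywhere. The sample ruleset is a constructed subset of the example above with the placeholder network 203.0.113.0/24 standing in for xxx.xxx.xxx.xxx/24.

```python
import shlex

# Constructed sample: a subset of the ruleset above in iptables-save form.
# 203.0.113.0/24 is a placeholder for the trusted admin/phone network.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
"""

def parse_rule(line):
    """Extract the fields we audit from one `-A CHAIN ...` line."""
    toks = shlex.split(line)  # shlex keeps quoted --string values intact
    rule = {"chain": None, "proto": None, "src": None, "iface": None,
            "dports": [], "target": None, "ratelimited": False}
    flags = {"-A": "chain", "-p": "proto", "-s": "src", "-i": "iface", "-j": "target"}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in flags:
            rule[flags[t]] = toks[i + 1]; i += 2
        elif t in ("--dport", "--dports"):
            rule["dports"] = toks[i + 1].split(","); i += 2
        elif t == "-m" and toks[i + 1] == "hashlimit":
            rule["ratelimited"] = True; i += 2
        else:
            i += 1
    return rule

def world_open_ports(ruleset):
    """Return (proto, port_spec, ratelimited) for every INPUT ACCEPT rule
    that restricts neither the source address nor the input interface."""
    exposed = []
    for line in ruleset.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        r = parse_rule(line)
        if r["target"] != "ACCEPT" or r["src"] or r["iface"] or not r["dports"]:
            continue
        exposed.extend((r["proto"], p, r["ratelimited"]) for p in r["dports"])
    return exposed

if __name__ == "__main__":
    for proto, port, limited in world_open_ports(SAMPLE_RULES):
        print(f"{proto}/{port} open to any source" + (" (rate limited)" if limited else ""))
```

Run it against `iptables-save` output from a live PBX; any unexpected entry (the web UI on 80/443 is the usual surprise) should get a `-s` restriction or be moved behind the Trusted zone.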