User Tools
voice:pbx:freepbx:freepbx_firewall
Table of Contents
FreePBX Security
Background: https://www.freepbx.org/a-secure-freepbx-is-a-happy-freepbx/
Pro Tips Video: https://www.youtube.com/watch?v=CD_k5PrY7Xc
Setup Guide: https://www.freepbxhosting.com/comprehensive-freepbx-firewall-setup-guide/
Safe Mode
Safe Mode is enabled if you reboot the PBX twice in five minutes time.
The firewall rules activation will be delayed by five minutes to allow an admin to fix the access problem.
Firewall
Basic Firewall Configuration - Watch First: https://youtu.be/CD_k5PrY7Xc
Run the Firewall Wizard:
FreePBX → Connectivity → Firewall → Settings (tab) → Re-Run Wizard
- Whitelist Host? → Yes
- Whitelist Network? → No
- Enable Responsive Firewall? → Yes
- Automatically configure Asterisk IP Settings? → Yes
FreePBX → Connectivity → Firewall → Networks (tab)
This tab overrides the default permission for an interface.
- Trusted → Only add trusted admin IP, network or FQDN
- Local → Add IP, network or FQDN for normal voice traffic (where phones are)
FreePBX → Connectivity → Firewall → Interfaces (tab)
This tab sets the Default Traffic Zones.
- You must set at least one interface as Internet
- Single-interface systems will be set as Internet (
eth0) Trustedmeans no filtering at all
FreePBX → Connectivity → Firewall → Responsive Firewall (tab)
- Enable for any protocol in use
- This will open ports for limited access
- Too many failures will result in that IP being blocked
FreePBX → Connectivity → Firewall → Intrusion Detection (tab)
- Shows blocked IPs
- You can whitelist IPs or networks
Older Suggested Firewall Example
-A INPUT -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable -A INPUT -p tcp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A INPUT -m set --match-set voip_bl src -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT -A INPUT -p udp -m udp --dport 2727 -j ACCEPT -A INPUT -p udp -m udp --dport 4569 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 5060:5061 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5060:5061 -j ACCEPT -A INPUT -s known_external_proxy -p udp -m udp --dport 5060:5061 -j ACCEPT -A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP -A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable -A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --mask 255.255.255.255 --rsource -A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --mask 255.255.255.255 --rsource -j DROP -A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --mask 255.255.255.255 --rsource -A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --mask 255.255.255.255 --rsource -j DROP -A INPUT -p tcp -m tcp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT -A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p icmp -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 137 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 138 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 139 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 445 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 10000 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 123 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 123 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5038 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 58080 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 55050 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 514 -j ACCEPT -A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 514 -j ACCEPT -A INPUT -j DROP -A OUTPUT -j ACCEPT
voice/pbx/freepbx/freepbx_firewall.txt · Last modified: 2024/02/06 09:27 by gcooper
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
