Elastix Firewall Configuration 5 Months, 2 Weeks ago
Karma: 0
I have now successfully installed and configured the current stable version of Elastix... Real nice.
I would like to understand some things about the Security/Firewall module rules.
First, the rules that already come in the Elastix installation: should I leave them like they are and then add others?
It seems like 0.0.0.0/24 being rejected blocks even the GUI access, so I would like to know if anyone has sample config screenshots from top to bottom that you can share, or instructions on what to do?
Is there any kind of instructions on configuring this module, because Elastix Without Tears does not address it?
Does the firewall directly write to the iptables files?
(Note: in error, I had set the very first rule in the firewall to reject all, and after that I could only get into the PBX through the console. I copied some instructions on how to allow/accept the local network 192.168.1.0/24 and now it works again; however, I want to make sure that the firewall settings will now overwrite what I put in before.)
Is there a fail2ban module for Elastix with a GUI and instructions for it?
Thanks in advance.
Geego
Fresh Boarder
Posts: 12
Re: Elastix Firewall Configuration 5 Months, 2 Weeks ago
Karma: 181
Geego,
The rules that are there should be left in the initial instance, as they are set for all the applications used by Elastix; however, they should be tightened up.
For example, the SIP port is open to any address. You might want to tighten that down to the address (e.g. local address) of your phones (e.g. 192.168.1.0).
Also, if you have a SIP provider coming from an external address, you need to add another SIP rule (and RTP rule) for that provider's address. You would add this rule underneath the other SIP rule.
It is worth reading a basic IPTables guide if you have not worked much with IPTables. The same concepts apply to the Elastix Firewall GUI, e.g. it looks through all the rules until it finds a match and processes no further. You will notice the deny rule at the end for all ports and 0.0.0.0. What this means is that if it finds no match in the higher rules, then it will definitely match on this rule, and deny the traffic.
The Elastix GUI Firewall writes to an Elastix database. When Elastix starts up (as opposed to Linux starting up), it reads these rules and starts IPTables. It reads from this database each time you start up, and also when you make changes to the rules, so yes, it will overwrite what you had before.
They have commenced a fail2ban implementation, but it looks like they held off for the release of 2.2 (e.g. they have fail2ban installed by default). But due to the unique way that they are doing the IPTables (e.g. from the database), fail2ban will not work the way that many Internet guides show (e.g. chain). We do need to wait for Elastix to implement the GUI and code...
Regards
Bob
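To make the first-match behaviour described above concrete, here is an added Python model (not Elastix code and not Bob's) of a tightened rule list along the lines of this advice: SIP and RTP limited to the 192.168.1.0/24 phones plus one rule underneath for a provider, IAX rejected because it is not in use (as asked further down the thread), and the deny-all rule last. It also reproduces the lockout from the first post by placing a reject-all rule first. The provider address 203.0.113.10, RTP range 10000-20000 and IAX port 4569 are assumptions, not values from this thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str      # "ACCEPT" or "REJECT"
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # (low, high) inclusive; None matches every port
    source: str      # CIDR source; "0.0.0.0/0" matches any address

def first_match(rules, proto, port, src):
    """Walk the list top-down and return the action of the first rule that
    matches; nothing below a matching rule is ever consulted."""
    addr = ip_address(src)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.ports is not None and not (r.ports[0] <= port <= r.ports[1]):
            continue
        if addr not in ip_network(r.source):
            continue
        return r.action
    return "REJECT"  # no rule matched; the trailing deny-all would catch it

LAN = "192.168.1.0/24"           # the poster's local network
PROVIDER = "203.0.113.10/32"     # constructed example SIP trunk address
ANY = "0.0.0.0/0"

# Tightened rule set: SIP/RTP limited to the phones' subnet plus one provider
# rule underneath, IAX rejected outright, deny-all last. RTP 10000-20000 and
# IAX 4569 are Asterisk defaults and are assumed here.
TIGHTENED = [
    Rule("ACCEPT", "tcp", (22, 22), LAN),            # SSH console
    Rule("ACCEPT", "tcp", (80, 80), LAN),            # Elastix GUI
    Rule("ACCEPT", "tcp", (443, 443), LAN),
    Rule("ACCEPT", "udp", (5060, 5060), LAN),        # SIP from the phones
    Rule("ACCEPT", "udp", (5060, 5060), PROVIDER),   # SIP from the trunk
    Rule("ACCEPT", "udp", (10000, 20000), LAN),      # RTP media
    Rule("ACCEPT", "udp", (10000, 20000), PROVIDER),
    Rule("REJECT", "udp", (4569, 4569), ANY),        # IAX not in use
    Rule("REJECT", "any", None, ANY),                # final deny-all
]

# The mistake from the first post: a reject-all rule placed FIRST shadows
# every rule beneath it, so even GUI access from the LAN is refused.
LOCKED_OUT = [Rule("REJECT", "any", None, ANY)] + TIGHTENED

if __name__ == "__main__":
    print(first_match(TIGHTENED, "udp", 5060, "192.168.1.20"))   # ACCEPT
    print(first_match(TIGHTENED, "udp", 5060, "198.51.100.7"))   # REJECT
    print(first_match(LOCKED_OUT, "tcp", 443, "192.168.1.20"))   # REJECT
```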
Re: Elastix Firewall Configuration 5 Months, 2 Weeks ago
Karma: 181
Geego,
I have commenced a quick guide on the Firewall, but due to many other guides and other work taking priority, I have not had time to finish (I actually have 5 guides open on my desktop now, trying to get them finished...).
I might finish this one up in the next 48 hours and throw it out there. It is not in depth, but it talks about the basic concepts with a few pictures, and talks about renaming one of the port definitions to RTP.
Regards
Bob
Re: Elastix Firewall Configuration 5 Months, 2 Weeks ago
Karma: 0
Thanks Bob, very informative.
I am starting to correct a whole lot of what I had there.
Your explanation sounds pretty simple and I will update when I am done.
I need to have fail2ban, but Elastix takes a long time to come out with the updates (been waiting for months for the final stable... smile), but it is out and I am now happy.
My only issue is that I have a provider that I cannot get to unless "Anonymous calls" is set to yes.
Hopefully the firewall will take care of it, but do you have any suggestions?
Geego
Fresh Boarder
Posts: 12
Re: Elastix Firewall Configuration 5 Months, 2 Weeks ago
Karma: 181
Geego,
When it comes down to it, it is relatively simple.
I agree updates take a while, but Elastix have learnt not to rush an update, and whilst there are a few small issues with 2.2, overall the product is stable, usable, and works well in production.
Seriously, many of the basic IPTables guides are very good to read, and you will be able to translate the concepts of implementing the rules quite easily.
Yes, I am not a big fan of the anonymous setting either, but with correct firewall rules in place, it becomes a non-event.
Regards
Bob
Re: Elastix Firewall Configuration 5 Months, 2 Weeks ago
Karma: 0
So, if I am not using IAX, then I can block/reject all IPs, right?
And still leave it under the SIP rule?
And like the POP/SMTP rule, I can limit it to the local IP address?
Anything I am not using, just set it to reject in the rules?
Thanks
Geego
Fresh Boarder
Posts: 12
Re: Elastix Firewall Configuration 5 Months, 2 Weeks ago
Karma: 181
Yes, you can block/reject all IPs for IAX if you are not using it.
I have to admit I haven't played with the POP/SMTP rule, and it may depend on your setup...
The best part is that, except for the 80/443 rule, you can change it and try it, and if it doesn't work, either turn the firewall off or correct the rule...
Which is the correct methodology when implementing any firewall rules... test... test... test.
Regards
Bob
Re: Elastix Firewall Configuration 5 Months, 2 Weeks ago
Karma: 0
Can you please point me to the IPTables guide that you think is the best and simplest one to use/read?
Thanks
Geego
Fresh Boarder
Posts: 12
Last Edit: 2011/12/04 16:23 By Geego.