
Firewall help for VICIbox V9.0.0

PostPosted: Tue Oct 01, 2019 9:10 am
by xenia2608
Setup for 30 agents (100 channels):
1 DB server: DDR4 2133 16 GB RAM, 256 GB SSD, quad core @3.7 GHz, Xeon E1240 v6
1 web-dialer-archive server: DDR4 2133 16 GB RAM, 512 GB SSD, quad core @3.7 GHz, Xeon E1240 v6.
Manual recording, ulaw, alaw. No g729.

OS: Vicibox v9
VERSION: 2.14-719a
BUILD: 190930-2110

The database server is stand-alone; in case of an increase in capacity I will separate the dialer and web server, but for now I will try to push this configuration to the max channels with 30 agents.
Both servers are dedicated cloud servers with an internal network enabled to communicate with each other, and each is also accessible separately using its public IP.

For installation I am following the vicibox installation manual.

Installation setup help needed:
During setup of the network configuration the manual says the external network should belong to the external zone of the firewall, which I selected. I used the command vicibox-install to proceed with installation of the database server.

For the database server:
Do you want to enable inbuilt firewall (y/n): which option should I select? I selected No for now (please help). Successfully installed the database server without any issue.

For the web/dialer server:
Do you want to enable inbuilt firewall (y/n): which option should I select? I selected No for now (please help). Successfully installed the web and dialer server without any issue.

I can access the database from the dialer server using the private network. Everything seems to be working fine for now.

Now I enabled the whitelist and dynamic IP list using the manual and updated my static IP to access vicidial. The manual says to edit the public zone of the firewall and remove asterisk and apache2 from the allowed services; after doing this I cannot access the vicidial web page and I am not even able to register my phone (external IP enabled in the phone settings), even though I have defined my static IP in the whitelist using the web portal. Once I allow the apache and sip services on the public zone my phone gets registered and I can access the vicidial web; it also works when I allow the services on the external zone.

My questions are:

Should I enable the inbuilt firewall during installation of the database, web, dialer and archive servers?
At the initial network setup the manual says to define the external zone of the firewall for the external IP, while during setup of the whitelist it says to edit the public zone of the firewall. (Is there any difference between the two zones?)
Which zone should I select during network setup for the external network, the external zone or the public zone of the firewall?
After removal of the allowed services apache2 and asterisk (sip is not allowed by default), there is no access to the server.

Help

Re: Firewall help for cluster installation

PostPosted: Wed Oct 02, 2019 8:34 am
by xenia2608
Followed every step from this thread: http://www.vicidial.org/VICIDIALforum/v ... =8&t=38741
Even consulted the OP of this thread but still no success till now.

Here are the steps which I followed:
Enabled the inbuilt firewall during installation. The external NIC is set to the external zone according to the manual. My vicidial IP is 10.0.0.1 and the database IP is 10.0.0.2. After completion of installation, I was not able to access the web portal using the public IP before setting up the firewall. The manual says to edit the public zone to configure the firewall, so I switched the external NIC eth0 to the public zone, where apache2, asterisk and rtp were allowed by default. Removed asterisk from the allowed services of the public zone. After setting it to the public zone the web portal is accessible by public IP as it is already allowed.

Setting up the firewall:
### Enabled iptables white list rules with: touch /etc/sysconfig/scripts/SuSEfirewall2-viciwhite
### Commented out every line in crontab which has "VB-firewall.pl" by default. ###
### crontab entry: * * * * * /usr/local/bin/VB-firewall.pl --white --quiet
@reboot /usr/local/bin/VB-firewall.pl --white --quiet
### Didn't enable vicidynamic
### Restarted the server


After all these steps I added a few of my static IPs to the ViciWhite list from the web portal.

### Reloaded the firewall using: firewall-cmd --reload

To check whether my whitelist IPs are loaded or not, here is the output of:

/usr/local/bin/VB-firewall.pl

ViciBox Firewall white/dynamic/black list integration

Database Host : 10.0.0.2
Database Name : asterisk
Database User : cron
Database Pass : 1234
Database Port : 3306
White list : Disabled
Dynamic list : Disabled
Black list : Enabled
Vici Black List : viciblack
IPSet Black IPs : badips
IPSet Black Nets : badnets
VoIP Black List : Disabled
Geo Block list : Disabled


Generating Black List from IP List 'viciblack'...
Found 0 IPs to process
Writing IPSet rule files to /tmp//VB-BLACK-tmp and /tmp//VB-BLACKNET-tmp
Loading Black list IPSet rules into Kernel
Black List had been loaded!



/usr/local/bin/VB-firewall.pl --white

ViciBox Firewall white/dynamic/black list integration

Database Host : 10.0.0.2
Database Name : asterisk
Database User : cron
Database Pass : 1234
Database Port : 3306
White list : Enabled
Vici White List : ViciWhite
IPSet White List IPs : whitelistips
IPSet White List Nets : whitelistnets
RFC1918 White List : YES
Dynamic list : Disabled
Black list : Disabled
VoIP Black List : Disabled
Geo Block list : Disabled


Generating White List from IP List 'ViciWhite'...
Found 4 entires to process
Adding RFC1918 IPs to white lists
Writing IPSet rule files to /tmp//VB-WHITE-tmp and /tmp//VB-WHITENET-tmp
Loading white list IPSet rules into Kernel
ipset v6.36: Error in line 1: The set with the given name does not exist ###(what is this error ?)###
White List had been loaded!



ipset -L whitelistips
Name: whitelistips
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 328
References: 0
Number of entries: 5
Members:
139.xx.2x.1xx
1x4.2xx.3x.7
10x.x3x.1x8.x5
127.0.0.1
x15.x7.1xx.2xx
You have new mail in /var/mail/root


After going through it many times, I am still not able to register my phone and I am not even able to access the web portal once I remove apache2 from the allowed services of the public zone. According to the firewall setup, my sip and web server should be accessible from whitelisted IPs. Any help? I am not able to figure out what I am missing in the whole setup.

In this thread http://www.vicidial.org/VICIDIALforum/v ... =8&t=38741 , everyone is talking about an advanced tab under allowed services and custom rules, but I am not able to find any advanced tab or custom rules tab in the text-mode YaST firewall.

I have been stuck on this for 3 days, no progress at all. Any help?
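In the ipset -L output above, "References: 0" is ipset's count of kernel rules (and other sets) that refer to the set, so a set with zero references is loaded but consulted by nothing, and the addresses in it cannot affect traffic. The following check, an added example that is not part of the post or of the ViciBox scripts, parses ipset -L output and flags such sets; the sample output is constructed to mirror the post.

```shell
#!/bin/sh
# Flags ipsets that exist in the kernel but are referenced by no rule
# ("References: 0" in "ipset -L"). Added example; sample input is constructed.

SAMPLE_IPSET_OUTPUT='Name: whitelistips
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 328
References: 0
Number of entries: 2
Members:
10.0.0.2
127.0.0.1

Name: badips
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 120
References: 2
Number of entries: 0
Members:
'

# Read "ipset -L" output on stdin; print the name of every set whose
# "References:" value is 0, one name per line.
unreferenced_sets() {
  awk '/^Name:/ { name = $2 }
       /^References:/ { if ($2 == 0) print name }'
}

# Take the listing as $1; return 0 when every set is referenced by at least
# one rule, 1 otherwise (suitable for a cron or monitoring check).
check_ipset_references() {
  unref=$(printf '%s\n' "$1" | unreferenced_sets)
  if [ -n "$unref" ]; then
    printf 'ipset(s) loaded but used by no rule: %s\n' "$unref" >&2
    return 1
  fi
  return 0
}

# Stand-alone demo on the constructed sample; on a live host use:
#   ipset -L | unreferenced_sets
printf '%s\n' "$SAMPLE_IPSET_OUTPUT" | unreferenced_sets
```

A whitelist set that shows up here needs an iptables/firewalld rule that matches on it before adding addresses to it changes anything.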

Re: Firewall help for cluster installation

PostPosted: Wed Oct 02, 2019 5:04 pm
by xenia2608
Sorry for bumping my post again and again.

If anyone has a working inbuilt firewall with Vicibox v9 VERSION: 2.14-719a BUILD: 190930-2110, please reply here or let me know if I am doing it the wrong way. The Vicibox firewall works great with V8.1.2.

To me it seems Vicibox V9 is based on SeLS 15, and SELS 15 uses firewalld instead of SuSEfirewall2. I don't know whether I am wrong or right, or whether I am missing something during setup. I followed every step precisely as defined in the manual of v9 but nothing seems to be working. I am not qualified enough to talk about scripts and issues in the firewall or to report this as a bug; I am not even certain about the issue, whether this problem is at my end or an overall system firewall issue.

Thanks

Re: Firewall help for cluster installation

PostPosted: Mon Oct 07, 2019 7:58 am
by xenia2608
Update --

After trying several times on different fresh installs of vicibox v9 (vmware test) to enable the inbuilt vicibox ViciWhite and dynamic list, I still didn't find a way to get it working.

Finally ended up disabling ViciWhite and now I have configured the firewall using firewalld. Although I haven't tried Blacklist, Voipbl and Geoblock.

For now I am using firewalld syntax to whitelist IPs and to allow services.

Set eth0 (the interface directly connected to the internet) to public. (You can set any zone.)

Example:
To allow http access for a specific IP:

sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.4" port port=80 protocol=tcp accept'

For me it's working fine on V9 till now. Will update further here if anything comes up.
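The per-IP rich rule above has to be repeated for every whitelisted address and every port, and a typo in an address must not silently become a rule. The script below, an added example and not the poster's own, generates the firewall-cmd --permanent commands from a whitelist in the same rich-rule form; it assumes the public zone on eth0 as in the post, and the whitelist and the 80/tcp and 443/tcp ports are constructed for the demo.

```shell
#!/bin/sh
# Generate firewalld rich rules that allow a port only from whitelisted IPv4
# sources (same form as the post's rich rule). Added example; whitelist is constructed.

ZONE=public   # assumption: eth0 is in the public zone

# Constructed whitelist: one IPv4 address or CIDR per line, '#' starts a comment.
WHITELIST='# office
192.168.1.4
203.0.113.0/24
not-an-ip
999.1.1.1'

# True when $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# One rich rule string for source $1, port $2, protocol $3.
rich_rule() {
  printf 'rule family="ipv4" source address="%s" port port=%s protocol=%s accept' "$1" "$2" "$3"
}

# $1: whitelist text; remaining args: port/proto pairs such as 80/tcp.
# Prints one firewall-cmd --permanent line per (entry, port/proto) pair.
# Malformed entries are skipped and reported on stderr instead of being
# turned into a rule, so a typo never widens the allow list.
gen_whitelist_cmds() {
  list=$1; shift
  printf '%s\n' "$list" | while read -r ip; do
    case "$ip" in ''|\#*) continue ;; esac
    if ! valid_ipv4 "$ip"; then
      printf 'skipping invalid whitelist entry: %s\n' "$ip" >&2
      continue
    fi
    for pp in "$@"; do
      printf "firewall-cmd --permanent --zone=%s --add-rich-rule '%s'\n" \
        "$ZONE" "$(rich_rule "$ip" "${pp%/*}" "${pp#*/}")"
    done
  done
}

# Dry run: print the commands. To apply: pipe into sh, then firewall-cmd --reload.
# The zone-wide service (apache2 in the post) must stay removed from the zone,
# otherwise these per-IP rules change nothing.
gen_whitelist_cmds "$WHITELIST" 80/tcp 443/tcp
```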