https://configserver.com/cp/csf.html
It is a perl script, producing a very powerful IPTABLES firewall. Setup is very easy and well documented. Big community with great forum support : https://forum.configserver.com/
We use the csf firewall with whitelisting, so we only allow a few ip addresses and domain names to communicate with the internet.
DynDns Domain names are checked every 300 seconds.
So it is very easy to set up a secure white listing firewall with csf in the datacenter and dynamic Ip addresses for the agents, e.g. home offices in combination with DynDns.
Each home office / agent has a dynamic IP with a DynDns Account or a static IP.
The configuration of the csf firewall is text based, all configuration files are in /etc/csf
To allow a static ip we make an entry in /etc/csf/csf.allow
- Code: Select all
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
192.168.1.10
tcp|in/out|d=22|s=46.252.132.XX2/29
tcp|in/out|d=80|s=46.252.132.XX2/29
tcp|in/out|d=443|s=46.252.132.XX2/29
tcp|in/out|d=9001|s=46.252.132.XX2/29
udp|in/out|d=5060:5080|s=46.252.132.XX/29
udp|in/out|d=10000:60000|s=46.252.132.XX2/29
csf -r converts into iptables rules
we find the DynDns Domain names configuration in /etc/csf/csf.dyndns
- Code: Select all
# Homeoffice banana001x
tcp|in/out|d=22|s=banana001x.dyndns.org
tcp|in/out|d=443|s=banana001x.dyndns.org
udp|in/out|d=5060:5065|banana001x.dyndns.org
udp|in/out|d=10000:65534|s=banana001x.dyndns.org
csf -r converts the domain name banana001x.dyndns.org into iptables rules, and updates are made periodically
Now my idea is to setup a white listing firewall with web maintenance from Vicidial.
We need two additional fields for phones and agents :
Firewall Domain Name will be written from phone/agents table into /etc/csf/csf.dyndns , one text entry for every agent / phone
Firewall Ip Address will be written from phone/agents table into /etc/csf/csf.allow , one text entry for every agent / phone
After every entry update of these files a csf -r is making an iptables Firewall update to make the new entries active
It would be a great deal to manage the Ip adresses for the csf firewall in this way
This would be a nice addon for a secure white listing firewall managed by vicidial.
Any ideas ? Any script warriors out there for this project ?
Martin