Vicibox 9.0.1 firewall configuration not working

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Moderators: enjay, williamconley, Staydog, mflorell, MJCoate, mcargile, Kumba

Vicibox 9.0.1 firewall configuration not working

Postby red.bull80 » Wed Jan 29, 2020 11:44 am

Hi,
I have just recently returned to the Vicibox world and quite a few changes have happened since. I just finished installing the latest vicibox version 9.0.1 and followed the Vicibox_v9-install manual to the letter. Everything went smooth but one thing I noticed it is not working (as I assume it should) is the build-in firewall.

1. The server is directly connected on the Internet with public IP address
2. eth0 is on the "default" zone
- but, forgive the ignorance, I don't see any "default" zone on the list of zones;
- in the Zones list I have block, dmz, drop, external, home, internal, public, trusted and work... not sure which one to choose (although external or public would make sense)
3. I have set it up for white-listing as explained in the manual.
4. I did populate the VicWhite List with my allowed IP addresses in the format xx.xx.xx.xx/xx
5. I also put 0.0.0.0/0 on the VciBlack just to test it (although this should be obsolete)
6. I did add the VB-firewall.pl --white on the crontab to run every 5 minutes
7. this is what I get when I run VB-firewall.pl --white
vicibox:/ # VB-firewall.pl --white

ViciBox Firewall white/dynamic/black list integration

Database Host : localhost
Database Name : asterisk
Database User : cron
Database Pass : 1234
Database Port : 3306
White list : Enabled
Vici White List : ViciWhite
IPSet White List IPs : whiteips
IPSet White List Nets : whitenets
RFC1918 White List : YES
Dynamic list : Disabled
Black list : Disabled
VoIP Black List : Disabled
Geo Block list : Disabled


Generating White List from IP List 'ViciWhite'...
Found 3 entires to process
Adding RFC1918 IPs to white lists
Writing IPSet rule files to /tmp//VB-WHITE-tmp and /tmp//VB-WHITENET-tmp
Loading white list IPSet rules into Kernel
White List had been loaded!

8. /tmp//VB-WHITE-tmp has
vicibox:/ # cat /tmp//VB-WHITE-tmp
add whiteips xx.xx.xx.xx -exist
add whiteips xx.xx.xx.xx -exist
add whiteips xx.xx.xx.xx -exist
add whiteips 127.0.0.1 -exist

9. /tmp//VB-WHITENET-tmp has
vicibox:/ # cat /tmp//VB-WHITENET-tmp
add whitenets 192.168.0.0/16 -exist
add whitenets 10.0.0.0/8 -exist
add whitenets 172.16.0.0/12 -exist

10. no errors noticed during the whole process

Still, the traffic is not being filtered. I tried to connect using mobile phone and proxies and I am able to access vicidial web interface

Any advice on this?

thank you

red
red.bull80
 
Posts: 2
Joined: Mon Jan 27, 2020 12:00 pm

Re: Vicibox 9.0.1 firewall configuration not working

Postby red.bull80 » Thu Jan 30, 2020 1:30 pm

anyone has been able to setup the white-listing properly?
red.bull80
 
Posts: 2
Joined: Mon Jan 27, 2020 12:00 pm

Re: Vicibox 9.0.1 firewall configuration not working

Postby subkiisp » Sat Feb 15, 2020 3:39 pm

Yes, its working fine at my end..
IF YOU WANT ME TO HIRE FOR THIS, PM me.
Xceed Connections
www.xceedconnections.com
subkiisp
 
Posts: 31
Joined: Tue Feb 14, 2017 7:42 pm

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Wed Mar 04, 2020 8:55 pm

iptabless-save

remove anything personally identifiable (or change two of the last numbers on the IP)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Fares MEHENI » Fri Apr 10, 2020 11:24 am

Hello,

For my part I still have a problem on the firewall (vicibox 9.0.1).

when i authorize SSH on the public zone (default) and on viciwhite on vicidial i only activate my local ip network and the access remains open to the public. And when I remove the SSH from the public zone I can no longer access even locally. I followed all the steps of the manual.

is the firewalld configured like this or I was wrong somewhere.

----------------------------------------------------------------------
XXXX# VB-firewall.pl --white

ViciBox Firewall white/dynamic/black list integration

Database Host : localhost
Database Name : asterisk
Database User : cron
Database Pass : 1234
Database Port : 3306
White list : Enabled
Vici White List : ViciWhite
IPSet White List IPs : whiteips
IPSet White List Nets : whitenets
RFC1918 White List : YES
Dynamic list : Disabled
Black list : Disabled
VoIP Black List : Disabled
Geo Block list : Disabled


Generating White List from IP List 'ViciWhite'...
Whitelist IPSet rules not found in iptables, white listing might not work
Please run 'touch /etc/sysconfig/scripts/SuSEfirewall2-viciwhite' followed by
SuSEfirewall2 to install and setup the White List rules.

Found 2 entires to process
Adding RFC1918 IPs to white lists
Writing IPSet rule files to /tmp//VB-WHITE-tmp and /tmp//VB-WHITENET-tmp
Loading white list IPSet rules into Kernel
White List had been loaded!
------------------------------------------------------------------------------------

cat /tmp//VB-WHITE-tmp
add whiteips 127.0.0.1 -exist

-------------------------------------------------------------------------------------

cat /tmp//VB-WHITENET-tmp
add whitenets 192.168.0.0/24 -exist
add whitenets 192.168.0.0/16 -exist
add whitenets 10.0.0.0/8 -exist
add whitenets 172.16.0.0/12 -exist

---------------------------------------------------------------------------------------

iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set whiteips src tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set whitenets src tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set dynamiclist src tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set whiteips src tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set whitenets src tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set dynamiclist src tcp dpt:https ctstate NEW
ACCEPT udp -- anywhere anywhere match-set whiteips src udp dpt:sip ctstate NEW
ACCEPT udp -- anywhere anywhere match-set whiteips src udp dpt:iax ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set whiteips src tcp dpt:8089 ctstate NEW
ACCEPT udp -- anywhere anywhere match-set whitenets src udp dpt:sip ctstate NEW
ACCEPT udp -- anywhere anywhere match-set whitenets src udp dpt:iax ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set whitenets src tcp dpt:8089 ctstate NEW
ACCEPT udp -- anywhere anywhere match-set dynamiclist src udp dpt:sip ctstate NEW
ACCEPT udp -- anywhere anywhere match-set dynamiclist src udp dpt:iax ctstate NEW
ACCEPT tcp -- anywhere anywhere match-set dynamiclist src tcp dpt:8089 ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination

----------------------------------------------------------------------------------------------------------------------------------------------------------
And Viciwhite active in vicidial ( with adresse 192.168.0.0/24 )
viciblack not active

--------------------------------------------------------------------------------------------------------------------------------------------------------------
thank you in advance.
Fares MEHENI
 
Posts: 62
Joined: Thu Oct 17, 2019 2:43 am

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Fri Apr 10, 2020 12:32 pm

public vs private zones only work if they are on completely different interfaces (ie: different network cards) as a rule. The Zone is usually identified by the network device/card (often eth0 or eth1 or ens192 etc).

if you only have one network card and it has only a private network, you should just open the private network to all ports. Since there is really only one zone.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Fares MEHENI » Sat Apr 11, 2020 1:30 pm

williamconley wrote:public vs private zones only work if they are on completely different interfaces (ie: different network cards) as a rule. The Zone is usually identified by the network device/card (often eth0 or eth1 or ens192 etc).

if you only have one network card and it has only a private network, you should just open the private network to all ports. Since there is really only one zone.



my server is installed locally with a private address. I choose which zone by default?
Fares MEHENI
 
Posts: 62
Joined: Thu Oct 17, 2019 2:43 am

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Sat Apr 11, 2020 2:24 pm

if you have only one network card, you have only one zone. thus you will want to open the private ip address range in your single zone. that's how you fake the internal zone when you don't have two zones. you lock everything down but open the private ip address subnet.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Fares MEHENI » Mon Apr 13, 2020 8:22 am

Hello william thank you very much for your help.

I'm sorry to annoy you again I don't see how to configure the firewall. my server has only one network card and it is connected to the internet with a private address in a local network. I would like to authorize all the ports on the local network and also to authorize some addresses towards the outside of the network (ip of the provideur sip ....)
I don't know which zone to choose and how to use the whitlist. I followed the tutorial to the letter and I activated the whithelist with the addresses that I want authorized outside and in addition the local network (192.168.0.0/24).

My problem when I remove all the services from the zone I can no longer access my server in local SSH. and when I activate the SSH service on the zone it will be open to everything :(
I would like to know how to activate the service I want for authorized addresses on the whitlist only. as in the old firewall version.

Thank you in advance.
Fares MEHENI
 
Posts: 62
Joined: Thu Oct 17, 2019 2:43 am

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Mon Apr 13, 2020 4:55 pm

since you have only a local IP, and local IPs have NO meaning outside their local networks ...

Code: Select all
iptables-save


But modify any public IPs which may appear so they aren't real anymore. For instance xx.xx.xx.xx for public IPs.

Note that this command does not save anything. it spills your raw firewall to the console. This could (if you wanted) be stored in a text file and used to "recreate" this firewall state with "iptables-restore". But in this case, you're just going to copy it and paste it here so we can see why your local network isn't open after you close your ssh port.

Also, you stated that you followed directions, but no link to the directions in question (or page # from a manual with version of manual?)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Fares MEHENI » Tue Apr 14, 2020 11:50 am

Hi,

this is what it gives iptables_save

to know that I am on the public zone (default) and I avtiver SSH and RTP.

I don't understand why my server is open to the public with ssh. if I delete ssh from the public zone also I will no longer have local access (except on 127.0.0.1)

iptables-save
# Generated by iptables-save v1.6.2 on Tue Apr 14 17:42:22 2020
*nat
: PREROUTING ACCEPT [1431:132058]
: INPUT ACCEPT [39:2069]
: OUTPUT ACCEPT [629:39260]
: POSTROUTING ACCEPT [629:39260]
: OUTPUT_direct - [0:0]
: POSTROUTING_ZONES - [0:0]
: POSTROUTING_ZONES_SOURCE - [0:0]
: POSTROUTING_direct - [0:0]
: POST_public - [0:0]
: POST_public_allow - [0:0]
: POST_public_deny - [0:0]
: POST_public_log - [0:0]
: PREROUTING_ZONES - [0:0]
: PREROUTING_ZONES_SOURCE - [0:0]
: PREROUTING_direct - [0:0]
: PRE_public - [0:0]
: PRE_public_allow - [0:0]
: PRE_public_deny - [0:0]
: PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Apr 14 17:42:22 2020
# Generated by iptables-save v1.6.2 on Tue Apr 14 17:42:22 2020
*mangle
: PREROUTING ACCEPT [133690:14104119]
:INPUT ACCEPT [133690:14104119]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [136678:16467199]
: POSTROUTING ACCEPT [136678:16467199]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
: POSTROUTING_direct - [0:0]
: PREROUTING_ZONES - [0:0]
: PREROUTING_ZONES_SOURCE - [0:0]
: PREROUTING_direct - [0:0]
: PRE_public - [0:0]
: PRE_public_allow - [0:0]
: PRE_public_deny - [0:0]
: PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Apr 14 17:42:22 2020
# Generated by iptables-save v1.6.2 on Tue Apr 14 17:42:22 2020
*raw
: PREROUTING ACCEPT [133690:14104119]
:OUTPUT ACCEPT [136679:16467639]
:OUTPUT_direct - [0:0]
: PREROUTING_ZONES - [0:0]
: PREROUTING_ZONES_SOURCE - [0:0]
: PREROUTING_direct - [0:0]
: PRE_public - [0:0]
: PRE_public_allow - [0:0]
: PRE_public_deny - [0:0]
: PRE_public_log - [0:0]
:blacklist - [0:0]
:geoblock - [0:0]
:voipbl - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PREROUTING_direct -p udp -m set --match-set blackips src -m udp --dport 5060 -j blacklist
-A PREROUTING_direct -p udp -m set --match-set blackips src -m udp --dport 4569 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blackips src -m tcp --dport 8089 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blackips src -m tcp --dport 80 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blackips src -m tcp --dport 443 -j blacklist
-A PREROUTING_direct -p udp -m set --match-set blacknets src -m udp --dport 5060 -j blacklist
-A PREROUTING_direct -p udp -m set --match-set blacknets src -m udp --dport 4569 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blacknets src -m tcp --dport 8089 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blacknets src -m tcp --dport 80 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blacknets src -m tcp --dport 443 -j blacklist
-A PREROUTING_direct -m set --match-set geoblock src -j geoblock
-A PREROUTING_direct -p udp -m set --match-set voipblip src -m udp --dport 5060 -j voipbl
-A PREROUTING_direct -p udp -m set --match-set voipblip src -m udp --dport 4569 -j voipbl
-A PREROUTING_direct -p tcp -m set --match-set voipblip src -m tcp --dport 8089 -j voipbl
-A PREROUTING_direct -p udp -m set --match-set voipblnet src -m udp --dport 5060 -j voipbl
-A PREROUTING_direct -p udp -m set --match-set voipblnet src -m udp --dport 4569 -j voipbl
-A PREROUTING_direct -p tcp -m set --match-set voipblnet src -m tcp --dport 8089 -j voipbl
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A blacklist -m limit --limit 1/min -j LOG --log-prefix "BlackList: "
-A blacklist -j DROP
-A geoblock -m limit --limit 1/min -j LOG --log-prefix "GeoBlock: "
-A geoblock -j DROP
-A voipbl -m limit --limit 1/min -j LOG --log-prefix "VoIPBL: "
-A voipbl -j DROP
COMMIT
# Completed on Tue Apr 14 17:42:22 2020
# Generated by iptables-save v1.6.2 on Tue Apr 14 17:42:22 2020
*security
:INPUT ACCEPT [132293:13973706]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [136690:16469615]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Apr 14 17:42:22 2020
# Generated by iptables-save v1.6.2 on Tue Apr 14 17:42:22 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [136690:16469615]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 10000:20000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whiteips src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whitenets src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set dynamiclist src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whiteips src -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whitenets src -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set dynamiclist src -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set whiteips src -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set whiteips src -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whiteips src -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set whitenets src -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set whitenets src -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whitenets src -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set dynamiclist src -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set dynamiclist src -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set dynamiclist src -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Tue Apr 14 17:42:22 2020
Fares MEHENI
 
Posts: 62
Joined: Thu Oct 17, 2019 2:43 am

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Tue Apr 14, 2020 12:16 pm

Fares MEHENI wrote:-A IN_public_allow -p udp -m udp --dport 10000:20000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whiteips src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whitenets src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT


This appears likely to be your problem.

Note that --dport 22 and --dport 10000:20000 are both set to allow WITHOUT regard to any --match-set. This means those ports are not filtered through any "good guys" vs "bad guys" ip sets. But --dport 80 is filtered through good vs bad sets.

As a test to confirm the issu, you could delete the port 22 open entry and use this at the linux cli instead:

Code: Select all
iptables -I INPUT 1 -p tcp -m set --match-set whiteips src -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -I INPUT 1 -p tcp -m set --match-set whitenets src -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT


Of course, this assumes that your local network is somewhere in the white ips or white nets. If not, you could try something more like this:

Code: Select all
iptables -I INPUT 1 -s 192.168.1.0/24 -j ACCEPT


Obviously you would replace 192.168.1.0 with your local subnet if that's not your local subnet.

Both of these examples assume that INPUT is the chain in use at some point in the process before packets get dropped. If that's not true, you could replace the INPUT chain name with a chain that's actually being used such as IN_public_allow
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Fares MEHENI » Wed Apr 15, 2020 12:25 pm

thank you very much William, that's exactly what I wanted to do.

I will add an iptables-save to save then launch the iptables-restore command at startup to restore the rules at each restart.
Fares MEHENI
 
Posts: 62
Joined: Thu Oct 17, 2019 2:43 am

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Thu Apr 16, 2020 3:11 pm

iptables-save does NOT save anything. it just dumps it to screen.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Kumba » Thu Apr 16, 2020 5:40 pm

SSH isn't controlled by the ViciBox Firewall since it's your only lifeline to the server. If you are sure you want to remove access to SSH, you can do that from yast firewall. You just need to remove SSH from the list of allowed services for the public zone which is the 'default' when no zone if specified on an interface.
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Thu Apr 16, 2020 6:27 pm

just be sure you are either in an open zone or have opened your ip address (remote or local) for all ports before removing ssh to avoid loss of access.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Fares MEHENI » Fri Apr 17, 2020 9:42 am

Hello,

Yes for security measures I delete all services in the zone (public in my case), and I add rich rules with
Code: Select all
firewall-cmd  --permanent --add-rich-rule '.....'


it's better than going through iptables because with firewall-cmd from firewalld you can make the rules permanent with the argument --permanent

for example to allow all traffic on the local network 192.168.0.0/24:

Code: Select all
firewall-cmd  --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" accept'


to allow RTP traffic for all the addresses in the whiteips list:

Code: Select all
firewall-cmd --add-rich-rule 'rule family="ipv4" source ipset="whiteips" port protocol="udp" port="10000-20000" accept'



thank you all 8)
Fares MEHENI
 
Posts: 62
Joined: Thu Oct 17, 2019 2:43 am

Re: Vicibox 9.0.1 firewall configuration not working

Postby Kumba » Fri Apr 17, 2020 4:04 pm

You should probably leave the RTP ports open to all of the internet. There's no real attack vector there since there's no control method available to you. The other thing is RTP comes from almost anywhere on the internet. If you remove UDP ports 10K-20K from being allowed you will start to run into seemingly random one-way audio issues.

Everything else should work as expected with a whitelist setup since they don't do random port allocations with third-party IPs like SIP.
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Fri Apr 17, 2020 4:39 pm

Disagree. While there may not be an attack vector that results in intrusion, DDOS still happens to some clients and that still results in loss of funds (plus a certain amount of embarrassment from "non-professional" working environment).

We always recommend full "whitelist lockdown" with the single exception of the DGG port/file which is impossible to guess and has yet to result in a single attack.

But this is merely the opinion of PoundTeam Incorporated. 8-)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Kumba » Fri Apr 17, 2020 5:43 pm

This is the only RTP security issue I've ever heard about in Asterisk: https://blogs.asterisk.org/2017/09/27/r ... abilities/

This is also mostly a lab vulnerability. I've never seen this attempted in the wild. You would need to intercept the SIP control stream to know the exact port, or spam all 10K RTP ports which which would be like trying to sneak into a police station while shooting off a shotgun. Their suggestion in the ticket is to use SIP over TLS to prevent the RTP from being exploited. Very VERY few carriers do SIP with TLS/SSL and even fewer do SRTP due to the compute overhead needed for encrypting gigs of traffic per second.

They also explain that the real exploit is not authenticating the RTP packets against the IP/port that was negotiated in the SIP's SDP body. In other words, the whole thing was an oversight on the SIP implementation. The RTP stream itself was not the problem. The good news is they match the RTP streams to the expected IP/Port from the SDP now which is part of the 'probation' and 'strictrtp' mechanism in Asterisk v.11.4 and up.

Yes, IP Whitelisting works, but it's not as simple as set and forget. You should be aware that one-way audio with a whitelist can VERY likely be that the RTP endpoint isn't on your list when nothing obvious presents itself. Depending upon your carrier that may very well not be maintainable if they don't handle their own RTP. If you are lucky, and your carrier handles all their own RTP, whitelisting can be a mostly set and forget thing.
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Vicibox 9.0.1 firewall configuration not working

Postby Fares MEHENI » Sat Apr 18, 2020 8:09 am

HI,

Yes totally agree with you, i just gave an example command for RTP so that in my case my carrier handles all their own RTP.
Fares MEHENI
 
Posts: 62
Joined: Thu Oct 17, 2019 2:43 am

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Tue Apr 21, 2020 10:53 am

Kumba wrote:Yes, IP Whitelisting works, but it's not as simple as set and forget.

I may have to disagree with this statement. Aside from adding a new whitelist IP when needed, it is that simple. Just like locking the doors on your house.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby marveelou » Mon Jul 11, 2022 8:54 pm

I've also encountered same issue, I'm not a master of iptables but as far as I understand the matching rule name is different from the VB_firewall script.What i did was only workaround to insert iptables to match whitelistips name in the iptables rules. Here are the code,

iptables -I IN_public_allow 2 -p udp -m set --match-set whitelistips src -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
iptables -I IN_public_allow 2 -p udp -m set --match-set whitelistips src -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
iptables -I IN_public_allow 2 -p tcp -m set --match-set whitelistips src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -I IN_public_allow 2 -p tcp -m set --match-set whitelistips src -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
iptables -I IN_public_allow 2 -p tcp -m set --match-set whitelistips src -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

Thank you
marveelou
 
Posts: 30
Joined: Thu Oct 02, 2014 8:38 pm
Location: Soong 2, Mactan , Cebu, Philippines

Re: Vicibox 9.0.1 firewall configuration not working

Postby covarrubiasgg » Tue Jul 12, 2022 10:37 am

marveelou wrote:I've also encountered same issue, I'm not a master of iptables but as far as I understand the matching rule name is different from the VB_firewall script.What i did was only workaround to insert iptables to match whitelistips name in the iptables rules. Here are the code,

iptables -I IN_public_allow 2 -p udp -m set --match-set whitelistips src -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
iptables -I IN_public_allow 2 -p udp -m set --match-set whitelistips src -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
iptables -I IN_public_allow 2 -p tcp -m set --match-set whitelistips src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -I IN_public_allow 2 -p tcp -m set --match-set whitelistips src -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
iptables -I IN_public_allow 2 -p tcp -m set --match-set whitelistips src -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

Thank you


At this point the firewall issues are solved, you just need to run zypper update in order to install the patches.
covarrubiasgg
 
Posts: 420
Joined: Thu Jun 10, 2010 10:20 am
Location: Tijuana, Mexico

Re: Vicibox 9.0.1 firewall configuration not working

Postby williamconley » Tue Jul 12, 2022 11:32 am

Beware any updates, though, as some things may be fixed and others may break. If you've got it working, and you're whitelisted, may be best to leave it alone unless the server is not yet in production so you can fix anything that may arise before launch. Of course, if it's not yet in production, you should consider the latest installer (although I'm not yet a fan of NFtables ... I still like IPtables more, lol).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Vicibox 9.0.1 firewall configuration not working

Postby Fares MEHENI » Wed Oct 05, 2022 4:03 am

Hello,

same i like iptables its not easy to separate lol
Thanks for the info William.
Fares MEHENI
 
Posts: 62
Joined: Thu Oct 17, 2019 2:43 am


Return to ViciBox Server Install and Demo

Who is online

Users browsing this forum: No registered users and 11 guests