To get these updates, simply run 'zypper ref && zypper up' to install them.
Setting up the IP Lists in ViciDial:
1) Log into ViciDial
2) Go to Admin --> System Settings
3) Change "Allow IP Lists" to 1 and save
4) Go to Users and click on your admin user (I.E. 6666)
5) Set Modify IP Lists to 1 and save
6) Repeat steps 4 and 5 for any other admin users you want to be able to adjust the whitelist
7) Go to Admin --> IP Lists
8) Click on "Add An IP List" (if 'ViciWhite' is already listed, just click on it and skip to step 12)
9) The IP List ID should be 'ViciWhite' (You can name it something else, but you'll need to use the --whitelist= option with VB-firewall)
10) The IP List Name can be whatever you want like 'Firewall Whitelist', but there needs to be something there
11) Click on Submit to save the new IP List and bring up the window allowing us to add entries
12) Add any IPs you want to include on the IP list. One IP per line.
13) Once you're satisfied with the IPs on the list, click Submit to save the changes.
You can also enter CIDR ranges in step 12, but ViciDial itself won't be able to understand them. If you want to IP-restrict agents to specific campaigns, I would suggest having separate IP lists for ViciDial to use and keeping this one IP list just for the firewall.
Now modify the crontab for white/dynamic list:
1) run 'crontab -e'
2) Go to the very bottom of the crontab and change the firewall entries to the two lines below (if you just want whitelisting, remove '--dynamic' from both lines):
@reboot /usr/bin/VB-firewall --white --dynamic --quiet
* * * * * /usr/bin/VB-firewall --white --dynamic --quiet
3) Press CTRL-X to exit
4) Press 'Y' to save the changes to the crontab and then hit enter
Now to setup the network/firewall configuration:
1) Run 'yast lan'
2) Go to the 'Interfaces' section in the left window and press enter
3) Assign any network device with a LAN IP (192.168.X, 10.X, etc) to the 'trusted' zone
4) Assign any network device with an Internet IP to the 'Public' zone
5) Go to the 'public' section in the left window and press enter
6) Remove all allowed services except for 'rtp' and 'dhcpv6-client' (You can also remove dhcpv6-client if you're not using IPv6)
7) Go to the 'external' section in the left window and press enter
8) Make sure 'apache2', 'apache2-ssl', 'asterisk', and 'rtp' are listed here
9) Once all the above is complete, press ALT-A or F10 to accept and save the changes made
10) Run 'service firewalld restart' to clear out the network config and reload all your changes. This also resets network access, so be careful if you're doing this remotely.
11) Run 'VB-firewall --white --dynamic' to load the IPs from your lists. You can add --debug to get extra output.
Now for the harder part, to understand what VB-firewall and firewalld are doing to control access.
Firewalld will process any traffic received on a network device (NIC) through the zone that network device is assigned to. That's why it's important to make sure your NICs are in the correct zone. Here's how the zones should be interpreted in firewalld:
Public - Trust no one, assume everything here is hostile to you by default, also they don't like cats
External - You know who these people are, but still want to limit what they can have access to, they like cats just not your cat
Trusted - This is the guy in the break room eating other people's lunches, has access to everything, and your cat likes them more than you
VB-Firewall integrates with firewalld to act as an IP-based zone assignment system at a global network level. This means that any IP added to the white or dynamic list, regardless of which network device that IP arrives on, will be processed through the external zone. So if you added 192.168.10.4 to the whitelist, even though this IP originates on your internal 'trusted' LAN, firewalld will assign this IP to the 'external' zone and limit its access to that zone's services. This is why the RFC1918 inclusion option in VB-firewall.pl is now disabled by default. Previously it would add the whole RFC1918 IP space to the whitelist, causing all sorts of cluster issues since things like MariaDB/MySQL are not allowed services in the 'external' zone. You can still add the RFC1918 IP space to the whitelist, but you'll need to add the '--addrfc1918' option to the VB-firewall.pl entry in the crontab.
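A small pre-check for the list you type into 'ViciWhite' in step 12, covering both caveats above: CIDR entries that ViciDial itself cannot parse, and RFC1918 addresses that VB-firewall would pin to the 'external' zone. This is an added example, not code from the original post or from VB-firewall; the function names and the sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or VB-firewall): pre-check a
# whitelist, one entry per line as typed into the 'ViciWhite' IP List, for
# CIDR entries (ViciDial cannot parse them) and RFC1918 addresses (VB-firewall
# would pin them to the 'external' zone, cutting them off from MariaDB etc.).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    is_ipv4 "$1" || return 1
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.*) second=${1#172.}; second=${second%%.*}
               [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Print one of: ok | cidr | rfc1918 | invalid for a single list entry.
classify_entry() {
    case $1 in */*) echo cidr; return 0 ;; esac   # firewalld takes CIDR, ViciDial does not
    if ! is_ipv4 "$1"; then echo invalid
    elif is_rfc1918 "$1"; then echo rfc1918
    else echo ok
    fi
}

# Read entries on stdin (blank lines and '#' comments skipped) and report each.
check_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        printf '%-20s %s\n' "$line" "$(classify_entry "$line")"
    done
}

# Constructed sample list for demonstration only.
printf '%s\n' 203.0.113.7 192.168.10.4 10.0.0.0/8 999.1.1.1 | check_list
```

Anything reported as rfc1918 will lose access to LAN-only services once VB-firewall loads it, unless you run with '--addrfc1918' deliberately and accept that.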
There is still a firewalld bug (an actual bug in firewalld, not in VB-firewall) where firewalld will intermittently get into a runaway state. When this happens firewalld will consume 100% of a CPU and eventually drop all network connectivity. This seems to be related to a large number of IPs in an IPSet, which makes it more prevalent with blacklisting than whitelisting. Generally this condition only seems to trigger when core network changes are made inside 'yast firewall' or 'yast network'. The work-around so far has been to make the changes you need inside yast and then reboot to clear this condition. Alternatively, sometimes this can be cleared up by doing a 'service firewalld restart', although sometimes firewalld itself goes unresponsive. Once you have the core networking done and set up, things run stably without incident.