vicidial.org

[davesdatasystems]

This may be a stupid question.

If i go into the firewall on OpenSUSE and stop all services and add only the external ip addresses i need to. Do i also need to do the internal network ip addresses?

[Kumba]

Give this a read: https://en.opensuse.org/SuSEfirewall2

While it's going to be more information then you need, anything you see in 'yast firewall' will likely be explained by this page. Basically all you are doing in the firewall configuration under yast is setting the options of the SuSEfirewall2 script. So if you understand what the script is doing, you will understand what options you can set using yast firewall.

[williamconley]

This may be a stupid question.

If i go into the firewall on OpenSUSE and stop all services and add only the external ip addresses i need to. Do i also need to do the internal network ip addresses?

The answer to this question depends on your overall configuration and differs mainly based on whether you have a public AND private IP (both) for this server or if the server works with a single IP.

IF you have both public and private IPs (two nic cards, of course), you can set the internal NIC card in the yast firewall to "internal" and unprotected. Then you do not need to add your local IPs to the exception list.
yast firewall -> Interfaces -> {choose NIC} -> Interface Zone (Internal for the local/private network and External for the public network)
If you use this method, do NOT check the "Protect firewall from internal zone" box in "Allowed Services".

IF you have only a private IP, you need to put your internal network's range in the custom list to allow them past the firewall. Technically this is a violation since a hacker could spoof private IPs through your firewall, but I've never seen someone actually get hacked this way (although I've seen many attempts).

IF you have only a public IP, you will NOT be allowing your private IPs through the firewall as they do not access the server through a private IP at all.

We recommend Dynamic Good Guys firewall available Free at ViciWiki.com (because we wrote it). Makes some of this much easier to manage. Not yet upgraded for Vicibox 7.0.0.

[davesdatasystems]

I did not know you could get Dynamic Good Guys firewall for free.

[williamconley]

It's not a firewall, it's a firewall management system. The firewall is always iptables (fail2ban, ufw, etc., all these actually manage iptables!). In fact, many routers (especially those running linux) use iptables as the firewall. Just like Vicidial is not the PBX (asterisk!). Vicidial just does a great job of managing asterisk.

Dynamic Good Guys contains instructions for Full Whitelist Lockdown. After you've done that, you can install DGG which makes it easy to add a new Authorized IP in a simple web interface. Plus you get a special web link to "self-authorize" access when you're out and about. This link can also be sent to remotely located agents/technicians/managers whose IP will change regularly, allowing them to access the system with a Dynamic IP (which will be forgotten at reboot every day).

And it's always been free.

[mattyou1985]

has thir has been an update to this that works with vicibox 2.12 ide like to no please

[williamconley]

Vicibox is in version 7.0.2 presently. 2.12 is viciDIAL not viciBOX.

Vicibox = installer
Vicidial = Dialer Suite for Call Centers

The instructions for Dynamic Good Guys will work with any version of the installer (vicibox) since it starts with a full lockdown. After the full lockdown, The "Dynamic Good Guys" installation is merely to make it easy to add new "allowed IPs" without accessing the command line or logging in via ssh or console: Just surf to a web page and add the new IP and it's "allowed". DGG has not been updated to properly add that easy page to Vicibox 7 yet, but works with Vicibox 6 and before. Installation with Vicibox 6.0.4 will give you the SAME Vicidial version as Vicibox 7.0.2, but different supporting software revision levels (including a different version of the OS).

[mattyou1985]

Vicibox is in version 7.0.2 presently. 2.12 is viciDIAL not viciBOX.

sorry bout that its still a bit confusing learning that installer vicibox suz so much and goautoinstaller duz things difrentley i get it just about that each installer uses a difrent svn and difrent databace seam version as well as both installers use difrent OS so defrent mefords need to be used just wanted to be shore that with VICI 2.12 and over as its using a difent databace (witch one i carnt remenber the name but could find) that thir would be no problums using Dynamic Good Guys

Vicibox = installer
Vicidial = Dialer Suite for Call Centers

so meney versions one can get very ezy lost think it might be an idear for some one to do a time line of sorts for each version with each svn,vici,Asterisk,databace,OS then all could see at what stage you need to change meford for that perticuler releace,ECT

The instructions for Dynamic Good Guys will work with any version of the installer (vicibox) since it starts with a full lockdown. After the full lockdown, The "Dynamic Good Guys" installation is merely to make it easy to add new "allowed IPs" without accessing the command line or logging in via ssh or console: Just surf to a web page and add the new IP and it's "allowed". DGG has not been updated to properly add that easy page to Vicibox 7 yet, but works with Vicibox 6 and before. Installation with Vicibox 6.0.4 will give you the SAME Vicidial version as Vicibox 7.0.2, but different supporting software revision levels (including a different version of the OS).

i did try it on 1 install using ssh it dident go well ill try agen on another new install first

best regards