vicidial.org

[Acidshock]

Ok I am going to make a suggestion. It may be unpopular but I have tested it out in several installs and its working great. I would like to suggest that we replace the existing vicibox firewall solution with CSF firewall. It has been used for almost 17 years. It is very easy to integrate into the distro. Simply change the iptables default location. It can use ipset, automatically download and use blacklists, geoip location, etc. In addition, IP's can easily be added into a temporary and/or permanent whitelist or blacklist via command line. Because of this a cron job can be made to add vicidial whitelist/blacklist ips. In addition if people absolutely need a UI because they are not very command line savvy they can use a built in web UI. Furthermore it also has login failure detection, etc. Overall I think it just offers a more tried and true method without us needing to fiddle with the current setup or refine the wheel.

The main reason I bring this up is I have literally had several people come to me to fix their firewall issues in vicibox 10.

Here is their page:
https://www.configserver.com/cp/csf.html

[carpenox]

I agree this would be a great addition, the firewall on V10 is a nightmare, something needs to be fixed or changed for sure.

[dspaan]

Yeah, i'm also a fan of CSF, on each new Linux install i use it as my main firewall. Could it also work with the vicidial dynamic portal?

[Kumba]

I'll take a look at it for ViciBox 11 which will be OpenSuSE with Asterisk 16. The primary reason I am somewhat stuck with firewalld is because yast is integrated with it. It's much easier to talk someone remotely over how to make changes in yast then it is to edit config files.

[dspaan]

I believe you will find these config files super easy. Also, in the latest yast firewall on OpenSuSE you can't add IP adresses to give them access for specific ports, zones or protocols. You have to do that through command line while you can just do nano /etc/csf/csf.allow and add your IP's to give admins SSH access.

[carpenox]

u can do it on command line for firewalld or yast as well just go to /etc/firewalld/zones and edit the files like below:

<zone target="ACCEPT">
<short>Trusted</short>
<description>All network connections are accepted.</description>
<source address="3.216.197.4"/>
<source address="34.196.59.250"/>
<source address="34.200.206.65"/>
<source address="13.56.51.225"/>
<source address="54.151.113.200"/>
<source address="54.193.203.218"/>
<source address="74.208.245.123"/>
<service name="apache2"/>
<service name="apache2-ssl"/>
<service name="sip"/>
<service name="mysql"/>
<port port="8089" protocol="tcp"/>
<port port="10000-20000" protocol="udp"/>
</zone>

[Kumba]

It's not so much the difficulty in editing a text file, it's more about the target audience's comfort with Linux. My general goal is to make every release of ViciBox easier to work with for the average IT guy. For me that's a guy whose primary experience is Windows desktop with limited networking/router knowledge and likely little to no Linux exposure let alone experience.

I'm not opposed to switching to anything that works better, but that is the lens I look at it through first. I'll put CSF on the list for ViciBox 11 feature consideration.

[williamconley]

In other words designing a web interface to edit that file OR creating a page in Vicidial and method of storage into that file is necessary for our End Users. While the DGG authorized IPs page was outside Vicidial, it was simplistic in nature and made it possible for anyone to add an IP for authorized access with Zero linux knowledge ... in fact, with no access to the linux interface required at all. So a secretary can be assigned that task by the owner.

Our method to limit access to the Authorized IPs page was a simple code in the URL. And that page updated a file used by the "xt_recent" iptables module.

This seems similar, just that the IP list represents a specifc section of an XML file. An interface to modify just that portion (keeping everything above and below it) or an interface to manage the entire file by allowing source addresses, service names and ports and port ranges could create a similar experience. Keeping it out of the Vicidial interface could reduce the likelihood that someone would jump onto a manager's workstation who has access to the page and add themselves. Plus "outside vici" means implementation could be instantaneous.

If it were modularized in some fashion, it could apply to "whatever" firewall is in use in that particular install (since we seem to be bouncing firewalls quite a bit, lol).

[dspaan]

It's also possible to use Webmin: https://webmin.com/

This is basically your webinterface which then allows you to give certain users limited access to certain files.

[williamconley]

True: But webmin also allows FULL access to the OS and is arguably *not* a simple interface.