Firewall

Description

Simple firewall implemented with iptables.

Release notes

Version 1.3.0 - Early deployment
  • Feature: Add the ssh profile (M15708)

Version 1.1.0 - General deployment
  • Feature: Ability to configure the firewall default policy. (M9472)
  • Feature: Ability to select the configuration type of your device. (M0)
  • Feature: Ability to define a front-end and a back-end interface. (M0)
  • Feature: Ability to define pre and post custom rules for filter. (M0)
  • Feature: Ability to define post custom rules for nat. (M0)

Version 1.0.0 - Early deployment
  • Feature: Split the firewall packet from SMP base (M9756)

Module configuration interface

Default Policy
Configuration type
Frontend Interface
Backend Interface
Additional Filter Pre-rules
Additional Filter Post-rules
Additional Nat Pre-rules
Additional Nat Post-rules

Module details

This module will install a simple firewall for easy protection of your device. It is based on blocks of rules that you can add according to the topology of your network. Custom rules are also available.

Module configuration parameters

Default policy:
  • version < 3.0.0: Select the firewall default policy. This should be DROP; otherwise it is as if no firewall were installed at all.
  • version >= 3.0.0: The default policy can no longer be configured, for security reasons. The default policy for incoming, outgoing and forwarding traffic is now DROP. To open outgoing traffic, use the “sop” profile.

Configuration type (version < 3.0.0): Your device configuration type.
  • SOP: This configuration allows all traffic required for a SOP (the default RTP ports are also opened).
  • ISAP: This configuration allows the traffic required for an ISAP.
  • SMP: This configuration allows the traffic required for an SMP.
  • None: No rules are added. Warning: do not select the default policy "DROP" until all your custom rules are finished; otherwise you might lose connectivity.

Frontend Interface: The interface exposed to public access.

Backend Interface: The interface which will be used for management access.

Generic Rules Allow (version >= 3.0.0): list of rule groups provided by this module, separated by commas, e.g. “sop,relax_ssh”. Each policy group is described in detail below:
  • sop:
      Traffic    Interface   Protocol   Port   Policy
      incoming   backend     TCP        22     ACCEPT
      incoming   loopback    *          *      ACCEPT
      outgoing   *           *          *      ACCEPT
  • relax_ssh:
      Traffic    Interface   Protocol   Port   Policy
      incoming   *           TCP        22     ACCEPT

Module Rules Allow: list of rules provided by installed modules. The format is a comma-separated list of module names, e.g. “Communication Server, NTP Server”. Each module can generate firewall rules based on its configuration, and this field selects whether those rules are taken into account. If the field is set to “all”, the firewall uses the rules of every module installed on your SOP.

Additional Pre-rules: Rules added by the user to customize the firewall policy. Attention! Because they are evaluated first, rules defined here override those generated for your device configuration type.

Additional Post-rules: Rules added by the user to customize the firewall policy. Rules defined here are applied only to packets that did not match any of the foregoing rules.

Additional rules syntax

Rules must follow iptables syntax, without the leading iptables or /sbin/iptables command (see the example below).
-A INPUT -i eth0 -p tcp --dport 21 -j DROP
-P OUTPUT DROP
  • The first line drops all incoming FTP traffic (TCP port 21) on interface eth0. Note that --dport is only accepted together with a protocol match such as -p tcp; without it iptables rejects the rule.
  • The second line sets the default policy for outgoing traffic to DROP.

This feature must be used carefully! Use it only if you know what you are doing; otherwise you risk locking yourself out of the device.
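As an added example (not the firewall module's own generator), the following script shows how the profile tables, the pre-rule/post-rule ordering and the rule syntax described above fit together: it prints the iptables rules that a “Generic Rules Allow” value plus custom pre- and post-rules would produce, without applying anything. The backend interface name, the use of lo for loopback and the exact emission order are assumptions.

```shell
#!/bin/sh
# Added example, not the firewall module's own code. Prints the iptables
# rules (in the syntax shown above) that a profile list plus custom pre/post
# rules would produce; nothing is applied. Rule order is an assumption.

# Emit the rules of one profile. $1 = profile name, $2 = backend interface.
profile_rules() {
    case "$1" in
        sop)
            # incoming backend TCP 22, incoming loopback, all outgoing
            echo "-A INPUT -i $2 -p tcp --dport 22 -j ACCEPT"
            echo "-A INPUT -i lo -j ACCEPT"
            echo "-A OUTPUT -j ACCEPT"
            ;;
        relax_ssh)
            # incoming TCP 22 on any interface
            echo "-A INPUT -p tcp --dport 22 -j ACCEPT"
            ;;
        *)
            echo "unknown profile: $1" >&2
            return 1
            ;;
    esac
}

# build_ruleset PROFILES BACKEND PRE POST
#   PROFILES: comma-separated list as typed in "Generic Rules Allow"
#   PRE/POST: newline-separated custom rules, may be empty
build_ruleset() {
    profiles=$1; backend=$2; pre=$3; post=$4
    # Default policy is DROP in all three chains (version >= 3.0.0).
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT DROP"
    # Pre-rules come first, so they take precedence over the profile rules.
    [ -n "$pre" ] && printf '%s\n' "$pre"
    # One block per listed profile; spaces around the commas are tolerated.
    for p in $(printf '%s\n' "$profiles" | tr ',' ' '); do
        profile_rules "$p" "$backend" || return 1
    done
    # Post-rules only see packets that no earlier rule matched.
    [ -n "$post" ] && printf '%s\n' "$post"
    return 0
}

# Constructed sample: eth1 is the backend, FTP is blocked on the frontend.
build_ruleset "sop,relax_ssh" eth1 "-A INPUT -i eth0 -p tcp --dport 21 -j DROP" ""
```

Because the pre-rule is emitted before the profile block, a DROP placed there wins over any later ACCEPT for the same traffic, which is exactly the override the Pre-rules field warns about.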

Post installation actions

For changes to take effect, an apply changes action is required after the installation of this module.

Fail2ban management

It is not possible to unban IPs with the currently used version of fail2ban. Banned IPs stay blocked for about 24 hours!

A way to clear the banned IP list is to reload fail2ban:
$ /etc/init.d/fail2ban reload

In order to check if fail2ban is correctly configured use this on the SOP:

$ fail2ban-client status

root@00012051:~# fail2ban-client status
Status
|- Number of jail:   1
`- Jail list:      escaux-asterisk

To see the list of banned IPs use:

$ fail2ban-client status escaux-asterisk

root@00012050:~# fail2ban-client status escaux-asterisk
Status for the jail: escaux-asterisk
|- filter
|  |- File list:   /var/log/asterisk/events 
|  |- Currently failed:   0
|  `- Total failed:   5
`- action
   |- Currently banned:   1
   |  `- IP list:   212.68.194.46 
   `- Total banned:   1

Get the unban command:
root@00012050:~# fail2ban-client get escaux-asterisk actionunban iptables-allports
iptables -D fail2ban-<name> -s <ip> -j DROP
This command must then be run by hand with the jail name and the IP filled in, but the ban list kept by fail2ban will then be out of date, since it still counts that IP as banned.

Reloading only the escaux-asterisk jail also clears the banned IPs for that jail:
root@00012050:~# fail2ban-client reload escaux-asterisk
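As an added example (not part of this page or of fail2ban), the script below parses the output of fail2ban-client status for a jail, as shown above, and prints the matching unban commands using the actionunban template returned by fail2ban-client get. The status text and its IP addresses are constructed, and nothing is executed.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: turn "fail2ban-client status JAIL"
# output into the unban commands of the actionunban template shown above.
# Nothing is executed; the commands are only printed for review.

# Constructed sample in the same layout as the status output above.
SAMPLE_STATUS='Status for the jail: escaux-asterisk
|- filter
|  |- File list:   /var/log/asterisk/events
|  |- Currently failed:   0
|  `- Total failed:   5
`- action
   |- Currently banned:   2
   |  `- IP list:   192.0.2.10 198.51.100.7
   `- Total banned:   2'

# banned_ips STATUS_TEXT: print one banned IP per line (none if the list is empty).
banned_ips() {
    printf '%s\n' "$1" \
        | sed -n 's/.*IP list:[[:space:]]*//p' \
        | tr -s ' \t' '\n' \
        | sed '/^$/d'
}

# unban_commands JAIL STATUS_TEXT: fill the template
# "iptables -D fail2ban-<name> -s <ip> -j DROP" for every banned IP.
unban_commands() {
    jail=$1
    banned_ips "$2" | while read -r ip; do
        echo "iptables -D fail2ban-$jail -s $ip -j DROP"
    done
}

unban_commands escaux-asterisk "$SAMPLE_STATUS"
```

On a real SOP the status text would come from `fail2ban-client status escaux-asterisk`; remember that fail2ban's own ban list is not updated by running these commands.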
Copyright © Escaux SA