FYI CSF?

isaacl

Member
Joined
Sep 22, 2009
Messages
348
Reaction score
3
Can I use CSF with PBXIAF/IncrediblePBX?
I have an IncrediblePBX VM I'm in the process of setting up on Wable, and I'd like to use that to lock it down.
I've set up CSF previously and know it well, so it would be a lot easier...
Thanks!
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Incredible PBX is open source GPL code so you can use any firewall you like including CSF. Please share your mods for the benefit of all of us.
 

isaacl

Thanks Ward!

I don't have anything overly fancy, but I like to lock down pretty much any ports that don't need to be open publicly, and then allow necessary connections in by putting the IP address(es) into the csf.allow file, or the dynamic DNS hostnames into the csf.dyndns file, once the necessary settings for dynamic DNS are enabled in the csf.conf file - basically setting the DYNDNS setting to how often you want it to check (I use 600 seconds, for every 10 minutes), and then setting DYNDNS_IGNORE to 1.
The global options might come in handy as well, and you can set CSF to pull a copy of the allow, deny, ignore, or dyndns entries from a remote server automatically.
By using dynamic DNS entries on any networks or devices that need to access the server, you should be able to lock everything down, but still be able to access everything from wherever you are.

My only concern was that CSF pretty much gets rid of any other iptables settings/entries, so I would lose anything that's already configured.

I'm setting up a PBX that will be using Google Voice for all calls, with no other trunks (at this point) that need to be connected.
If I'm going to allow the phones to connect using the above methods (IP addresses or dynamic DNS hostnames), is there anything else that I would have to open to allow Google Voice to work?
Or will it initialize the connection from the server, which will take care of everything?

Thanks a lot!
 

wardmundy

Sounds like you'll be doing exactly what Travelin' Man 3 in Incredible PBX already does. ;) o_O
 

isaacl

Yep, definitely a similar concept, just easier for me to set this up and maintain, and I know CSF much better than IPTables. I played with the Travelin' Man script once (probably an earlier version), but I didn't fully understand how to set it up, and this seems to allow me more control, and to lock everything down fully.
I also wrote a basic PHP script on one of my other servers that automatically updates a dynamic DNS entry with the IP address I logged in from, and it's locked down with a htaccess password, which works for me when I'm on the road and need to log in from wherever I am.

Edit: Now that I look at the info for the latest version, it seems very similar - I had tried the original version, which made you browse to a web page to open things up.
Though the warning about FQDNs on the Travelin' Man 3 page seems to make me happy that I'm using this, which works perfectly with FQDNs.

Do you know if I need to open anything up for Google Voice to work?

As a side point, Google Domains gives you free dynamic DNS with your domain registration...
 

wardmundy

If CSF uses iptables then it has the same shortcoming with FQDNs.
 

isaacl

Pretty sure that CSF does it smarter - I've seen the iptables list flash by on a reload, and I've never seen any hostnames in there.

My understanding is that any entry in the dyndns list is resolved every x seconds, depending on the configuration setting, and then the IP(s) from the hostnames in that list are put into the iptables list.

So you won't have any issues with any hostnames in the iptables list.
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
You can check two things to see if DYNDNS is working:

1. Check the iptables chain:
Code:
sudo iptables -L ALLOWDYNIN -nv
host yourhost.dynamicdomain.com

2. Check the lfd log to see if there are any DYNDNS errors -
Code:
cat /var/log/lfd.log | more
 

wardmundy

> Pretty sure that CSF does it smarter - I've seen the iptables list flash by on a reload, and I've never seen any hostnames in there.
>
> My understanding is that any entry in the dyndns list is resolved every x seconds, depending on the configuration setting, and then the IP(s) from the hostnames in that list are put into the iptables list.
>
> So you won't have any issues with any hostnames in the iptables list.


You'll never see an FQDN entry in an IPtables list. The shortcoming I was referring to is the inability of IPtables to escape gracefully with an unresolvable FQDN. Unless that is handled by other software, IPtables will not load. Presumably, CSF handles that. Easy way to check is to whitelist an FQDN that does not exist and see what happens. Better yet, create a dynamic DNS entry with a provider and enter that FQDN into your whitelist. Then delete the FQDN at the provider site and see what happens on your server.
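
The two checks chris_c_ lists and the deleted-FQDN test Ward describes can be scripted together. This is an added example, not part of any post in this thread and not CSF code: the function names, hostnames and addresses are constructed, and it assumes a list of plain hostnames plus a saved `iptables -L ALLOWDYNIN -nv` listing.

```shell
# Default resolver: one IPv4 address per line, no output if unresolvable.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# Read `iptables -L ALLOWDYNIN -nv` text on stdin, print ACCEPT source IPs.
# With -v the columns are: pkts bytes target prot opt in out source dest.
chain_sources() {
    awk '$3 == "ACCEPT" { print $8 }'
}

# audit_dyndns <dyndns-file> <saved-chain-listing> [resolver-function]
# Prints OK, MISSING (resolves but not in chain) or UNRESOLVED per hostname.
audit_dyndns() {
    resolver=${3:-resolve_host}
    sources=$(chain_sources < "$2")
    # Drop comments, whitespace and blank lines; skip lines containing '|'
    # (assumed here to be filter-style entries rather than plain hostnames).
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/|/d' -e '/^$/d' "$1" |
    while read -r host; do
        ips=$("$resolver" "$host")
        [ -n "$ips" ] || { echo "UNRESOLVED $host"; continue; }
        for ip in $ips; do
            if printf '%s\n' "$sources" | grep -qxF "$ip"; then
                echo "OK $host $ip"
            else
                echo "MISSING $host $ip"
            fi
        done
    done
}

# Constructed stub resolver and sample data so the demo runs offline.
stub_resolver() {
    case "$1" in
        office.example.net) echo 203.0.113.10 ;;
        laptop.example.net) echo 198.51.100.7 ;;
    esac
}

demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# constructed list' office.example.net \
        laptop.example.net deleted.example.net > "$tmp/dyndns"
    printf '%s\n' 'Chain ALLOWDYNIN (1 references)' \
        ' pkts bytes target prot opt in out source destination' \
        ' 12 720 ACCEPT all -- !lo * 203.0.113.10 0.0.0.0/0' > "$tmp/chain"
    audit_dyndns "$tmp/dyndns" "$tmp/chain" stub_resolver
    rm -rf "$tmp"
}
demo
```

On a live server, save the output of `sudo iptables -L ALLOWDYNIN -nv` to a file and pass it with your csf.dyndns file, omitting the third argument. A MISSING result right after a DNS change may only mean the next DYNDNS refresh has not run yet.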
 

isaacl

Going to try that, thanks Ward.

And still wondering if I need to open up any ports/sites for Google Voice to work - any ideas?

Thanks!
 
