TUTORIAL Mid-call Mobility aka Handover, Handoff.

Would you like me to make a video demonstrating this mid-call mobility aka handover?

  • Yes, pics and vids or it didn't happen
  • No, I got it

chris_c_
Interesting paradox discovered: the FreePBX 14 responsive VoIP "firewall" module is free GPL, yet it requires the "incron" daemon RPM package (which watches for changes to file and directory inodes on the PBX server filesystem) and the "system admin" module to be installed first, which in turn requires "Zend Guard Loader", used for running obfuscated PHP byte code, i.e. protected code whose source is not open, in order to hinder reading it and/or reverse engineering it.

For research purposes, to see how much better these responsive firewall rules are in terms of how they allow mid-call IP mobility, compared to the stock unresponsive firewall rules, which prevent any mid-call IP mobility:

1. Has anyone here got a FreePBX 14 server up and running with incron, the system admin module, and the firewall module?
2. Can you get iptables to print its responsive firewall rules to the terminal and share them here?
 

wardmundy
If it's encrypted code, it's NOT GPL code. Source code is required to comply with the GPL. Run!
 

jerrm
If it's encrypted code, it's NOT GPL code. Source code is required to comply with the GPL. Run!
It's not encrypted. The "voipfirewalld" daemon is bundled up in a phar archive, but there isn't even a password on it. Probably to make sure other system changes (like changing the global asmanager.php) won't impact the running firewall code.

The source is available in the module's "phar" folder with no additional LICENSE, so it is AGPLv3.

I'll admit my first thought was the "module" was GPL, but the actual daemon was proprietary. That is not the case - it's all AGPLv3.
 

chris_c_
If it's encrypted code, it's NOT GPL code. Source code is required to comply with the GPL. Run!
Only the "system admin" module source code is encoded by Zend Guard Loader, which basically means that it's PHP byte code fed into the interpreter without getting compiled. I can understand why they do that to the system admin module: it's to protect that sensitive admin-level code from modification and to stop bad guys from seeing how it works, so it's hard for them to attack the system. Security through obscurity is not the best security, but it's better than wide-open source when you have to choose between the two.
 

jerrm
1. Has anyone here got a FreePBX 14 server up and running with incron, system admin module, and firewall module?
2. Can you get iptables to print to terminal its responsive firewall rules and share here?

Have you tried to get it running?

Sysadmin handles signing/code checking, and is required for the commercial modules. To my knowledge it is a distro-only module.

I think Incron is a dependency of sysadmin, not of the firewall itself.

Sysadmin also handles the hardware/network config for the distro. Quite possibly some of the tables/config info the firewall module uses comes from the sysadmin module.

Odds of working out of the box on a non-distro system look slim. That said, I don't see anything in the overall structure that would require sysadmin if the config info was available. If someone took the time it could likely be opened up.
 

jerrm
I can understand why they do that to the system admin module, it's to protect that sensitive admin level code from modification and stops bad guys from seeing how it works...
And to secure their commercial modules.
 

jerrm
I fired up a FPBX13 Distro instance.

Generated rules attached.

Biggest question is where the packets get marked. Probably need to generate more traffic with a real config.
 

Attachments

  • filter.txt (18.2 KB)
  • nat.txt (1.2 KB)

chris_c_
Looks like voipfirewall (or fpbxfirewall, as it names its iptables chains) marks packets with a short numerical type code depending on which port and protocol they come into the firewall on, to keep track of what type of traffic each packet is, so as to easily know, after a packet gets routed around, what to do with it. On first look, it looks well thought out. PIAF/ipbx needs something like this, if not this actual GPL module, to let users get mid-call IP mobility to work effortlessly, with no blockage by the firewall simply because the client moved to a new IP address mid-call and is legitimately trying to reconnect.

First question to find an answer for is, does this voipfirewall actually depend on functions from the protected system admin module? Or is the fact that voipfirewall "requires" a file from system admin only a formality such that voipfirewall doesn't really call any meaningful functions from the protected system admin module?
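The mark-then-dispatch idea described in the post above, as an added illustration written for this thread (it is not the FreePBX module's code or its real rule set). The chain names (fw-classify, fw-dispatch, fw-external, fw-internal), the mark values, the port list and the zone policy are all constructed assumptions. The functions only build the iptables command strings and simulate the verdict for a single packet, so the example can be run and checked without root or a live firewall.

```python
"""Mark-based traffic classification with iptables (constructed example).

Classification happens once, in the mangle table's PREROUTING hook, by
protocol and destination port.  Every later decision keys off the mark, so
a packet keeps its "type code" no matter how NAT or routing rewrote it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    proto: str   # "udp" or "tcp"
    port: str    # single port or an iptables "low:high" range
    mark: int    # small type code stamped on matching packets
    zone: str    # which policy chain judges this type of traffic


# Constructed service table (assumption: not the real FreePBX defaults).
SERVICES = [
    Service("sip", "udp", "5060", 1, "external"),
    Service("rtp", "udp", "10000:20000", 2, "external"),
    Service("iax", "udp", "4569", 3, "external"),
    Service("web", "tcp", "80", 4, "internal"),
    Service("ssh", "tcp", "22", 5, "internal"),
]

# Constructed zone policy: the mark decides which chain handles the packet.
ZONE_TARGET = {
    "external": "fw-external",   # responsive handling (whitelist/greylist)
    "internal": "fw-internal",   # trusted management networks only
}


def classify_rules(services):
    """Mangle-table rules that stamp each inbound packet with its service code."""
    rules = [
        "iptables -t mangle -N fw-classify",
        "iptables -t mangle -A PREROUTING -j fw-classify",
    ]
    for s in services:
        rules.append(
            f"iptables -t mangle -A fw-classify -p {s.proto} --dport {s.port} "
            f"-j MARK --set-mark {s.mark}"
        )
    return rules


def dispatch_rules(services, zone_target):
    """Filter-table rules that send each packet to its zone chain by mark only."""
    rules = ["iptables -N fw-dispatch", "iptables -A INPUT -j fw-dispatch"]
    for s in services:
        target = zone_target.get(s.zone, "DROP")
        rules.append(f"iptables -A fw-dispatch -m mark --mark {s.mark} -j {target}")
    rules.append("iptables -A fw-dispatch -j DROP")   # unclassified traffic
    return rules


def _port_matches(spec, port):
    if ":" in spec:
        low, high = (int(x) for x in spec.split(":"))
        return low <= port <= high
    return int(spec) == port


def lookup_mark(services, proto, dport):
    """Simulate what fw-classify would stamp on one packet (0 = no match)."""
    for s in services:
        if s.proto == proto and _port_matches(s.port, dport):
            return s.mark
    return 0


def decision_for(services, zone_target, proto, dport):
    """Simulate fw-dispatch's verdict for one packet: a zone chain or DROP."""
    mark = lookup_mark(services, proto, dport)
    for s in services:
        if s.mark == mark:
            return zone_target.get(s.zone, "DROP")
    return "DROP"


if __name__ == "__main__":
    for line in classify_rules(SERVICES) + dispatch_rules(SERVICES, ZONE_TARGET):
        print(line)
    print(decision_for(SERVICES, ZONE_TARGET, "udp", 15000))   # fw-external
```

The point to notice is that fw-dispatch never looks at a port again: a media packet in the RTP range and a SIP packet both arrive at the external chain because of their marks, which is what makes it cheap to apply one whitelist/greylist policy to every kind of VoIP traffic.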
 

jerrm
First question to find an answer for is, does this voipfirewall actually depend on functions from the protected system admin module? Or is the fact that voipfirewall "requires" a file from system admin only a formality such that voipfirewall doesn't really call any meaningful functions from the protected system admin module?
Nothing in the filter functionality requires sysadmin.

The rule generation might need some of the system configuration sysadmin may provide. I'm not sure where the line is there.

The voipfirewalld uses some of the sysadmin signature self-check functionality - but again that is not really relevant to the filtering functionality.

The 1001 chains in the rule set are only to support the menu/checkbox configuration options of the GUI module.

The core of the work is done with traditional iptables methods. There is a monitor process in voipfirewalld that adds successfully authenticated IPs to a whitelist and removes the same IPs from the gray/blacklists. Nothing in the monitor process beyond the self-check (as part of the voipfirewalld phar) is dependent on sysadmin.

Does any of this work without the distro sysadmin - I don't know - someone with a CentOS install will need to see.

If it doesn't, I don't see Sangoma EVER changing it. They will cite security concerns and legitimate issues with variations between distros for such a system level function.

Can it be fixed to run without the official distro? Absolutely.

Is it worth doing so? Probably not, unless someone is really committed to upkeep. Otherwise simplify the core rules and post on Github as an example, maybe with the monitor process. Let folks hang themselves.
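A monitor process of the kind jerrm describes (authenticated IPs go onto a whitelist and off the gray/blacklists), as an added illustration written for this thread rather than voipfirewalld's own code. The log lines are constructed, abbreviated samples in the shape of Asterisk's "security" log channel, using documentation-range addresses; the failure threshold and the chain names fw-whitelist and fw-blacklist are assumptions. The iptables commands are collected as strings (a dry run), not executed.

```python
"""Whitelist/greylist/blacklist monitor driven by Asterisk security events.

Constructed example.  Event names follow Asterisk's security framework
(SuccessfulAuth, InvalidPassword, ...); everything else is assumed.
"""
import re
from collections import defaultdict

# Constructed, abbreviated security-log sample (only the fields parsed below
# plus a few for realism; real lines carry more key=value pairs).
SAMPLE_LOG = """\
[2018-08-01 10:00:01] SECURITY[2210] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="201",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-01 10:00:02] SECURITY[2210] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="admin",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-01 10:00:03] SECURITY[2210] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="202",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-01 10:00:04] SECURITY[2210] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="203",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2018-08-01 10:00:05] SECURITY[2210] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="203",RemoteAddress="IPV4/UDP/203.0.113.5/5060",UsingPassword="1"
[2018-08-01 10:00:06] SECURITY[2210] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="204",RemoteAddress="IPV4/UDP/192.0.2.99/5060"
"""

EVENT_RE = re.compile(
    r'SecurityEvent="(?P<event>\w+)".*?'
    r'RemoteAddress="IPV4/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[\d.]+)/\d+"'
)

FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID",
                  "ChallengeResponseFailed", "FailedACL"}
SUCCESS_EVENTS = {"SuccessfulAuth"}


def parse_events(text):
    """Yield (event, remote_ip) for every line carrying both fields."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group("event"), m.group("ip")


class ListMonitor:
    def __init__(self, threshold=3):
        self.threshold = threshold          # strikes before an IP is blocked
        self.whitelist = set()
        self.greylist = defaultdict(int)    # ip -> failure count so far
        self.blacklist = set()
        self.commands = []                  # iptables changes (dry run)

    def observe(self, event, ip):
        if event in SUCCESS_EVENTS:
            # The endpoint proved its credentials from this address: admit it
            # and clear earlier strikes.  This is the step that lets a phone
            # that moved to a new IP mid-call get back in once it re-registers.
            self.greylist.pop(ip, None)
            if ip in self.blacklist:
                self.blacklist.discard(ip)
                self.commands.append(f"iptables -D fw-blacklist -s {ip} -j DROP")
            if ip not in self.whitelist:
                self.whitelist.add(ip)
                self.commands.append(f"iptables -I fw-whitelist -s {ip} -j ACCEPT")
        elif event in FAILURE_EVENTS and ip not in self.whitelist:
            # Known-good addresses are not penalised for a mistyped password;
            # a production daemon would also age whitelist entries out.
            self.greylist[ip] += 1
            if self.greylist[ip] >= self.threshold:
                del self.greylist[ip]
                self.blacklist.add(ip)
                self.commands.append(f"iptables -I fw-blacklist -s {ip} -j DROP")

    def snapshot(self):
        return {"whitelist": sorted(self.whitelist),
                "greylist": dict(self.greylist),
                "blacklist": sorted(self.blacklist)}


def run_monitor(log_text, threshold=3):
    """Feed every parsed event to a fresh monitor and return it."""
    mon = ListMonitor(threshold)
    for event, ip in parse_events(log_text):
        mon.observe(event, ip)
    return mon


if __name__ == "__main__":
    monitor = run_monitor(SAMPLE_LOG)
    print(monitor.snapshot())
    print("\n".join(monitor.commands))
```

On the sample, 198.51.100.7 collects three failures and is blocked, 203.0.113.5 fails once and then authenticates, so its strike is forgotten and it is whitelisted, and 192.0.2.99 sits on the greylist with one strike. A real daemon would tail the log continuously rather than read a string, but the state transitions are the part that matters.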

 

chris_c_
After a quick look, the system admin functions used by the responsive freepbx voipfirewall appear to be minimal, mostly to get settings, and generate the fail2ban config.
1. Gets the GPG object to use for checking the hashes of code files before running them,
2. Gets the web root directory path for the asterisk management port aka freepbx web app,
3. Gets the ports used by all the services enabled on the PBX: the web portal itself, RTP, SIP, PJSIP, WebRTC, SMB, NFS, IAX, SSH, nodejs, HTTP provisioning, restapps, XMPP, TFTP, VPN, UCP, all of them. And categorizes them into zones like external, other, internal.
4. fail2ban-generate and fail2ban-start scripts.
 

chris_c_
UPDATE: it appears FreePBX dev and Aussie Rob Thomas at Sangoma is well in favor of the idea that anyone can modify this responsive VoIP firewall module by editing the open source code on GitHub to let it run without depending on the sysadmin module.
"There have been some discussions in this thread, but no-one’s come up with code that solves the fundamental problem - how do we make this secure WITHOUT using Sysadmin and its associated infrastructure?

And yes, firewall is 100% open source, and if you read the source, all the places that sysadmin is required is documented and explained, in the hope that someone smarter than me can figure out a way to do it 8)"

We should just write a tiny, bare bones replacement for sysadmin containing the minimal 4-5 functions in sysadmin module used by voipfirewall.
 

wardmundy
Just trying to get this down where the goats can get it...

So we have an open source module that makes 4-5 required function calls to an encrypted module with no source code, and you're still suggesting that this is open source code? Do we know what information is passed to and returned from the encrypted module with each system call? If not, this is NOT open source code.

If you know what goes in and what is expected to come out, then it might be an interesting project for @chris_c to tackle this fall. :smartass:

On the other hand, if you're passing a number (let's say 32) into a black box, and out comes an alphanumeric string (s%$486qm), then let's stop calling the module open source unless the formula is documented to go from 32 to s%$486qm. Otherwise, you're dependent upon an obfuscated component as the actual security mechanism which is perfectly fine. It's just not an open source module. It's PROPRIETARY! And, yes, we could substitute a new black box for theirs, but it's still PROPRIETARY because you're using the secret sauce in the black box as the security mechanism. Once it's revealed, your code is no longer secure because the bad guys can replicate exactly what you've done. Simple as that.

Rob is a gifted programmer, but he's not a magician. There's a reason he's making function calls to an encrypted component. Otherwise, the code would have been included in the "open source" module itself. :sorcerer:
 

wardmundy
If you can decipher the formulas used in the SysAdmin module, then I see no reason why you couldn't rely upon something like OAuth2 credentials to make the secret sauce both open source AND unique to each server. For some reason, Rob chose not to do that. Without knowing what the function calls actually do, there's no way to figure that out. It would be easy enough to pluck some OAuth2 credentials out of pjsip_custom.conf for those using Google Voice with GVSIP.
 

chris_c_
I looked more at the code, and got a reply from Rob with more details, learned that there are 2 parts to this Sysadmin: the Sysadmin PHP module for the FreePBX web interface, and the Sysadmin RPM package. Anyway, at the risk of putting my foot in my mouth, I really don't think I'll be putting my foot in my mouth about this. This code is not rocket science nor is it doing any mysterious black magic of any sort. The prospects of getting this FreePBX responsive voipfirewall working smoothly on PIAF IPBX is most definitely doable, greater than 99%.
 

chris_c_
I think the purposes for the Sangoma Sysadmin RPM are
1. for system security, both code integrity and to prevent hackers from stealing your data and from making financial charges on your SIP termination accounts etc., justifiable.
a. it computes the hash value of each PHP code file before it "includes" it or runs it, so that when a hacker has modified the PHP code file it detects that and halts the server, and
b. it calls system-level software such as iptables etc. as root so that the PHP app doesn't have to run code as a privileged or root user; this is justifiable, yet it's not the only secure way to run code as a privileged or root user,
2. for copyright, i.e. license protection, i.e. commercial revenue protection, justifiable.
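The hash-before-include check from point 1a, as an added illustration written for this thread and not the Sysadmin RPM's own mechanism. It uses a plain SHA-256 manifest where the post describes a GPG object; in a real deployment the manifest itself must be signed and that signature verified before the manifest is trusted, otherwise whoever can edit the PHP file can just as easily edit the hash list beside it. File names and contents are constructed in a temporary directory.

```python
"""Verify a code tree against a hash manifest before handing code to the loader.

Constructed example: manifest format, file names and contents are assumed.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Return (ok, problems); problems is a sorted list of (kind, relpath)."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append(("missing", rel))
        elif not hmac.compare_digest(sha256_file(path), expected):
            problems.append(("modified", rel))
    for rel in build_manifest(root):
        if rel not in manifest:
            problems.append(("unexpected", rel))   # a dropped-in file, not an edit
    return (not problems, sorted(problems))


def guarded_include(root, manifest, rel):
    """Return the file's source only if the whole tree still matches.

    Mirrors the "detect and halt" behaviour described above: on any mismatch
    refuse to proceed instead of executing altered code.
    """
    ok, problems = verify_tree(root, manifest)
    if not ok:
        raise RuntimeError(f"integrity check failed: {problems}")
    with open(os.path.join(root, rel), "rb") as f:
        return f.read()


def demo():
    """Build a tiny tree, snapshot it, tamper with one file, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {"admin.php": b"<?php echo 'ok';", "util.php": b"<?php // helper"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(root)
        clean_ok, _ = verify_tree(root, manifest)
        loaded = guarded_include(root, manifest, "admin.php")
        with open(os.path.join(root, "admin.php"), "ab") as f:
            f.write(b" // tampered")                 # constructed modification
        tampered_ok, problems = verify_tree(root, manifest)
        try:
            guarded_include(root, manifest, "admin.php")
            refused = False
        except RuntimeError:
            refused = True
        return clean_ok, loaded, tampered_ok, problems, refused


if __name__ == "__main__":
    print(demo())
```

Checking the whole tree rather than just the requested file is deliberate: an attacker who cannot alter admin.php may still drop a new file next to it and get it included indirectly, which is why "unexpected" entries are reported as failures too.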
 

chris_c_
QUESTION: For those who have a "sangoma schmoozecom linux 7 iso" already installed on any virtual machine, virtualbox, cloud server, physical machine, anywhere.
When you login, what's the output of this command:
echo $releasever

EDIT: Got it.
 

billsimon
Given that the security philosophy and mechanisms are completely different between IncrediblePBX and FreePBX Distro, but the Asterisk and FreePBX code are the same, why not just use FreePBX Distro if you want their security scheme?
 

chris_c_
Given that the security philosophy and mechanisms are completely different between IncrediblePBX and FreePBX Distro, but the Asterisk and FreePBX code are the same, why not just use FreePBX Distro if you want their security scheme?
Great question.
Because mid-call mobility isn't only for my PBXes.
I want all PIAF/IPBX users fans and community to get this looser VOIP Firewall GPL module so that all users' phones get mid-call mobility.
I want PBX users to be able to keep on running their preferred Debian OS, Raspbian OS, CentOS 7 OS, OpenVZ container VPS, etc.
I really don't want to force all PIAF/IPBX owners to reinstall their OS to SNG7 linux distro (which RPi PBX users can't even run!) in order to get this simple little VOIP Firewall GPL module, required to enable automatic mid-call mobility.
A bit of modification and the VOIP Firewall GPL module'll run on PIAF/IPBX just like all the other GPL modules.
 
