TUTORIAL Mid-call Mobility aka Handover, Handoff.

Discussion in 'PBX in a Flash 3' started by chris_c_, Aug 7, 2018.

Poll: Would you like me to make a video demonstrating this mid-call mobility aka handover?

  1. Yes pics and vids or it didn't happen: 4 vote(s), 100.0%
  2. No I got it: 0 vote(s), 0.0%
  1. chris_c_ (Active Member)

    Interesting paradox discovered: the FreePBX 14 responsive VoIP "firewall" module is free GPL, yet it requires the "incron" daemon RPM package (which watches for changes to file and directory inodes on the PBX server filesystem) and the "system admin" module to be installed first, which in turn requires "zend guard loader", used for running obfuscated PHP byte code, i.e. protected code whose source is not open, in order to hinder reading and/or reverse engineering it.


    For research purposes to see how much better these responsive firewall rules are in terms of how they allow for mid-call IP mobility, compared to the stock unresponsive firewall rules which prevent any mid-call IP mobility.

    1. Has anyone here got a FreePBX 14 server up and running with incron, system admin module, and firewall module?
    2. Can you get iptables to print to terminal its responsive firewall rules and share here?
     
    #21 chris_c_, Aug 10, 2018 at 10:25 AM
    Last edited: Aug 10, 2018 at 11:14 AM
  2. wardmundy (Nerd Uno)

    If it's encrypted code, it's NOT GPL code. Source code is required to comply with the GPL. Run!
     
  3. jerrm (Guru)

    It's not encrypted. The "voipfirewalld" daemon is bundled up in a phar archive, but there isn't even a password on it. Probably to make sure other system changes (like changing the global asmanager.php) won't impact the running firewall code.

    The source is available in the module's "phar" folder with no additional LICENSE, so is AGPLv3.

    I'll admit my first thought was the "module" was GPL, but the actual daemon was proprietary. That is not the case - it's all AGPLv3.
     
  4. chris_c_ (Active Member)

    Only the "system admin" module source code is encoded by Zend Guard Loader, which basically means that it's PHP byte code fed into the interpreter without getting compiled. I can understand why they do that to the system admin module: it's to protect that sensitive admin-level code from modification and stop bad guys from seeing how it works, so it's hard for them to attack the system. Security thru obscurity, not the best security, but better than wide open source when you have to choose between the two.
     
  5. jerrm (Guru)

    Have you tried to get it running?

    Sysadmin handles signing/code checking, and is required for the commercial modules. To my knowledge it is a distro-only module.

    I think Incron is a dependency of sysadmin, not of the firewall itself.

    Sysadmin also handles the hardware/network config for the distro. Quite possible some of the tables/config info the firewall module uses are from the sysadmin module.

    Odds of working out of the box on a non-distro system look slim. That said, I don't see anything in the overall structure that would require sysadmin if the config info was available. If someone took the time it could likely be opened up.
     
  6. jerrm (Guru)

    And to secure their commercial modules.
     
  7. jerrm (Guru)

    I fired up a FPBX13 Distro instance.

    Generated rules attached.

    Biggest question is where the packets get marked. Probably need to generate more traffic with a real config.
     


    #27 jerrm, Aug 10, 2018 at 12:30 PM
    Last edited: Aug 10, 2018 at 12:39 PM
  8. chris_c_ (Active Member)

    Looks like voipfirewall (or fpbxfirewall as it names its iptables chains) marks packets with a short numerical type code depending on which port and protocol they come into the firewall to keep track of what type of traffic each packet is, so as to easily know, after a packet gets routed around, what to do with the packet. On first look, it looks well thought out. PIAF/ipbx needs something like this, if not this actual GPL module, to let users get mid-call IP mobility to work effortlessly, no blockage by firewall simply because the client moved to a new IP address mid-call and the client is legitimately trying to reconnect.

    First question to find an answer for is, does this voipfirewall actually depend on functions from the protected system admin module? Or is the fact that voipfirewall "requires" a file from system admin only a formality such that voipfirewall doesn't really call any meaningful functions from the protected system admin module?
     
    #28 chris_c_, Aug 10, 2018 at 1:00 PM
    Last edited: Aug 10, 2018 at 1:05 PM
  9. jerrm (Guru)

    Nothing in the filter functionality requires sysadmin.

    The rule generation might need some of the system configuration sysadmin may provide. I'm not sure where the line is there.

    The voipfirewalld uses some of the sysadmin signature self-check functionality, but again that is not really relevant to the filtering functionality.

    The 1001 chains in the rule set are only to support the menu/checkbox configuration options of the GUI module.

    The core of the work is done with traditional iptables methods. There is a monitor process in voipfirewalld that adds successfully authenticated IPs to a whitelist and removes the same IPs from the gray/blacklists. Nothing in the monitor process beyond the self-check (as part of the voipfirewalld phar) is dependent on sysadmin.

    Does any of this work without the distro sysadmin - I don't know - someone with a CentOS install will need to see.

    If it doesn't, I don't see Sangoma EVER changing it. They will cite security concerns and legitimate issues with variations between distros for such a system level function.

    Can it be fixed to run without the official distro? Absolutely.

    Is it worth doing so? Probably not, unless someone is really committed to upkeep. Otherwise simplify the core rules and post on Github as an example, maybe with the monitor process. Let folks hang themselves.

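A worked sketch of the monitor process jerrm describes, as an added example that is not the FreePBX module's own code: it reads Asterisk security-log lines, whitelists an address on SuccessfulAuth and clears it from the gray/blacklist, and graylists then blacklists addresses that keep failing authentication. The log lines are constructed, the ipset set names fpbx_whitelist/fpbx_blacklist and the failure threshold are my own assumptions, and instead of calling ipset the code records the commands it would run so it executes offline. It also shows where mid-call mobility comes from: extension 2001 moves from 203.0.113.5 to 192.0.2.44, and the first successful auth from the new address opens it.

```python
import re
from collections import Counter

# Constructed sample of Asterisk security-log lines (the shape res_security_log
# writes). Addresses are documentation ranges; every value is made up.
SAMPLE_LOG = """\
[2018-08-10 12:30:01] SECURITY[2247] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-10 12:30:02] SECURITY[2247] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-10 12:30:03] SECURITY[2247] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="admin",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-10 12:30:10] SECURITY[2247] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="2001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2018-08-10 12:31:00] SECURITY[2247] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="2001",RemoteAddress="IPV4/UDP/192.0.2.44/5060"
[2018-08-10 12:31:01] SECURITY[2247] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="2001",RemoteAddress="IPV4/UDP/192.0.2.44/5060"
[2018-08-10 12:31:02] NOTICE[2247] chan_sip.c: some unrelated log line
"""

EVENT_RE = re.compile(r'SecurityEvent="(?P<event>\w+)"')
ADDR_RE = re.compile(r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/"]+)/\d+"')

# Events that count as a failed authentication attempt from the remote address.
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed",
                  "FailedACL", "RequestBadFormat"}


def parse_line(line):
    """Return (event, remote_ip) for a security-log line, or None for anything else."""
    ev, ad = EVENT_RE.search(line), ADDR_RE.search(line)
    if not ev or not ad:
        return None
    return ev.group("event"), ad.group("ip")


class ResponsiveMonitor:
    """Whitelist/graylist/blacklist state driven by authentication outcomes."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures   # assumed threshold, not the module's value
        self.whitelist = set()
        self.blacklist = set()
        self.graylist = Counter()          # ip -> failures seen so far
        self.commands = []                 # ipset commands this would run (dry run)

    def _run(self, cmd):
        # Hypothetical set names. A live deployment would subprocess.run() these, with
        # iptables chains that ACCEPT from fpbx_whitelist and DROP from fpbx_blacklist.
        self.commands.append(cmd)

    def handle(self, event, ip):
        if event == "SuccessfulAuth":
            # A phone that registered successfully (including one that just moved to a
            # new address mid-call) is trusted: clear gray/black state, open the address.
            self.graylist.pop(ip, None)
            if ip in self.blacklist:
                self.blacklist.discard(ip)
                self._run(f"ipset del fpbx_blacklist {ip}")
            if ip not in self.whitelist:
                self.whitelist.add(ip)
                self._run(f"ipset add fpbx_whitelist {ip}")
        elif event in FAILURE_EVENTS and ip not in self.whitelist:
            self.graylist[ip] += 1
            if self.graylist[ip] >= self.max_failures and ip not in self.blacklist:
                self.graylist.pop(ip)
                self.blacklist.add(ip)
                self._run(f"ipset add fpbx_blacklist {ip}")


def process_log(text, max_failures=3):
    """Feed every parseable line to a fresh monitor and return it."""
    mon = ResponsiveMonitor(max_failures)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            mon.handle(*parsed)
    return mon


if __name__ == "__main__":
    for cmd in process_log(SAMPLE_LOG).commands:
        print(cmd)
```

Running it prints one blacklist add for 198.51.100.7 and two whitelist adds, the second for the address extension 2001 moved to; the single ChallengeResponseFailed from the new address (a stale nonce after the move, say) only graylisted it, and the following success cleared that entry.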
     
  10. chris_c_ (Active Member)

    After a quick look, the system admin functions used by the responsive FreePBX voipfirewall appear to be minimal, mostly to get settings and generate the fail2ban config:
    1. Gets the GPG object to use for checking the hashes of code files before running them,
    2. Gets the web root directory path for the Asterisk management port aka FreePBX web app,
    3. Gets the ports used by all the services enabled on the PBX: the web portal itself, RTP, SIP, PJSIP, WebRTC, SMB, NFS, IAX, SSH, nodejs, HTTP provisioning, restapps, XMPP, t*f*t*p, VPN, UCP, all of them, and categorizes them into zones like external, other, internal,
    4. fail2ban-generate and fail2ban-start scripts.
     
  11. chris_c_ (Active Member)

    UPDATE: it appears FreePBX dev and Aussie Rob Thomas at Sangoma is well in favor of the idea that anyone can modify this responsive VoIP firewall module by editing the open source code on GitHub to let it run without depending on the sysadmin module.
    "There have been some discussions in this thread, but no-one’s come up with code that solves the fundamental problem - how do we make this secure WITHOUT using Sysadmin and its associated infrastructure?

    And yes, firewall is 100% open source, and if you read the source, all the places that sysadmin is required is documented and explained, in the hope that someone smarter than me can figure out a way to do it 8)"

    We should just write a tiny, bare bones replacement for sysadmin containing the minimal 4-5 functions in sysadmin module used by voipfirewall.
     
  12. wardmundy (Nerd Uno)

    Just trying to get this down where the goats can get it...

    So we have an open source module that makes 4-5 required function calls to an encrypted module with no source code, and you're still suggesting that this is open source code? Do we know what information is passed to and returned from the encrypted module with each system call? If not, this is NOT open source code.

    If you know what goes in and what is expected to come out, then it might be an interesting project for @chris_c to tackle this fall. :smartass:

    On the other hand, if you're passing a number (let's say 32) into a black box, and out comes an alphanumeric string (s%$486qm), then let's stop calling the module open source unless the formula is documented to go from 32 to s%$486qm. Otherwise, you're dependent upon an obfuscated component as the actual security mechanism which is perfectly fine. It's just not an open source module. It's PROPRIETARY! And, yes, we could substitute a new black box for theirs, but it's still PROPRIETARY because you're using the secret sauce in the black box as the security mechanism. Once it's revealed, your code is no longer secure because the bad guys can replicate exactly what you've done. Simple as that.

    Rob is a gifted programmer, but he's not a magician. There's a reason he's making function calls to an encrypted component. Otherwise, the code would have been included in the "open source" module itself. :sorcerer:
     
    #32 wardmundy, Aug 11, 2018 at 12:10 AM
    Last edited: Aug 11, 2018 at 12:54 AM
  13. wardmundy (Nerd Uno)

    If you can decipher the formulas used in the SysAdmin module, then I see no reason why you couldn't rely upon something like OAuth2 credentials to make the secret sauce both open source AND unique to each server. For some reason, Rob chose not to do that. Without knowing what the function calls actually do, there's no way to figure that out. It would be easy enough to pluck some OAuth2 credentials out of pjsip_custom.conf for those using Google Voice with GVSIP.
     
  14. chris_c_ (Active Member)

    I looked more at the code and got a reply from Rob with more details, and learned that there are 2 parts to this Sysadmin: the Sysadmin PHP module for the FreePBX web interface, and the Sysadmin RPM package. Anyway, at the risk of putting my foot in my mouth, I really don't think I'll be putting my foot in my mouth about this. This code is not rocket science nor is it doing any mysterious black magic of any sort. The prospects of getting this FreePBX responsive voipfirewall working smoothly on PIAF IPBX are most definitely doable, greater than 99%.
     
  15. chris_c_ (Active Member)

    I think the purposes for the Sangoma Sysadmin RPM are
    1. for system security, both code integrity and to prevent hackers from stealing your data, and to prevent hackers making financial charges on your SIP termination accounts etc., justifiable.
    a. it computes the hash value of each PHP code file before it "includes" it or runs it, so that when a hacker has modified the PHP code file it detects that and halts the server, and
    b. it calls system level software such as iptables etc. as root so that the PHP app doesn't have to run code as a privileged or root user; this is justifiable, yet it's not the only secure way to run code as a privileged or root user,
    2. for copyright i.e. license protection i.e. commercial revenue protection, justifiable.
     
    #35 chris_c_, Aug 11, 2018 at 3:33 PM
    Last edited: Aug 11, 2018 at 9:24 PM
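An illustration of the code-integrity check described in point 1a above, as an added example and not Sangoma's Sysadmin code: a manifest of SHA-256 digests is built for a set of PHP files, and each file is re-hashed and compared against the manifest before its source is handed to the interpreter; a mismatch or an unlisted file refuses the include. The files, their contents and the manifest format are constructed. Where the thread says Sysadmin obtains a GPG object for this, the example uses a plain digest manifest and leaves signing aside, so in practice the manifest itself would have to be signed or otherwise kept out of an attacker's reach for the check to mean anything.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class IntegrityError(RuntimeError):
    """Raised when a code file does not match its recorded digest."""


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each *.php file (path relative to root) to its SHA-256 hex digest.
    In a real deployment this is produced at build time and signed (e.g. with GPG)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*.php"))}


def verify_and_include(root, manifest, relpath):
    """Re-hash the file and compare with the manifest before returning its source.
    Unknown files and mismatches raise IntegrityError, which is where the daemon
    described in the thread would halt instead of running the code."""
    expected = manifest.get(relpath)
    if expected is None:
        raise IntegrityError(f"{relpath}: not listed in manifest")
    actual = sha256_file(Path(root) / relpath)
    if not hmac.compare_digest(expected, actual):
        raise IntegrityError(f"{relpath}: digest mismatch, refusing to include")
    return (Path(root) / relpath).read_text()


def demo():
    """Build a tree of constructed PHP files and exercise the three outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "firewall.php").write_text("<?php echo 'generate rules'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "helper.php").write_text("<?php function zones() {} ?>\n")
        manifest = build_manifest(root)

        # 1. untouched file: include succeeds and the source comes back
        results["clean_ok"] = verify_and_include(
            root, manifest, "firewall.php").startswith("<?php")

        # 2. file modified after the manifest was made: include refused
        (root / "lib" / "helper.php").write_text(
            "<?php function zones() { return 'changed'; } ?>\n")
        try:
            verify_and_include(root, manifest, "lib/helper.php")
            results["tamper_detected"] = False
        except IntegrityError:
            results["tamper_detected"] = True

        # 3. file dropped in that the manifest never listed: include refused
        (root / "extra.php").write_text("<?php ?>\n")
        try:
            verify_and_include(root, manifest, "extra.php")
            results["unknown_detected"] = False
        except IntegrityError:
            results["unknown_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest so the check does not leak timing information about the digest, and the manifest is keyed by relative path so a file copied into a different directory is not accepted under another file's digest.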
  16. chris_c_ (Active Member)

    QUESTION: For those who have a "sangoma schmoozecom linux 7 iso" already installed on any virtual machine, virtualbox, cloud server, physical machine, anywhere.
    When you login, what's the output of this command:
    echo $releasever

    EDIT: Got it.
     
    #36 chris_c_, Aug 11, 2018 at 3:38 PM
    Last edited: Aug 11, 2018 at 9:23 PM
  17. billsimon (Experienced in Asterisk, FreePBX, and SIP)

    Given that the security philosophy and mechanisms are completely different between IncrediblePBX and FreePBX Distro, but the Asterisk and FreePBX code are the same, why not just use FreePBX Distro if you want their security scheme?
     
  18. chris_c_ (Active Member)

    Great question.
    Because mid-call mobility isn't only for my PBXes.
    I want all PIAF/IPBX users, fans and community to get this looser VoIP Firewall GPL module so that all users' phones get mid-call mobility.
    I want PBX users to be able to keep on running their preferred Debian OS, Raspbian OS, CentOS 7 OS, OpenVZ container VPS, etc.
    I really don't want to force all PIAF/IPBX owners to reinstall their OS to the SNG7 Linux distro (which RPi PBX users can't even run!) in order to get this simple little VoIP Firewall GPL module, required to enable automatic mid-call mobility.
    A bit of modification and the VoIP Firewall GPL module'll run on PIAF/IPBX just like all the other GPL modules.
     
