This is a VERY IMPORTANT concept to understand about PBX In a Flash.
Ward and company take security very f____ing seriously. I mean VERY F_____ing seriously. It is the 2nd item in their mission statement.
Because of that, everything possible is done to keep the system 'tight'.
When you install PIAF it installs/configures three things:
iptables
fail2ban
PortKnocker
iptables is the firewall that runs on the server. It is set to NOT allow ANY TRAFFIC on ANY PORT except from a few known SIP providers and the IP address of the machine you installed from. Read that sentence a few times. If you are on an ISP that changes the IP address you installed from, you cannot get back onto your machine.
fail2ban watches for login attempts from addresses that are not allowed and BANS that IP from logging in for a period of time. IT READS the values in IPTABLES and updates IPTABLES to BAN the bad IP.
PortKnocker - this is YOUR LIFELINE. It is YOUR BACKDOOR into YOUR system. What PortKnocker does is this: if YOU send traffic to a specific series of ports, it updates iptables with that machine's IP address and lets you in.
Now let's put this in practice.
You have an ISP at your house that changes your IP a lot. You host at woot and you have pointed pbx.mypbx.com at the server's IP.
Day 1 - your IP is 123.123.123.123 - you install and configure.
Day 2 - your ISP changed your IP to 123.231.231.231 - you try to log in. Nope, iptables doesn't know that IP address. You can't get in. Now you use nmap and the knock string that was in your /root/portknocker.faq - your IP is now added to iptables and you can log in.
Now how do you solve this long term? There are a few ways.
One way is to add a block of IPs to iptables. Most ISPs stay within a block. Generally a /16 will work, so you could do: /root/add-ip MyIsp 123.123.123.0/16 - then hit enter, hit enter again, then choose option 0 for all traffic.
Another way is to spend the money for a dedicated IP.
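To make the Day 1 / Day 2 story concrete, here is an added example (not PIAF's own PortKnocker or add-ip code) that models what the post describes: a per-source tracker that watches for hits on a series of ports and, once the whole sequence arrives in order inside a time window, records that source as allowed; it also checks whether a second address falls inside the /16 block from the add-ip step. The knock ports, the window and the sample hits are constructed placeholders, not the values from /root/portknocker.faq.

```python
"""Added example modelling the post's PortKnocker and add-ip ideas.
Not PIAF's code; KNOCK_SEQUENCE, KNOCK_WINDOW and the sample IPs are constructed."""
import ipaddress
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = [7000, 8000, 9000]   # placeholder knock sequence
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the sequence


class KnockTracker:
    """Tracks each source IP's progress through KNOCK_SEQUENCE."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = list(sequence)
        self.window = window
        # src_ip -> (index of next expected port, time of the first knock)
        self.progress: Dict[str, Tuple[int, float]] = {}
        self.allowed: List[str] = []  # sources that completed the sequence

    def observe(self, src_ip: str, port: int, ts: float) -> bool:
        """Feed one observed packet; returns True when src_ip completes the knock."""
        idx, started = self.progress.get(src_ip, (0, ts))
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts          # too slow: the sequence starts over
        if port != self.sequence[idx]:
            # Wrong or out-of-order port (e.g. a plain scan): forget all progress,
            # so only the exact ordered series opens the door.
            self.progress.pop(src_ip, None)
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            if src_ip not in self.allowed:
                self.allowed.append(src_ip)
            return True
        self.progress[src_ip] = (idx, started)
        return False


def iptables_allow_rule(src_ip: str) -> str:
    """The accept rule PortKnocker would need to add for a source that knocked correctly."""
    return f"iptables -I INPUT -s {src_ip} -j ACCEPT"


def in_isp_block(ip: str, cidr: str) -> bool:
    """Does ip fall inside the block given to add-ip? strict=False normalises
    123.123.123.0/16 to 123.123.0.0/16, the same way the kernel treats it."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
```

Note that the post's Day 2 address 123.231.231.231 is not inside 123.123.123.0/16, so the /16 fix only helps when the ISP really does stay within one block; check your own ISP's range before relying on it.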
------------
Yes, I find this security VERY annoying. However, I truly understand it. If I had a call center with 500 phones and was spending thousands a month at a sip provider, this is the ONLY way I would run the system.