Wednesday, May 4, 2016

CSF firewall installation and configuration for VOIP/PBX systems - Part 2

After the installation of the CSF firewall and Webmin in part 1 of this document, part 2 concentrates only on configuring the firewall. The configuration to be done is described in the steps below.

a. Allowing IPs/IP blocks with full access to the server.
You may start the configuration by adding your own block, which should have full access to the PBX/VOIP system. Full access means the IPs have access to all ports on the server. These IPs should be your private LAN IPs, or your ISP IPs if you are configuring a service provider's VOIP/PBX system. To do so, log on to your system via https://serverip:1000, go to System > ConfigServer Security & Firewall, then in the csf - ConfigServer Firewall section add your IPs/IP blocks to Quick Allow and Quick Ignore, as seen in the example below:

Don't forget to click on Quick Allow and Quick Ignore to save the entries to the configuration file.
You should also add your VOIP provider's IP if your system connects to an online VOIP provider; otherwise you might experience issues when calls are routed to the VOIP provider.

b. Allowing specific ports for IPs/IP blocks without full access.
Now go to Firewall Configuration to add the ports that should be accessible to anyone without full access to the server. If your VOIP system is accessible from the Internet, these are the ports that will be seen directly from the Internet.
You may allow as many outgoing ports as you like, but you should restrict the ports coming in to your server to the minimum you can. As far as my research goes, the ports below work fine for PBX/VOIP systems:

   i. Incoming
Only allow VOIP/PBX ports 5060:5061, plus 10001:20000, which are used as media ports for some PBX systems, so the setup may look as below.
       a. TCP
           5060:5061

       b. UDP
           5060:5061,10001:20000

   ii. Outgoing
As I said, you may allow as many outgoing ports as you like; there is no problem with this.

       a. TCP
           20,21,22,25,53,80,110,113,443
       b. UDP
           20,21,53,113,123,1000:65000

So the settings will look as below:

c. Blocking ping from outside
You may also need to block ping from outside as a security measure. To do so, search for Allow incoming PING and change it from ON (1) to OFF (0).



d. Enabling the firewall
When all the configuration is done, you should enable the firewall so that it is operational on your server. Go back to the beginning of the configuration file, look for the TESTING part and turn it off, as seen below:

e. Testing the firewall
After enabling the configuration, you should test the firewall to make sure it works as intended. Below are hints for testing.

- Test whether all PBX users are able to call via the PBX, and also monitor whether they can hear the voice with the required quality.
- Test whether users coming from restricted IPs are able to access the admin interface of the PBX/VOIP system, i.e. any traffic going to port 80/443. They should not, as access should only be available to allowed IPs.
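
A configuration check for steps b to d, added here as an example and not part of the original post: it reads csf.conf text and reports incoming ports outside this post's list, ping that is still allowed, and testing mode that is still on. It assumes the standard csf.conf key names (TCP_IN, UDP_IN, ICMP_IN, TESTING); the sample configuration is constructed.

```python
import re

# Incoming policy from step b of this post, in csf.conf port-list syntax.
ALLOWED_IN = {"TCP_IN": "5060:5061", "UDP_IN": "5060:5061,10001:20000"}

# Constructed sample, not taken from a real server.
SAMPLE = '''
# Testing flag
TESTING = "1"
TCP_IN = "22,80,443,5060:5061"
UDP_IN = "5060:5061,10001:20000"
ICMP_IN = "1"
'''

def parse_conf(text):
    """Return {KEY: value} for every KEY = "value" line; comments are skipped."""
    pattern = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')
    return {m.group(1): m.group(2) for m in map(pattern.match, text.splitlines()) if m}

def ranges(spec):
    """Turn '5060:5061,10001:20000' into [(5060, 5061), (10001, 20000)]."""
    out = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition(":")
        out.append((int(lo), int(hi or lo)))
    return out

def audit(text):
    """List every way the config is looser than steps b-d of this post."""
    conf, findings = parse_conf(text), []
    for key, allowed in ALLOWED_IN.items():
        permitted = ranges(allowed)
        for lo, hi in ranges(conf.get(key, "")):
            if not any(a <= lo and hi <= b for a, b in permitted):
                shown = str(lo) if lo == hi else f"{lo}:{hi}"
                findings.append(f"{key}: port {shown} is not in {allowed}")
    if conf.get("ICMP_IN") != "0":
        findings.append("ICMP_IN: incoming ping is not switched off")
    if conf.get("TESTING") != "0":
        findings.append("TESTING: testing mode is not switched off")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a server, pass `audit()` the contents of /etc/csf/csf.conf; an empty list means the file is at least as strict as the settings in this post.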

There are a lot of settings which can be configured on the CSF firewall, but the above is the minimum that can be used to lock down your VOIP/PBX systems. Drop a comment if you face any problem implementing the settings.