@scottalanmiller said in FreePBX 14 Firewall Start Warning: @jaredbusch said in FreePBX 14 Firewall Start Warning: @scottalanmiller said in FreePBX 14 Firewall Start Warning: Well, we are one step newer, so that might be it. # fwconsole ma list | grep firewall | firewall | 13.0.46.1 | Enabled | AGPLv3+ | I do not know the CLI command to revert, but it is simple to do in the GUI. CLick "Check upgrades and then expand the Firewall and you will have a previous versions option. Tested and you are right, rolling back to 45.5 and the message goes away. You could upgrade to edge and see if it is different, but I would just wait for the next update.

ERL with an AC Lite AP at home as well as many clients. Zero issues.

@dashrender you could see opensips as a software version of this, but in high load scenarios or in transcoding the example @scottalanmiller gives about restricted instruction sets on the video chip is a great example. If Asterisk was created after SIP standards were made it probably would have some type of domain filtering that would make the mobile issue a very easy fix. That being said the responsive firewall was a huge leap forward, but i don’t see anything in their big requests that indicates they are going to go further. I’ve not tried to use the Sangoma SBC or to fix the issue since I’ve moved on. I’m guessing the domain for mobile access is very low amongst FreePBX users, or maybe it’s used on desktops inside a LAN that is not using the responsive firewall.

All the time. I only know this from having to log in every time the firewall gets behind and blocks the remote phones using responsive firewall. I do think FreePBX is great, don't get me wrong. These are some the reasons I still prefer a freeswitch based deployment and enforcing domains as part of authentication. Almost all attempts to brute force authenticate are dropped simply because they don't know the domain (realm) being used and they quickly give up. There is a lot more that I like over FreePBX in my current setup but that has more to do with trying to be a service provider. For a single installation my only gripe is the way the firewall works, how do people use Bria and roam around. That being said they could close that gap at any moment and my only complaint would be the delicacy of updating systems or uploading the wrong format of an audio file. Which apparently only bigbear has ever had problems with. Lol.

The resellers used to do it manually and charged $1 a phone, which is why I think adoption stalled. Plus documentation is horrible. Once you are in the portal its pretty obvious what can be done. I have linked my GUI so that when you add a phone's mac address to my service it uses Yealink API to automatically configured RPS.

@jaredbusch - I thought that is what you meant but did a double-take. LOL

Additionally, I'm looking at the firewall settings Is this expected? I get the list of my trusted items, it shows an empty list for other, but local, internet, and rejected all provide zero feedback. I have the Let's Encrypt sites added to local on the same page as I have my trusted sites added, yet they don't show up as seen above. Thoughts? This makes me think that I have somehow disabled the local zone

Before you can get in to what OS to run the clients on, do you have to ask what apps the business needs to run? If they need some kind of CAD package and it's only offered on Windows, the linux client goes out the window. (pun intended)

@jaredbusch said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost: @nashbrydges said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost: @jaredbusch said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost: @nashbrydges said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost: @brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost: I've been using an ERL at home for a while and have them deployed at several business. Zero complaints and I recommend them all the time. I wish I could use it at home. I'm on Bell Canada ftth and they use a different vlan for iptv and internet. All of the online guides I've seen haven't been able to get me to use my ERL and Bell won't give up which VLANs they use. No one hasd figured this information out yet? Sadly not yet, at least not that my Google-fu has allowed me to find. I am a bit amazed because it should only take a mirrored switch port and wireshark to find VLAN tags. This was my thinking as I was reading the posts. This is /should be pretty easy to figure out.

@whoolly said in Switchvox phone issues: Vendor insisted he has never had any VOIP issues with Sonicwall and didn't want to budge on that. Even while it doesn't work. So you know that he'll say this to other customers now, even after this one. Chances are, he's had problems at all customers. SonicWall is culprit #1 for VoIP issues. I mean that literally. I get a call that someone has VoIP audio issues, my first question is always "Do you have a SonicWall?" Nine times out of ten, the answer is yes and nine times out of those ten, the SW was the issue. It's nearly a sure bet with audio issues. Had you led this question purely with "I have these audio issues..." we'd have said "I bet you have a SonicWall."

Just wanted to add @bj to this thread that I think a $100-ish Cloud Router from Mikrotik would blow most hardware away, including Ubiquiti, on pure performance. With the $50 and under models you are still getting 1 million PPS. The new cloud router series really has a crazy amount of power. This still coming from a pure PPS (packets per second) point of view. I think the cheapest cloud router has 12 to 16 cores That would only count for the core routers I am more familiar with (12 to 24 now) in the $500 range. Very poor marketing in the states but very popular with western country WISPS.

@Dashrender said in Cross Post - Help sorting out a Firewall Issue on a Debian Box: A default gateway on the debian box? My thought. I don't think I've seen a system firewall not accept icmp by default. If you stop iptables and still can't ping it's not the firewall.

Factory Reset, Setup, Disable Hardware Checksum Offloading, Works Prefect.

Oops.

@aaronstuder said in Vultr Adds a Free Firewall Service: Is it just me, or is Vultr killing it recently? Are they? With Linode's improved pricing, Vultr still is trailing for us in most use cases. It's a bit too costly and a bit too slow. We just get way more bang for the buck with Linode and Linode has load balancers which I think are a bit more important than firewalls. Vultr is doing well, but killing it seems a bit far as we are migrating off in several cases because it just isn't the best value compared to it's more mature competitor any longer. It's definitely doing better than Digital Ocean these days, though.

@Reid-Cooper said in Fortinet Experiences: I guess it matters then... who else is on the list? What about Sophos, are they an option? Looks like only their disk encryption is. Here is the list: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.

@Reid-Cooper said in Open source Firewall: pfSense was really good in the past. But I agree, the days of building your own firewall on an old PC that you have are over. Right - the cost just isn't worth running your old PC. Power alone will cost more than the cost of an ER-X or ER-L.

The last step there, "Networks" is still functionally the same, but the GUI has been updated.

@scottalanmiller said in Barracuda Borks Firewalls with Automatic Update: @Dashrender said in Barracuda Borks Firewalls with Automatic Update: ERL for crying out loud! Keep one on spare for just these kinds of emergencies! lol I was thinking the same - most can probably afford to just keep this on the shelf in case of an issue.

By default, traffic will pass between VLANs 1 & 2, unless you go into the firewall & add rules to deny traffic

@stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7: @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7: @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7: @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7: @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7: @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7: Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go? XML I think. That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult. Ya it's not bad at all. Here's the config from my Identity Management server. It's pretty similar to /etc/sysconfig/system-config-firewall on RHEL 6, just in zone specific XML files. <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <service name="http"/> <service name="https"/> <service name="ntp"/> <service name="dhcpv6-client"/> <service name="kerberos"/> <service name="ldaps"/> <service name="ssh"/> <service name="dns"/> <service name="ldap"/> </zone> Those services are predefined right? You can also build your own services via the same process. Ya and you can define specific ports. I prob could have grabbed a better example. No, I think I've got it just need to investigate actually setting these up.

@RobLewisss said in Linux Iptables Firewall Automation: @JulianJulian Thanks mate! I just downloaded the agent. I'll let you guys know how it works. I also downloaded the agent to one of my Linux systems. It was very quick and simple. The cloud interface picked up the installed agent imediately and I was able to manage it right there. There are different groups that you can place each agent for different rules. Definitely worth testing. Up to 5 servers for free!

@travisdh1 Workaround? Use iptables? Fedora? CentOS6? Ubuntu? Hm.....

@scottalanmiller said: @JaredBusch said: @scottalanmiller said: @JaredBusch said: @scottalanmiller said: @JaredBusch said: While I have never made a how to with a port range, the basic firewalld syntax is used all over the place on this forum by me and every system that I have ever seen that accepts a port range does so with the range hyphenated from lower boundary to upper boundary. I would have thought that this was a colon, though, not a hyphen. I have never seen it commonly used with a colon to represent a range Native IPTables. I rarely work with native IPTables. That would explain a difference in point of view. Yeah, and for me I pretty much have done raw edits on /etc/sysconfig/iptables and never used external tools. Now with FirewallD I'm relearning the syntax for everything on Linux firewalls. Well, at least I'm not the only one then. Learning how to use firewall-cmd still feels a bit odd.

@dafyre said: Scratch that... I was able to figure it out. The configuration that you posted by default denies everything but SSH. Thanks! Correct

@Dashrender said: @johnhooks said: @scottalanmiller said: @johnhooks said: @scottalanmiller said: @johnhooks said: I think it still runs Linux, so yo could probably do most of that. However that kind of defeats the purpose of being centrally managed. VyOS, it is extremely capable. We've been on VyOS or its parent Vyatta for a very, very long time. Ya EdgeMax is, does the USG run VyOS? Yes, they all do the same stuff under the hood. Ok, I didn't realize that. But like I said, I think needing to dig into the cli on the USG kind of defeats the purpose of having everything centrally managed by the controller. I thought I mentioned it's not about fully managing, it's more about the reports/graphs. Yes it's a bit more expensive... Ah I missed that.

@travisdh1 said: @Dashrender said: I've never understood how viruii got around AV products on machines running them. It's my understanding this is somehow possible because of other unpatched flaws in the OS, even though the AV knows about the virus, the virus can still get in through the OS flaw, then using that flaw disable the AV, and pwn the machine. Do I understand that incorrectly? It's normally through another piece of software than the OS today actually. Microsoft finally got most of the holes in their swiss cheese plugged. Ironically, the programming code that many AV use also creates a hole for malware to enter through. Wish I had a few minutes to find those articles that hit recently. yeah I read those too - darn AV companies!

@Dashrender said: @scottalanmiller said: @Dashrender said: So if the OP wants to do web filtering and firewall services - what stuff should he buy? Same thing that I keep saying... ERL and Squid. I just wanted you to post it again LOL. There it is.