ViciBox 10 Firewall white/dynamic list setup

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Postby Kumba » Fri Apr 01, 2022 5:50 pm

So one bug and one issue were recently fixed in VB-firewall.pl. The bug was causing entries destined for the dynamic list to be written to the blacklist, as initially reported by vkad. The second issue was automatically adding RFC1918 IP space to the white list, which caused unintended and unintuitive firewall operation. Below is how you set up the white/dynamic lists in the ViciBox firewall and how it all operates together.

To get these updates, simply do a 'zypper ref & zypper up' to install them.

Setting up the IP Lists in ViciDial:
1) Log into ViciDial
2) Go to Admin --> System Settings
3) Change "Allow IP Lists" to 1 and save
4) Go to Users and click on your admin user (i.e. 6666)
5) Set Modify IP Lists to 1 and save
6) Repeat steps 4 and 5 for any other admin users you want to be able to adjust the whitelist
7) Go to Admin --> IP Lists
8) Click on "Add An IP List" (if 'ViciWhite' is already listed, just click on this and skip to step 12)
9) The IP List ID should be 'ViciWhite' (You can name it something else, but you'll need to use the --whitelist= option with VB-firewall)
10) The IP List Name can be whatever you want like 'Firewall Whitelist', but there needs to be something there
11) Click on Submit to save the new IP List and bring up the window allowing us to add entries
12) Add any IPs you want to include on the IP list. One IP per line.
13) Once you're satisfied with the IPs on the list, click submit to save the changes.

You can also do CIDR entries in step 12, but ViciDial itself won't be able to understand them. If you want to IP-restrict agents to specific campaigns, I would suggest having different IP lists for ViciDial to use and then the one IP List for just the firewall.

Now modify the crontab for white/dynamic list:
1) run 'crontab -e'
2) Go to the very bottom of the crontab and change the firewall entries to this (If you just want white listing, remove the '--dynamic' from the above two lines) :
Code:
@reboot /usr/bin/VB-firewall --white --dynamic --quiet
* * * * * /usr/bin/VB-firewall --white --dynamic --quiet

3) Press CTRL-X to exit
4) Press 'Y' to save the changes to the crontab and then hit enter

Now to setup the network/firewall configuration:
1) Run 'yast lan'
2) Go to the 'Interfaces' section in the left window and press enter
3) Assign any network device with a LAN IP (192.168.X, 10.X, etc) to the 'trusted' zone
4) Assign any network device with an Internet IP to the 'Public' zone
5) Go to the 'public' section in the left window and press enter
6) Remove all allowed services except for 'rtp' and 'dhcpv6-client' (You can also remove dhcpv6-client if you're not using IPv6)
7) Go to the 'external' section in the left window and press enter
8) Make sure 'apache2', 'apache2-ssl', 'asterisk', and 'rtp' are listed here
9) Once all the above is complete, press ALT-A or F10 to accept and save the changes made
10) Run 'service firewalld restart' to clear out the network config and reload all your changes in; this will also reset network access, so be careful if doing this remotely
11) Run 'VB-firewall --white --dynamic' to load up the IPs from your lists; you can add --debug to get extra output

Now for the harder part, to understand what VB-firewall and firewalld are doing to control access.

Firewalld will process any traffic received on a network device (NIC) through the zone that network device is assigned to. That's why it's important to make sure your NICs are in the correct zone. Here's how the zones should be interpreted in firewalld:
Public - Trust no one, assume everything here is hostile to you by default, also they don't like cats
External - You know who these people are, but still want to limit what they can have access to, they like cats just not your cat
Trusted - This is the guy in the break room eating other people's lunches, has access to everything, and your cat likes them more than you

VB-Firewall integrates with firewalld to act as an IP-based zone assignment system at a global network level. This means that any IP added to the white or dynamic list, regardless of what device that IP is received on, will be processed through the external zone. So if you added 192.168.10.4 to the whitelist, even though this IP originates on your internal 'trusted' LAN, firewalld will assign this IP to the 'external' zone and limit its access to those services. This is why the RFC1918 inclusion option in VB-firewall.pl is now disabled by default. Previously it would add the whole RFC1918 IP space to the white list, causing all sorts of cluster issues since things like MariaDB/MySQL are not allowed services in the 'external' zone. You can still add the RFC1918 IP space to the whitelist, but you'll need to use the '--addrfc1918' option in the VB-firewall.pl entry in the crontab.

There is still a firewalld bug (an actual them-not-me bug) where firewalld will intermittently get into a runaway state. When this happens firewalld will consume 100% of a CPU and eventually drop all network connectivity. This seems to be related to a large number of IPs in an IPSet, which makes it more prevalent with black listing than white listing. Generally this condition only seems to trigger when core network changes are made inside 'yast firewall' or 'yast network'. The work-around so far has been to make the changes you need inside yast and then reboot to clear this condition. Alternatively, sometimes this can be cleared up by doing a 'service firewalld restart', although sometimes firewalld itself goes unresponsive. Once you have the core networking done and set up though, things run stably without incident.
Kumba
 
Posts: 920
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida
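The post makes two points that are easy to get wrong when filling in the ViciWhite list: CIDR entries load into the firewall but ViciDial itself cannot read them, and any RFC1918 address you whitelist gets moved into the restricted 'external' zone even though it arrives on the 'trusted' NIC. The following script is an added example, not part of Kumba's post or of ViciBox, that pre-checks a list file before you paste it into Admin --> IP Lists. The sample list at the bottom is constructed; the class names (public, public-cidr, rfc1918, rfc1918-cidr, invalid) are this example's own labels, not VB-firewall terminology.

```shell
#!/bin/sh
# Added example, not from the ViciBox project or the post above: pre-check a
# ViciWhite list before pasting it into Admin -> IP Lists. Each entry is
# classified so you know what VB-firewall will do with it:
#   public        plain IPv4, fine for the firewall and for ViciDial
#   public-cidr   CIDR block: VB-firewall accepts it, ViciDial itself will not
#   rfc1918*      LAN address: VB-firewall moves it to the 'external' zone even
#                 though it arrives on the 'trusted' NIC, so cluster traffic
#                 such as MariaDB/MySQL from that host would be blocked
#   invalid       not an IPv4 address or prefix, would not load cleanly

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_rfc1918 ADDR -> 0 if ADDR is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# classify_entry ENTRY -> prints public, public-cidr, rfc1918, rfc1918-cidr or invalid
classify_entry() {
    addr=$1 suffix=""
    case "$1" in
        */*)
            prefix=${1#*/}
            addr=${1%%/*}
            case "$prefix" in ''|*[!0-9]*) echo invalid; return 0 ;; esac
            [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || { echo invalid; return 0; }
            suffix="-cidr" ;;
    esac
    is_ipv4 "$addr" || { echo invalid; return 0; }
    if is_rfc1918 "$addr"; then
        echo "rfc1918$suffix"
    else
        echo "public$suffix"
    fi
}

# check_list FILE -> prints "<class> <entry>" for each non-blank, non-comment line;
# returns 1 if anything was invalid so it can gate a script
check_list() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        class=$(classify_entry "$line")
        printf '%-13s %s\n' "$class" "$line"
        [ "$class" = invalid ] && bad=1
    done < "$1"
    return "$bad"
}

# Constructed sample list, not from any real deployment; prints the temp file path.
sample_list() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# office static IP
203.0.113.10
198.51.100.0/24
192.168.10.4
10.0.0.0/8
300.1.2.3
EOF
    printf '%s\n' "$tmp"
}

list=$(sample_list)
if check_list "$list"; then
    echo "list is clean"
else
    echo "fix the invalid entries before clicking Submit"
fi
rm -f "$list"
```

To check a real list, call check_list with the path of the file you are about to paste; the rfc1918 lines are the ones that will stop working against MariaDB/MySQL once the firewall loads them, so they belong in a ViciDial-only list rather than in ViciWhite unless you also run with --addrfc1918 as described above.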

Re: ViciBox 10 Firewall white/dynamic list setup

Postby Kumba » Mon May 02, 2022 9:10 pm

Just fixed an issue where dynamiclist ipset wasn't included as part of the 'external' zone as reported by covarrubiasgg. You can do a 'zypper up' to pull in that update now.

If you have made any changes to the external zone you might get a message like "warning: /etc/firewalld/zones/external.xml created as /etc/firewalld/zones/external.xml.rpmnew". In that case you will need to manually add the ipset by running the following:
Code:
firewall-cmd --permanent --zone=external --add-source=ipset:dynamiclist

You can also run the above command just to make sure it's in there. Worst case, it will tell you that the IPSet is already enabled.

The last thing you should do is either reboot or reload the firewall with 'firewall-cmd --reload'. You should now have a working dynamiclist firewall.
Kumba
 
Posts: 920
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida
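When zypper leaves an external.xml.rpmnew behind, the live zone file is whatever you last edited and may be missing the dynamiclist source (this post) or one of the services the first post expects in 'external'. The script below is an added example, not ViciBox tooling, that inspects a zone file offline with grep and prints the firewall-cmd lines that would add whatever is missing, without touching the firewall itself. The embedded external.xml is a constructed sample; the --add-service flag is standard firewall-cmd, and the --add-source=ipset:dynamiclist line is the one from the post.

```shell
#!/bin/sh
# Added example, not ViciBox's own tooling: check a saved firewalld zone file
# (e.g. /etc/firewalld/zones/external.xml, or the external.xml.rpmnew that zypper
# leaves when the live file was edited) for the pieces the posts expect in the
# 'external' zone. It reads the XML with grep instead of calling firewall-cmd, so
# it runs offline against a copy and never changes the firewall; it only prints
# the firewall-cmd lines that would add what is missing.

# zone_has_service FILE NAME -> 0 if FILE contains <service name="NAME"/>
zone_has_service() {
    grep -Eq "<service[[:space:]]+name=\"$2\"" "$1"
}

# zone_has_ipset FILE NAME -> 0 if FILE contains <source ipset="NAME"/>
zone_has_ipset() {
    grep -Eq "<source[[:space:]]+ipset=\"$2\"" "$1"
}

# missing_external_bits FILE -> one firewall-cmd line per missing item;
# returns 1 if anything is missing, 0 if the zone already has it all
missing_external_bits() {
    missing=0
    for svc in apache2 apache2-ssl asterisk rtp; do
        zone_has_service "$1" "$svc" || {
            echo "firewall-cmd --permanent --zone=external --add-service=$svc"
            missing=1
        }
    done
    zone_has_ipset "$1" dynamiclist || {
        echo "firewall-cmd --permanent --zone=external --add-source=ipset:dynamiclist"
        missing=1
    }
    return "$missing"
}

# Constructed sample of a hand-edited external.xml from before the dynamiclist fix;
# prints the temp file path.
sample_zone_file() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>Constructed sample, not a real ViciBox zone file</description>
  <service name="apache2"/>
  <service name="apache2-ssl"/>
  <service name="asterisk"/>
  <masquerade/>
</zone>
EOF
    printf '%s\n' "$tmp"
}

zone=$(sample_zone_file)
if missing_external_bits "$zone"; then
    echo "external zone already has all expected services and the dynamiclist ipset"
else
    echo "run the lines above, then 'firewall-cmd --reload'"
fi
rm -f "$zone"
```

Against a real box, point missing_external_bits at /etc/firewalld/zones/external.xml; the lines it prints are the permanent-config fix-ups, and as the post says a 'firewall-cmd --reload' (or a reboot) is still needed afterwards for them to take effect.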

