[bug]: Firewall - Interfaces #94
Comments
can agree |
firewall v17.0.1.16 |
thanks a lot @Andsup for the quick response, will check this early next week. |
Hi @Andsup Can you share the structure of |
Hi,
The requested info :
root@pbx:~# ll -R /etc/network/
/etc/network/:
total 16
drwxr-xr-x 2 root root 4096 Apr 8 16:01 if-down.d
drwxr-xr-x 2 root root 4096 Apr 8 15:59 if-post-down.d
drwxr-xr-x 2 root root 4096 Jan 2 05:43 if-pre-up.d
drwxr-xr-x 2 root root 4096 Apr 8 16:01 if-up.d
/etc/network/if-down.d:
total 8
-rwxr-xr-x 1 root root 372 Nov 11 23:21 openvpn
-rwxr-xr-x 1 root root 802 Jan 27 00:44 postfix
/etc/network/if-post-down.d:
total 4
-rwxr-xr-x 1 root root 145 May 8 2023 chrony
/etc/network/if-pre-up.d:
total 4
-rwxr-xr-x 1 root root 344 Dec 20 2022 ethtool
/etc/network/if-up.d:
total 16
-rwxr-xr-x 1 root root 145 May 8 2023 chrony
-rwxr-xr-x 1 root root 1685 Dec 20 2022 ethtool
-rwxr-xr-x 1 root root 385 Nov 11 23:21 openvpn
-rwxr-xr-x 1 root root 1185 Jan 27 00:44 postfix
drwxr-xr-x 2 root root 4096 Apr 8 16:01 if-up.d
***@***.***:~# uname -a
Linux xxxxxx 6.1.0-20-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64 GNU/Linux
***@***.***:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether fa:xx:xx:xx:xx:25 brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet xx.xx.xx.xx/32 metric 100 scope global dynamic ens3
valid_lft 82457sec preferred_lft 82457sec
inet6 fe80::f816:3eff:fe3a:dc25/64 scope link
valid_lft forever preferred_lft forever
13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.y.y/32 scope global wg0
valid_lft forever preferred_lft forever
Best regards,
A. Léonard
|
Hi @Andsup How did you configure your network interfaces? Is it via the systemd network utility? We are using /etc/network/interfaces.d/, but it looks like you might be using systemd, due to which the interfaces are not working properly. Could you please quickly try to disable systemd network and let us know the behavior - |
This is a VPS with the standard Debian 12 image from the provider (OVH). So no physical access, only via the network: quite risky to modify the IP setup... Currently I activated firewalld, which does the job correctly, except that sometimes your code disables it. Moving away from a full home distro is quite challenging. |
thanks @Andsup I can understand playing with network settings might not be good for you. |
Hi,
Indeed systemd-networkd, systemd-resolved, systemd-networkd-wait-online … are active.
Via cloud-init network-config
***@***.***:~# systemctl | grep network
sys-devices-pci0000:00-0000:00:03.0-virtio0-net-ens3.device loaded active plugged Virtio network device
sys-subsystem-net-devices-ens3.device loaded active plugged Virtio network device
cloud-init-local.service loaded active exited Initial cloud-init job (pre-networking)
systemd-network-generator.service loaded active exited Generate network units from Kernel command line
systemd-networkd-wait-online.service loaded active exited Wait for Network to be Configured
systemd-networkd.service loaded active running Network Configuration
systemd-networkd.socket loaded active running Network Service Netlink Socket
network-online.target loaded active active Network is Online
network-pre.target loaded active active Preparation for Network
network.target loaded active active Network
***@***.***:~# systemctl status systemd-networkd.service
● systemd-networkd.service - Network Configuration
Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-04-18 19:00:30 CEST; 3 days ago
TriggeredBy: ● systemd-networkd.socket
Docs: man:systemd-networkd.service(8)
man:org.freedesktop.network1(5)
Main PID: 433 (systemd-network)
Status: "Processing requests..."
Tasks: 1 (limit: 2295)
Memory: 2.2M
CPU: 326ms
CGroup: /system.slice/systemd-networkd.service
└─433 /lib/systemd/systemd-networkd
Apr 19 18:45:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link UP
Apr 19 18:45:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Gained carrier
Apr 19 18:48:13 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link DOWN
Apr 19 18:48:13 pbx.wiseavocats.be systemd-networkd[433]: wg0: Lost carrier
Apr 19 18:48:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link UP
Apr 19 18:48:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Gained carrier
Apr 19 19:06:13 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link DOWN
Apr 19 19:06:13 pbx.wiseavocats.be systemd-networkd[433]: wg0: Lost carrier
Apr 19 19:06:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link UP
Apr 19 19:06:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Gained carrier
|
Thanks @Andsup for the prompt reply. So this explains why you are seeing different behavior. Currently FreePBX is depending on /etc/network/interfaces.d/, so we need to see how we can optimize to use either networkd, or stop networkd and force users to use "/etc/network/interfaces.d/". |
@kguptasangoma Don't know if that helps. We also use a Debian 12 VM from a provider. systemd is also inactive: root@bitpbx:~# systemctl status systemd-networkd.service |
hi @nobe80 Are you also facing the same issue? |
Yes, we also faced the same issue, but we don't want to use the FreePBX firewall. For us it is enough to rely on fail2ban. |
@nobe80 W.r.t. that IP changing every day, you could always add the FQDN as the name in the networks and it will resolve to whatever the active IP address is on that day and allow access... Combined with the responsive firewall features and fail2ban sync, it may get you where you want to be. |
@dolesec No, that is too complicated, because you have to set up DNS too for every customer. We don't need the firewall; fail2ban is enough for us. With fail2ban and good passwords, brute-force attacks become useless. |
Understood, just wanted to be sure you knew that was available... Many firewalls such as Meraki assign a DDNS address to the active WAN interface for the firewall - I use this name in my network definitions as a trusted network... It's worked well thus far. |
thanks @dolesec :) |
I loaded up the beta on a fresh Debian 12 today (Azure canned instance) and I have the same issue. There is no /etc/network/interfaces.d directory. The system is running systemd-networkd I masked and disabled systemd-networkd and systemd-networkd.socket services and created an interfaces file in /etc/network. |
Same issue here. Installed FreePBX17 via install script on Debian 12 using DigitalOcean. I moved the config for the internet facing interface/subinterface to a config file in interface.d to resolve:
|
This issue also exists on AWS Debian 12 AMI. We are unable to modify the network settings also, due to it being in the cloud. ● systemd-networkd.service - Network Configuration |
Please refer to #127, where if the system is NOT using "networkd" then FreePBX can be used to configure the networks; otherwise let the user manage the network configuration via the networkd utility. Thanks |
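The two points the maintainers make above (FreePBX enumerates interfaces from /etc/network/interfaces.d/, and #127 makes it step aside when networkd is in charge) as an added shell example. This is not FreePBX's own code: it decides which tool owns the network configuration from the `systemctl is-active` state, and it enumerates interfaces from `ip a` output so that an interface defined outside interfaces.d (the reporter's WireGuard `wg0`) is still seen. The sample `ip a` text is constructed after the one posted in this thread, with placeholder addresses; the function names and the `--live` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not FreePBX's code. Two checks for the situation in this thread:
#  1. net_manager: who owns the network config (systemd-networkd vs ifupdown),
#     the decision #127 describes;
#  2. missing_from_ifupdown: kernel interfaces (from `ip a`) that have no
#     `iface` stanza under interfaces.d, i.e. the ones a UI that only reads
#     interfaces.d would never list (wg0 in the report).

# Constructed sample of `ip a` output, modelled on the one in the thread,
# with documentation/private placeholder addresses.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:00:00:25 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 203.0.113.10/32 metric 100 scope global dynamic ens3
13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.77.2/32 scope global wg0'

# kernel_ifaces: read `ip a` text on stdin, print one interface name per line,
# skipping lo. "[^:@]" stops at the "@" of VLAN/macvlan names (eth0.100@eth0).
kernel_ifaces() {
    sed -n 's/^[0-9][0-9]*: \([^:@]*\).*/\1/p' | grep -vx lo
}

# ifupdown_ifaces DIR: interface names with an `iface` stanza in any file under DIR.
ifupdown_ifaces() {
    [ -d "$1" ] || return 0
    cat "$1"/* 2>/dev/null \
      | sed -n 's/^[[:space:]]*iface[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p' \
      | sort -u
}

# net_manager STATE DIR: STATE is what `systemctl is-active systemd-networkd`
# prints. networkd wins whenever it is running; otherwise ifupdown is assumed
# only if its interfaces.d tree (DIR) exists.
net_manager() {
    case $1 in
        active|activating|reloading) echo networkd; return 0 ;;
    esac
    if [ -d "$2" ]; then echo ifupdown; else echo unknown; fi
}

# missing_from_ifupdown DIR: kernel interfaces (stdin `ip a`) not declared under DIR.
missing_from_ifupdown() {
    known=$(ifupdown_ifaces "$1")
    kernel_ifaces | while read -r ifname; do
        printf '%s\n' "$known" | grep -qx "$ifname" || echo "$ifname"
    done
}

# live: probe this host; kept behind --live so the sample demo runs anywhere.
live() {
    state=$(systemctl is-active systemd-networkd 2>/dev/null) || state=${state:-inactive}
    echo "network manager: $(net_manager "$state" /etc/network/interfaces.d)"
    echo "kernel interfaces with no interfaces.d stanza:"
    ip a | missing_from_ifupdown /etc/network/interfaces.d
}

if [ "${1:-}" = "--live" ]; then
    live
else
    echo "interfaces in the constructed sample:"
    printf '%s\n' "$SAMPLE_IP_A" | kernel_ifaces
fi
```

Run it with `--live` on the box itself; without the flag it only parses the embedded sample. The networkd branch deliberately comes first: on a cloud image where cloud-init has configured systemd-networkd, writing a competing stanza into interfaces.d is what produces the "back to trusted" and "wg0 not listed" symptoms reported here, so the check reports `networkd` before it even looks at the directory.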
FreePBX Version
FreePBX 17
Issue Description
On a fresh freepbx 17 beta install, I added some trusted IP and networks in the firewall configuration.
Responsive Firewall is active.
No way to move the only one interface (ns3) to “Internet (default firewall)”
After “update interfaces”, status is back to “trusted”.
Another issue with the firewall: the wireguard ‘wg0’ interface is not listed on the interfaces screen.
Visible on the dashboard but not in the firewall.
Operating Environment
Debian 12.5
freepbx 17 - edge mode fully updated
FreePBX 17.0.15.13
System Firewall 17.0.1.14
Relevant log output
No response