...

Edit /etc/voipnow/local.conf and uncomment the TRUSTED_NET variable, replacing its value with your local network IP and netmask:

Shell
# Access from these networks is always allowed (eg: TRUSTED_NET 10.10.34.12/32 10.10.33.1/24)
# TRUSTED_NET NETWORK/MASK

should be changed into something similar to:

Shell
# Access from these networks is always allowed (eg: TRUSTED_NET 10.10.34.12/32 10.10.33.1/24)
TRUSTED_NET 172.16.100.1/24

This must be done on all VoipNow nodes in the infrastructure.
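Because every network listed in TRUSTED_NET is always allowed through the generated firewall, a typo or an over-broad mask in this line silently opens a hole on every node. The following check is an added example, not part of VoipNow: it parses the TRUSTED_NET line in the format shown above (the sample file content is constructed) and flags malformed, non-private, over-broad or host-bit-set entries; the MIN_PREFIXLEN threshold is an assumption.

```python
import ipaddress

# Constructed sample of /etc/voipnow/local.conf in the format the page shows:
# a comment line, then an uncommented TRUSTED_NET line with NETWORK/MASK entries.
SAMPLE_LOCAL_CONF = """\
# Access from these networks is always allowed (eg: TRUSTED_NET 10.10.34.12/32 10.10.33.1/24)
TRUSTED_NET 172.16.100.1/24 10.10.34.12/32
"""

# Assumption: prefixes shorter than this are flagged as suspiciously broad for a
# network that is always allowed through the firewall; tune to your address plan.
MIN_PREFIXLEN = 16


def parse_trusted_net(conf_text):
    """Return the NETWORK/MASK entries of the first uncommented TRUSTED_NET line ([] if none)."""
    for line in conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment (the shipped file has the variable commented out)
        if fields[0] == "TRUSTED_NET":
            return fields[1:]
    return []


def check_trusted_net(entries):
    """Validate entries and return (normalized networks, warnings).
    Flags malformed syntax, host bits set (172.16.100.1/24 really means
    172.16.100.0/24), non-private address space, and very short prefixes."""
    networks, warnings = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            warnings.append(f"{entry}: not a valid NETWORK/MASK")
            continue
        networks.append(str(net))
        if str(net) != entry:
            warnings.append(f"{entry}: host bits set or mask missing, treated as {net}")
        if not net.is_private:
            warnings.append(f"{entry}: not a private address range")
        if net.prefixlen < MIN_PREFIXLEN:
            warnings.append(f"{entry}: /{net.prefixlen} trusts {net.num_addresses} addresses")
    return networks, warnings
```

Run it against each node's local.conf before executing the firewall script, since the page requires the same TRUSTED_NET on all nodes.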

...

Execute the following command (test mode):

Shell
# /usr/local/voipnow/admin/sbin/voipnow_firewall -o apply -t true
Testmode enabled. If everything is working ok, please apply the firewall with /usr/local/voipnow/admin/sbin/voipnow_firewall --operation=apply --testmode=false
Your previous firewall has been saved in /tmp/iptables.20463

The firewall installer will:

...

  • save your existing firewall rules into a temporary file (/tmp/iptables.20463 in the above example)
  • inspect the VoipNow Cloud Management for the roles assigned to this node
  • attempt to detect the ports used by each role and apply the corresponding firewall rules
  • install a "safety net" consisting of a cron job which flushes the firewall after 3 minutes

You can see this safety net as a line in crontab:

Shell
*/3 * * * * /sbin/iptables -P INPUT ACCEPT; /sbin/iptables -P FORWARD ACCEPT;/sbin/iptables -P OUTPUT ACCEPT;/sbin/iptables -F;/sbin/iptables -X


Apply firewall (final mode)

Assuming that everything is ok, run the firewall script again with test mode disabled (this will remove the cron job and leave your newly generated firewall rules in place):

Shell
# /usr/local/voipnow/admin/sbin/voipnow_firewall -o apply -t false


Private Network

The private network must be isolated. Only VoipNow nodes must be able to access it - it should not be shared with any other system. Furthermore, generic host level network firewalls must be configured to allow connection only on the ports that are opened on each role.

...

Requires public network access, as well as private network access for management and database traffic. Traffic can be encrypted (SRTP) as long as the involved parties support the protocol; otherwise the traffic is not encrypted. Both private and public networks are required. Supports authentication and authorization methods.

Jabber

Requires public network access, as well as private network access for management and database traffic. It is a good idea to implement rate limiting based on source IP on this service. Application-layer firewalls for the XMPP protocol are available from independent vendors.

Infrastructure Management

...

A task scheduler that does not listen on any port but requires private network access to connect to the other roles.

Queue

Requires private network access only. Traffic is not encrypted; the connection is authenticated. Securing the traffic itself is not critical, but for superior protection it is a good idea to allow traffic only from the relevant roles (even in the private network).

Storage Layer

SQL

Traffic must be kept in the private network. Traffic is not encrypted; the connection is authenticated.

...

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 4.0 International.