Suggestion: CSF Firewall

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Moderators: enjay, williamconley, Staydog, mflorell, MJCoate, mcargile, Kumba

Suggestion: CSF Firewall

Postby Acidshock » Thu Jan 20, 2022 9:51 pm

Ok I am going to make a suggestion. It may be unpopular but I have tested it out in several installs and its working great. I would like to suggest that we replace the existing vicibox firewall solution with CSF firewall. It has been used for almost 17 years. It is very easy to integrate into the distro. Simply change the iptables default location. It can use ipset, automatically download and use blacklists, geoip location, etc. In addition, IP's can easily be added into a temporary and/or permanent whitelist or blacklist via command line. Because of this a cron job can be made to add vicidial whitelist/blacklist ips. In addition if people absolutely need a UI because they are not very command line savvy they can use a built in web UI. Furthermore it also has login failure detection, etc. Overall I think it just offers a more tried and true method without us needing to fiddle with the current setup or refine the wheel.

The main reason I bring this up is I have literally had several people come to me to fix their firewall issues in vicibox 10.

Here is their page:
https://www.configserver.com/cp/csf.html
VERSION: 2.14-698a | BUILD: 190207-2301 | Asterisk:13.24.1-vici | Vicibox 8.1.2
Acidshock
 
Posts: 416
Joined: Wed Mar 03, 2010 3:19 pm

Re: Suggestion: CSF Firewall

Postby carpenox » Wed Jan 26, 2022 12:34 pm

I agree this would be a great addition, the firewall on V10 is a nightmare, something needs to be fixed or changed for sure.
Alma Linux 8.5 | Version: 2.14-858a | BUILD: 220513-0819 | SVN Version: 3602 | DB Schema Version: 1661 | Asterisk 16.17.0-vici
www.CyburDial.net -:- 725-22-CYBUR -:- My Blog: http://vicidial.blog -:- Whatsapp: +19549477572 -:- Skype: live:carpenox_3
carpenox
 
Posts: 1801
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Suggestion: CSF Firewall

Postby dspaan » Tue May 03, 2022 8:18 am

Yeah, i'm also a fan of CSF, on each new Linux install i use it as my main firewall. Could it also work with the vicidial dynamic portal?
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1360
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Suggestion: CSF Firewall

Postby Kumba » Mon May 09, 2022 3:42 pm

I'll take a look at it for ViciBox 11 which will be OpenSuSE with Asterisk 16. The primary reason I am somewhat stuck with firewalld is because yast is integrated with it. It's much easier to talk someone remotely over how to make changes in yast then it is to edit config files.
Kumba
 
Posts: 920
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Suggestion: CSF Firewall

Postby dspaan » Tue May 10, 2022 1:02 pm

I believe you will find these config files super easy. Also, in the latest yast firewall on OpenSuSE you can't add IP adresses to give them access for specific ports, zones or protocols. You have to do that through command line while you can just do nano /etc/csf/csf.allow and add your IP's to give admins SSH access.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1360
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Suggestion: CSF Firewall

Postby carpenox » Tue May 10, 2022 3:35 pm

u can do it on command line for firewalld or yast as well just go to /etc/firewalld/zones and edit the files like below:

<zone target="ACCEPT">
<short>Trusted</short>
<description>All network connections are accepted.</description>
<source address="3.216.197.4"/>
<source address="34.196.59.250"/>
<source address="34.200.206.65"/>
<source address="13.56.51.225"/>
<source address="54.151.113.200"/>
<source address="54.193.203.218"/>
<source address="74.208.245.123"/>
<service name="apache2"/>
<service name="apache2-ssl"/>
<service name="sip"/>
<service name="mysql"/>
<port port="8089" protocol="tcp"/>
<port port="10000-20000" protocol="udp"/>
</zone>
Alma Linux 8.5 | Version: 2.14-858a | BUILD: 220513-0819 | SVN Version: 3602 | DB Schema Version: 1661 | Asterisk 16.17.0-vici
www.CyburDial.net -:- 725-22-CYBUR -:- My Blog: http://vicidial.blog -:- Whatsapp: +19549477572 -:- Skype: live:carpenox_3
carpenox
 
Posts: 1801
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Suggestion: CSF Firewall

Postby Kumba » Tue May 10, 2022 4:36 pm

It's not so much the difficulty in editing a text file, it's more about the target audience's comfort with Linux. My general goal is to make every release of ViciBox easier to work with for the average IT guy. For me that's a guy whose primary experience is Windows desktop with limited networking/router knowledge and likely little to no Linux exposure let alone experience.

I'm not opposed to switching to anything that works better, but that is the lens I look at it through first. I'll put CSF on the list for ViciBox 11 feature consideration.
Kumba
 
Posts: 920
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Suggestion: CSF Firewall

Postby williamconley » Wed May 11, 2022 9:53 am

In other words designing a web interface to edit that file OR creating a page in Vicidial and method of storage into that file is necessary for our End Users. While the DGG authorized IPs page was outside Vicidial, it was simplistic in nature and made it possible for anyone to add an IP for authorized access with Zero linux knowledge ... in fact, with no access to the linux interface required at all. So a secretary can be assigned that task by the owner.

Our method to limit access to the Authorized IPs page was a simple code in the URL. And that page updated a file used by the "xt_recent" iptables module.

This seems similar, just that the IP list represents a specifc section of an XML file. An interface to modify just that portion (keeping everything above and below it) or an interface to manage the entire file by allowing source addresses, service names and ports and port ranges could create a similar experience. Keeping it out of the Vicidial interface could reduce the likelihood that someone would jump onto a manager's workstation who has access to the page and add themselves. Plus "outside vici" means implementation could be instantaneous.

If it were modularized in some fashion, it could apply to "whatever" firewall is in use in that particular install (since we seem to be bouncing firewalls quite a bit, lol).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 19810
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Suggestion: CSF Firewall

Postby dspaan » Wed May 11, 2022 10:18 am

It's also possible to use Webmin: https://webmin.com/

This is basically your webinterface which then allows you to give certain users limited access to certain files.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1360
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Suggestion: CSF Firewall

Postby williamconley » Wed May 11, 2022 10:19 am

True: But webmin also allows FULL access to the OS and is arguably *not* a simple interface.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 19810
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to ViciBox Server Install and Demo

Who is online

Users browsing this forum: No registered users and 24 guests