ViciBox v.10 Beta 4 and MD image. 99% complete!

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo


Re: ViciBox v.10 Beta 3 with working SSL certs! Production r

Postby Kumba » Tue Aug 24, 2021 11:46 am

Apparently the problem is even if I tell firewall-cmd to use an ipset, if I modify the ipset directly using the actual ipset utility, it does nothing. Cause firewalld/nftables get their feelings hurt that I didn't use firewall-cmd to modify the ipset.

So yeah, doing 'firewall-cmd --permanent --zone=external --add-source=ipset:whiteips' and then trying to add an IP directly with ipset like 'ipset add whiteips 1.2.3.4' doesn't work. Why?!?!? No earthly idea. It's the most ridiculous thing I've run into yet with firewalld. But doing 'firewall-cmd --ipset=whiteips --add-entry=1.2.3.4' does work. The real problem is that firewall-cmd doesn't have a flush or swap feature for ipsets. That means I either need to parse the output of --get-entries and individually add/remove IPs that need it, or I have to delete the ipset, which is likely going to be intrusive and cause audio problems.

Wrapping VB-firewall around firewall-cmd is almost a complete re-write. The only parts I can really re-use are some of the CLI parsing and database connectivity portions. All the rest essentially gets thrown away as it's no longer viable.

Plan B is to use direct and just throw some sort of iptables hackery in there, but that's more short-term as iptables is deprecated more and more.

Blah. Double and triple blah even.
Kumba
Posts: 911
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: ViciBox v.10 Beta 3 with working SSL certs! Production r

Postby carpenox » Tue Aug 24, 2021 1:32 pm

Damn, that's a mission and a half. What about removing firewalld and just using iptables?
Leap 15.3 | Version: 2.14-833a | BUILD: 211106-1500 | SVN Version: 3542 | DB Schema Version: 1648 | Asterisk 16.20.0-vici
www.CyburDial.net -:- 844-PC-SATA-2 -:- My Blog: http://vicidial.blog -:- Whatsapp: +19549477572 -:- Skype: live:carpenox_3

Re: ViciBox v.10 Beta 3 with working SSL certs! Production r

Postby Kumba » Wed Aug 25, 2021 2:33 am

carpenox wrote: Damn, that's a mission and a half. What about removing firewalld and just using iptables?


I've already got the WhiteList, BlackList, and DynamicList functionality re-written in VB-Firewall. I just need to add the VoIPBL.org and geoblock to it. Since I'm wrapping everything completely around firewalld, that does make some things a lot easier and cleaner. About the only feature I wish firewalld had in it was a way to flush an IPSet. As it stands now I have to either add/remove individual entries or delete and recreate the ipset. That's not too bad for most things until I get to VoIPBL.org and GeoBlocking. Those are easier to just flush the ipset and reinsert everything, but meh. I'll have to think of a good way to approach those.
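The add/remove reconciliation Kumba describes in the two posts above (no flush or swap in firewall-cmd, so diff --get-entries against the wanted list and touch only the delta), written out as an added POSIX shell example; this is not code from VB-firewall or the thread. The ipset name 'whiteips' is from the thread; the desired-list file format (one entry per line, '#' comments) and the FIREWALL_CMD / FW_OPTS override variables are assumptions of this example.

```shell
#!/bin/sh
# Reconcile a firewalld-managed ipset with a desired list of entries.
# firewall-cmd offers no flush/swap for ipsets, and entries added with the
# bare `ipset` tool are ignored by firewalld, so the only safe path is:
# read the live entries, diff against what we want, add/remove the delta.
# The set itself is never deleted, so existing calls keep their rules.

# Overridable for dry runs and tests (example assumptions, not firewalld options).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
# Empty = runtime config (takes effect immediately, like the thread's command).
# Set FW_OPTS=--permanent to edit the persistent config instead (needs --reload).
FW_OPTS="${FW_OPTS:-}"

# Lines in sorted file $1 that are absent from sorted file $2.
set_minus() {
    comm -23 "$1" "$2"
}

# sync_ipset <ipset name> <desired-entries file>
# Desired file: one IP or CIDR per line, '#' starts a comment (constructed format).
# Prints one line per change made: "add <entry>" or "remove <entry>".
sync_ipset() {
    name="$1"; want_file="$2"
    have_f=$(mktemp); want_f=$(mktemp)
    # Live entries; an unreadable or empty set yields an empty list.
    "$FIREWALL_CMD" $FW_OPTS --ipset="$name" --get-entries 2>/dev/null | sort -u > "$have_f"
    # Desired entries with comments, surrounding whitespace and blank lines stripped.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$want_file" \
        | sort -u > "$want_f"
    # Entries we want but do not have: add them one at a time.
    set_minus "$want_f" "$have_f" | while IFS= read -r entry; do
        "$FIREWALL_CMD" $FW_OPTS --ipset="$name" --add-entry="$entry" >/dev/null \
            && echo "add $entry"
    done
    # Entries we have but no longer want: remove them (this is the "flush" part).
    set_minus "$have_f" "$want_f" | while IFS= read -r entry; do
        "$FIREWALL_CMD" $FW_OPTS --ipset="$name" --remove-entry="$entry" >/dev/null \
            && echo "remove $entry"
    done
    rm -f "$have_f" "$want_f"
}

# Example invocation (the whitelist path is a placeholder, not a ViciBox file):
# sync_ipset whiteips /path/to/whitelist.txt
```

Running it twice with the same desired file is a no-op the second time, which is what makes it safe to call from cron or from a hook that regenerates the list.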

Re: ViciBox v.10 Beta 3 with working SSL certs! Production r

Postby Kumba » Wed Aug 25, 2021 5:32 am

So the new VB-firewall is ready to test. It's missing the geoblock portion but that's a pretty low priority compared to the rest.

You can do a zypper ref and zypper up to pull in the new version, but you will probably have to re-do some of the firewall config files.

Here's what you need to do:
Delete /etc/firewalld/direct.xml (unless you've made custom changes to this).

Look in /etc/firewalld/zones for any files that end with "rpmnew". You'll probably need to copy these over the XML files but without the "rpmnew" extension, i.e. cp external.xml.rpmnew external.xml

That should more or less get the new firewall setup in place.

So the way it works is the 'external' zone is what the whitelist and dynamic list are tied to. The 'public' zone is the default zone. You would remove everything from the public zone you don't want the general internet having access to. If you're using the dynamic portal you'll want 'viciportal' and 'viciportal-ssl' in the 'public' zone.

In the External zone you should see asterisk, apache, rtp, etc, listed there. These are the services that the whitelist and dynamic list will have available.

And finally, the blacklist and voipbl.org list are now tied to the drop zone. This means the server will look like a literal black hole if they're on those lists.

I'll have to do documentation soon, but this makes it all a lot easier to deal with and manage.

Re: ViciBox v.10 Beta 3 with working SSL certs! Production r

Postby carpenox » Wed Aug 25, 2021 9:00 am

Cool, I'll give it a test later on today and report back.

Re: ViciBox v.10 Beta 4 and MD image. 99% complete!

Postby Kumba » Thu Aug 26, 2021 10:59 pm

Just dropped Beta4 which should have all the above goodies fixed in it. It's in the first post. Go ahead and do your testing. See if the dynamic portal and whitelist now work as you expect.

Re: ViciBox v.10 Beta 4 and MD image. 99% complete!

Postby carpenox » Fri Aug 27, 2021 10:30 am

OK cool, I'll try it out tonight. Did you finish the firewall-cmd rewrite?

Re: ViciBox v.10 Beta 4 and MD image. 99% complete!

Postby carpenox » Sat Aug 28, 2021 10:40 am

OK so I've installed v10 now on 3 production boxes last night, and this seems to be an error across the board when manually adding IPs to the firewall:

firewall-cmd --add-source=54.xx.113.xx0 --zone=trusted --permanent
ERROR:dbus.proxies:Introspect error on :1.3:/org/fedoraproject/FirewallD1/config: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

Re: ViciBox v.10 Beta 4 and MD image. 99% complete!

Postby Kumba » Mon Aug 30, 2021 1:36 am

No clue. I've never gotten that error. Is firewalld running?

Re: ViciBox v.10 Beta 4 and MD image. 99% complete!

Postby carpenox » Mon Aug 30, 2021 7:03 am

Yes, and it freezes the box when this happens.

Re: ViciBox v.10 Beta 4 and MD image. 99% complete!

Postby Kumba » Tue Aug 31, 2021 2:11 am

No clue. I can't duplicate that issue. Below is where I ran the command just fine with a made-up IP.

vicibox10:~ # firewall-cmd --permanent --zone=trusted --add-source=54.1.113.1
success

Re: ViciBox v.10 Beta 4 and MD image. 99% complete!

Postby carpenox » Thu Sep 02, 2021 10:30 am

And if you try a --reload afterwards, it doesn't freeze for you?

Re: ViciBox v.10 Beta 4 and MD image. 99% complete!

Postby Kumba » Fri Sep 03, 2021 5:13 am

I didn't know you were doing that. It looks like it gave you the error just by running the command. I'll try the reload later. I am guessing that since I can't duplicate your initial issue, I'll likely not have an issue doing the --reload either.

carpenox wrote: And if you try a --reload afterwards, it doesn't freeze for you?