by Kumba » Wed Aug 25, 2021 5:32 am
So the new VB-firewall is ready to test. It's missing the geoblock portion but that's a pretty low priority compared to the rest.
You can do a zypper ref and zypper up to pull in the new version, but you will probably have to re-do some of the firewall config files.
Here's what you need to do:
Delete /etc/firewalld/direct.xml (unless you've made custom changes to this).
Look in /etc/firewalld/zones for any files that end with "rpmnew". You'll probably need to copy these over the XML files but without the "rpmnew" extension, i.e. cp external.xml.rpmnew external.xml
That should more or less get the new firewall setup in place.
So the way it works is the 'external' zone is what the whitelist and dynamic list are tied to. So the 'public' zone is the default zone. You would remove everything from the public zone you don't want the general internet having access to. If you're using the dynamic portal you'll want 'viciportal' and 'viciportal-ssl' in the 'public' zone.
In the External zone you should see asterisk, apache, rtp, etc, listed there. These are the services that the whitelist and dynamic list will have available.
And finally, the blacklist and voipbl.org list are now tied to the drop zone. This means the server will look like a literal black hole if they're on those lists.
I'll have to do documentation soon, but this makes it all a lot easier to deal with and manage.
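The ".rpmnew" copy step from the post above, written as a shell function that keeps a timestamped backup of every zone file it overwrites. This is an added example, not part of the original post or of the VB-firewall package; the function name `promote_rpmnew`, the `PROMOTED` counter and the `.bak.<timestamp>` suffix are assumptions made for illustration.

```shell
# Added example: copy each *.rpmnew zone file over its live XML file,
# backing up any live file that differs before it is replaced.
# Usage: promote_rpmnew [zones_dir]   (defaults to /etc/firewalld/zones)
# promote_rpmnew and PROMOTED are hypothetical names, not VB-firewall tooling.
promote_rpmnew() {
    local dir="${1:-/etc/firewalld/zones}"
    local stamp new live count=0
    stamp="$(date +%Y%m%d%H%M%S)"

    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    for new in "$dir"/*.rpmnew; do
        [ -e "$new" ] || continue            # glob matched nothing
        live="${new%.rpmnew}"                # external.xml.rpmnew -> external.xml

        if [ -e "$live" ]; then
            # Identical content: nothing to do, no backup needed.
            if cmp -s "$new" "$live"; then
                echo "unchanged: $live"
                continue
            fi
            # Preserve the current file so local edits can be recovered.
            cp -p "$live" "$live.bak.$stamp" || return 1
        fi

        cp -p "$new" "$live" || return 1
        echo "updated:   $live"
        count=$((count + 1))
    done

    PROMOTED=$count                          # number of files replaced or created
}
```

Run `promote_rpmnew` as root with no argument to act on /etc/firewalld/zones, then diff any `.bak.*` file against its replacement to see which services were in the old zone before reloading the firewall.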