MyPBX Security Configuration Guide (Part 2) -- Firewall Configuration

Please back up the configuration on the "Backup and Restore" page before you go ahead. If you lock yourself out of the device, you can reset it to factory defaults and restore the previous configuration.

The basic logic of the firewall configuration is "allow all trusted IP addresses, then enable Drop All".

Step 1. Enable the firewall on the Firewall page of MyPBX.

Path: System--Security Settings--Firewall Rules--General Settings


Step 2. Add common rules to accept local network access.

Create a common rule that allows all IP addresses of the local phones to access the MyPBX server. For example, if the local IP range is 192.168.5.1-192.168.5.254, the configuration could be as below:

Name: LocalNetwork
Protocol: BOTH
Port: 1:65535
IP: 192.168.5.0/255.255.255.0 (the format must be "IP/net mask")
Action: Accept


Step 3. Add common rules to allow remote administrators, extensions or devices.

For example, if the public IP is 110.30.25.152, we can allow all ports for this trusted IP.

Name: Remote
Protocol: BOTH
Port: 1:65535
IP: 110.30.25.152/255.255.255.255
Action: Accept


Note: a static public IP address or IP range must be configured here. If the remote party uses a dynamic IP address that does not belong to a range, there is no need to configure it, but the "Drop All" option described in Step 8 should then not be ticked; the IP blacklist rules will help protect MyPBX instead. We recommend obtaining a static public IP for security purposes.

Step 4. Add common rules to accept the static public IP range of the VoIP provider.

The ports used to contact the SIP provider are 5060 and 10000-12000 by default; if you have changed this port range, enter your own values here.
For example, if the provider's IP address is 110.111.132.6, the configuration has two parts: one for SIP port 5060 and a second for the RTP port range 10000-12000.

Allow the SIP registration port, 5060:
Name: SIP
Protocol: UDP
Port: 5060:5060
IP: 110.111.132.6/255.255.255.255
Action: Accept

Allow the RTP port range:
Name: RTP
Protocol: UDP
Port: 10000:12000
IP: 110.111.132.6/255.255.255.255
Action: Accept

Note: If the SIP provider's media server uses dynamic addresses and the IP range cannot be determined, the RTP range can be opened for all IP addresses like this:

Name: RTP_ALL
Protocol: UDP
Port: 10000:12000
IP: 0.0.0.0/0.0.0.0
Action: Accept

In this case, MyPBX avoids one-way audio issues.

Step 5. Block web connections from IP addresses that are not in the accept list.

Note: Many attacks come through web access, so it is highly recommended to drop untrusted connections to the web interface.

Step 6. Add common rules to accept the static public IP range of the NTP, SMTP and POP servers.

We recommend opening all ports for the NTP, SMTP and POP servers in MyPBX's firewall; their IP addresses should be static or belong to a known range. If the server is reached via DynDNS, there is no need to configure this rule, but the IP blacklist should be kept and "Drop All" should not be ticked.
For example, the SMTP server is 110.30.1.123.

Name: Allow_SMTP
Protocol: BOTH
Port: 1:65535
IP: 110.30.1.123/255.255.255.255
Action: Accept


Step 7. Configure auto blacklist rules

Auto blacklist rules: the server adds a source IP address to the blacklist automatically if the number of packets it sends exceeds the limit configured in the rule.

Note: the following two rules are created by MyPBX by default; we recommend keeping the default rules rather than modifying their values.

1) Auto blacklist rule for port 5060:
Rule No. 1:
Port: 5060
Protocol: UDP
IP Packets: 120
Time Interval: 60 seconds


2) Auto blacklist rule for port 8022:
Rule No. 2:
Port: 8022
Protocol: TCP
IP Packets: 5
Time Interval: 60 seconds
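To make the threshold semantics of these rules concrete, here is an added Python model of the auto-blacklist behaviour; it is not MyPBX code or output. It keeps a sliding-window packet counter per source IP and rule and blacklists the source once more than "IP Packets" packets arrive within "Time Interval" seconds. The traffic it processes is constructed for the example, and the strict "more than" reading of "exceeds", as well as matching a rule on protocol and destination port, are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class BlacklistRule:
    port: int
    protocol: str
    ip_packets: int     # "IP Packets": packets allowed from one source per window
    time_interval: int  # "Time Interval" in seconds


# The two default rules the guide says MyPBX ships with.
DEFAULT_RULES = [
    BlacklistRule(port=5060, protocol="UDP", ip_packets=120, time_interval=60),
    BlacklistRule(port=8022, protocol="TCP", ip_packets=5, time_interval=60),
]


class AutoBlacklist:
    """Sliding-window packet counter per (source IP, rule).

    Assumption: "exceeds" means strictly more than ip_packets within any
    time_interval-second window; the guide does not spell this out.
    """

    def __init__(self, rules):
        self.rules = rules
        self._seen = defaultdict(deque)  # (src_ip, rule) -> timestamps inside the window
        self.blacklist = {}              # src_ip -> reason it was added

    def observe(self, ts: float, src_ip: str, protocol: str, dst_port: int) -> bool:
        """Record one inbound packet; return True if passed on, False if dropped."""
        if src_ip in self.blacklist:
            return False  # a blacklisted source stays blocked on every port
        for rule in self.rules:
            if rule.protocol != protocol or rule.port != dst_port:
                continue
            window = self._seen[(src_ip, rule)]
            window.append(ts)
            # Drop timestamps that have fallen out of the interval.
            while ts - window[0] >= rule.time_interval:
                window.popleft()
            if len(window) > rule.ip_packets:
                self.blacklist[src_ip] = (
                    f"{len(window)} {protocol}/{dst_port} packets within {rule.time_interval}s"
                )
                return False
        return True


def run_constructed_traffic() -> dict:
    """Feed constructed traffic (not captured from a real PBX) through the default rules."""
    fw = AutoBlacklist(DEFAULT_RULES)
    # A local phone re-registering every 2 s: 30 packets per minute, well under 120.
    for i in range(120):
        fw.observe(i * 2.0, "192.168.5.20", "UDP", 5060)
    # Six connection attempts to TCP 8022 in ten seconds, one over the limit of 5.
    for i in range(6):
        fw.observe(i * 2.0, "203.0.113.77", "TCP", 8022)
    # A burst of 200 SIP packets in twenty seconds, far over 120 per minute.
    for i in range(200):
        fw.observe(i * 0.1, "198.51.100.9", "UDP", 5060)
    return fw.blacklist  # the phone is absent, the two noisy sources are present
```

The phone's steady registration traffic never approaches the 5060 limit, which is why the guide advises leaving the default values alone: they are generous for normal SIP traffic but still catch bursts and repeated connection attempts on the SSH port.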


Step 8. Enable "Drop All". (If this feature is enabled, all packets and connections that do not match the rules are dropped.)

Warning: before enabling this feature, create a rule that accepts local network access, or the server may become inaccessible.

Notes:
    1. After enabling "Drop All", the auto defense and IP blacklist rules no longer take effect: apart from the IPs and packets defined in the accept rules, all other connections and packets are dropped.
    2. If "Drop All" is not enabled, do not remove the IP blacklist rules; they protect the system if a security hole exists.
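The rules from Steps 2 to 6 and the "Drop All" behaviour described in this step can be checked against sample packets with the following added Python model. It is not MyPBX code: the matching order (first matching common rule decides, then "Drop All", then the IP blacklist), the use of the packet's destination port for the Port field and TCP/80 as the web-interface port are assumptions made for the example; the rule values are the ones given in this guide.

```python
import ipaddress
from dataclasses import dataclass


def parse_ip_field(value: str) -> ipaddress.IPv4Network:
    """Parse the MyPBX 'IP' field, which the guide says must be 'IP/net mask'.

    A dotted net mask is required (192.168.5.0/255.255.255.0); a prefix
    length (192.168.5.0/24) is rejected so the typo is caught before
    "Drop All" turns it into a lockout.
    """
    addr, sep, mask = value.partition("/")
    if not sep or mask.count(".") != 3:
        raise ValueError(f"expected 'IP/net mask', got {value!r}")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def ip_field_is_valid(value: str) -> bool:
    try:
        parse_ip_field(value)
    except ValueError:
        return False
    return True


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str  # "TCP", "UDP" or "BOTH", as in the MyPBX form
    port: str      # "low:high", as in the MyPBX form
    ip: str        # "IP/net mask", as in the MyPBX form
    action: str    # "Accept" or "Drop"

    def matches(self, src_ip: str, protocol: str, dst_port: int) -> bool:
        if self.protocol != "BOTH" and self.protocol != protocol:
            return False
        low, high = (int(p) for p in self.port.split(":"))
        if not low <= dst_port <= high:
            return False
        return ipaddress.ip_address(src_ip) in parse_ip_field(self.ip)


# The accept rules from Steps 2, 3, 4 and 6 of the guide.
GUIDE_RULES = [
    Rule("LocalNetwork", "BOTH", "1:65535", "192.168.5.0/255.255.255.0", "Accept"),
    Rule("Remote", "BOTH", "1:65535", "110.30.25.152/255.255.255.255", "Accept"),
    Rule("SIP", "UDP", "5060:5060", "110.111.132.6/255.255.255.255", "Accept"),
    Rule("RTP", "UDP", "10000:12000", "110.111.132.6/255.255.255.255", "Accept"),
    Rule("Allow_SMTP", "BOTH", "1:65535", "110.30.1.123/255.255.255.255", "Accept"),
]


def decide(rules, drop_all: bool, blacklist: set, src_ip: str, protocol: str, dst_port: int) -> str:
    """Return "ACCEPT" or "DROP" for one inbound packet.

    Simplified model (an assumption, not MyPBX's documented algorithm): the
    first matching common rule decides; an unmatched packet is dropped when
    "Drop All" is on, otherwise only if its source is on the IP blacklist.
    This is why the guide says the blacklist stops mattering once "Drop All"
    is enabled: nothing unmatched ever reaches it.
    """
    for rule in rules:
        if rule.matches(src_ip, protocol, dst_port):
            return rule.action.upper()
    if drop_all:
        return "DROP"
    if src_ip in blacklist:
        return "DROP"
    return "ACCEPT"


def lockout_risk(rules, drop_all: bool, admin_ip: str) -> bool:
    """True when "Drop All" would cut the administrator's own address off the web UI.

    This is the check behind the Step 8 warning; TCP/80 is assumed to be the
    web-interface port for the example.
    """
    return drop_all and decide(rules, drop_all, set(), admin_ip, "TCP", 80) == "DROP"
```

Running decide() on the provider's address shows the intended narrowness of Steps 4 and 6: 110.111.132.6 is accepted on UDP 5060 and on the RTP range, but with "Drop All" on its TCP traffic to the web interface is dropped, whereas the SMTP server and the local network are accepted on every port. With "Drop All" off, that same unmatched TCP packet is accepted unless the source has been blacklisted, which is the situation the notes above describe.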

Step 9. The firewall configuration is complete. See the figure below.