Please back up the configurations on "Backup and Restore" page before you go ahead. In the case that you lock the device, you can reset to factory default and restore the previous configurations.
The basic logic of configuring the firewall is “allow all trusted IP addresses, then enable Drop All”.
Step 1. Enable the firewall on the Firewall page of MyPBX.
Path: System--Security Settings--Firewall Rules--General Settings
Step 2. Add common rules to accept local network access.
Create a common rule to allow all the IP addresses of the local phones to access the MyPBX server. For example, if the local IP range is 192.168.5.1-192.168.5.254, the configuration could be as below:
IP: 192.168.5.0/255.255.255.0 (the format must be “IP/net mask”)
Step 3. Add common rules to allow remote administrators, extensions or devices.
For example, if the public IP is 126.96.36.199, we can allow all ports for this trusted IP.
Note: a static public IP range needs to be configured here. If the address is a dynamic IP that does not belong to a range, there is no need to configure it, but “Drop All” (Step 8) should not be ticked; the IP blacklist rules will then help to protect MyPBX. We recommend getting a static public IP for security purposes.
Step 4. Add common rules to accept the static public IP range of the VoIP provider.
The ports used to contact the SIP provider are 5060 and 10000-12000 by default; if you have changed this port range, enter your own range here.
For example, if the provider's IP address is 188.8.131.52, the configuration consists of two parts: one for port 5060, and a second for the RTP port range 10000-12000.
Allow registry port: 5060.
Allow RTP port range:
Note: If the SIP provider's media servers use dynamic addresses and the IP range cannot be collected, we can allow the RTP port range for all IP addresses like this:
In this case, MyPBX avoids the one-way audio issue.
Step 5. Block web connections from the other IP addresses that are not added to the accept list.
Note: Many attacks come in through web access, so it is highly recommended to drop untrusted connections to the web interface.
Step 6. Add common rules to accept the static public IP range of the NTP, SMTP, and POP servers.
We recommend opening all ports for the NTP, SMTP, and POP servers in MyPBX's firewall; the IP address should be a static one or belong to a range. If the server uses Dyndns, there is no need to configure this rule, but the IP blacklist should be kept, and “Drop All” should not be ticked.
For example, the SMTP server is 184.108.40.206.
Step 7. Configure auto blacklist rules.
Auto blacklist rules: the server adds an IP address to the blacklist automatically if the number of packets it sends exceeds the limit you configured.
Note: the following 2 rules are created by MyPBX by default; we recommend keeping the default rules instead of modifying the values there.
1) Two auto blacklist rules for port 5060:
IP Packets: 120
Time Interval: 60 seconds
2) An auto blacklist rule for port 8022:
IP Packets: 5
Time Interval: 60 seconds
Step 8. Enable “Drop All” (when this feature is enabled, all packets and connections that do not match the accept rules are dropped).
Warning: before enabling this feature, please create a rule to accept local network access, or the server might become inaccessible.
1. After enabling “Drop All”, the auto defense and IP blacklist rules no longer take effect: except for the IPs and packets defined in the accept rules, all other connections or packets are dropped.
2. If “Drop All” is not enabled, please do not remove the IP blacklist rules, or the system will be left with a security hole.
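The following is an added example, not part of the MyPBX guide or Yeastar's software: a small Python simulator of the policy that Steps 2 to 8 build up. It encodes the accept rules from the steps above (the public addresses are the guide's own examples), the two default auto blacklist thresholds from Step 7, and the “Drop All” switch from Step 8, and then shows how the same packets are treated with “Drop All” on and off. The untrusted source address 203.0.113.9 and the rule names are constructed for the example; the code models the decision logic only and does not talk to a MyPBX device.

```python
# Added example, not part of the MyPBX guide: a simulator of the firewall
# logic the steps above describe (accept rules, "Drop All", auto blacklist).
# It models the policy only; it does not talk to a MyPBX device.
import ipaddress
from collections import defaultdict, deque

# Accept rules assembled from Steps 2-6. The public addresses are the
# guide's own examples; the rule names are labels chosen for this example.
# ports=None means "all ports", otherwise an iterable of allowed ports.
ACCEPT_RULES = [
    ("local phones",     "192.168.5.0/255.255.255.0", None),                 # Step 2
    ("remote admin",     "126.96.36.199",             None),                 # Step 3
    ("SIP provider SIP", "188.8.131.52",              [5060]),               # Step 4
    ("SIP provider RTP", "188.8.131.52",              range(10000, 12001)),  # Step 4
    ("SMTP server",      "184.108.40.206",            None),                 # Step 6
]

# Default auto blacklist rules from Step 7: port -> (packet limit, window in seconds)
AUTO_BLACKLIST = {5060: (120, 60), 8022: (5, 60)}


class Firewall:
    def __init__(self, accept_rules, drop_all, auto_blacklist):
        self.rules = [(name, ipaddress.ip_network(net), ports)
                      for name, net, ports in accept_rules]
        self.drop_all = drop_all
        self.auto_blacklist = auto_blacklist
        self.blacklist = set()             # addresses blocked automatically
        self.history = defaultdict(deque)  # (address, port) -> recent packet times

    def accept_rule_for(self, ip, port):
        """Return the name of the first accept rule matching (ip, port), or None."""
        for name, net, ports in self.rules:
            if ip in net and (ports is None or port in ports):
                return name
        return None

    def packet(self, src, port, t):
        """Decide 'ACCEPT' or 'DROP' for a packet from src to port at time t (seconds)."""
        ip = ipaddress.ip_address(src)
        if self.accept_rule_for(ip, port) is not None:
            return "ACCEPT"
        if self.drop_all:
            # Step 8, note 1: with Drop All on, anything outside the accept
            # rules is dropped and the blacklist never comes into play.
            return "DROP"
        if ip in self.blacklist:
            return "DROP"
        # Drop All off: untrusted traffic is let through unless the source
        # exceeds an auto blacklist threshold for that port (Step 7).
        if port in self.auto_blacklist:
            limit, window = self.auto_blacklist[port]
            recent = self.history[(ip, port)]
            recent.append(t)
            while recent and t - recent[0] > window:
                recent.popleft()
            if len(recent) > limit:
                self.blacklist.add(ip)
                return "DROP"
        return "ACCEPT"


def demo():
    """Exercise both modes; 203.0.113.9 is a constructed untrusted address."""
    strict = Firewall(ACCEPT_RULES, drop_all=True, auto_blacklist=AUTO_BLACKLIST)
    lenient = Firewall(ACCEPT_RULES, drop_all=False, auto_blacklist=AUTO_BLACKLIST)
    results = {
        "phone_sip": strict.packet("192.168.5.20", 5060, 0),      # local phone registering
        "phone_web": strict.packet("192.168.5.20", 80, 0),        # local admin on the web UI
        "provider_rtp": strict.packet("188.8.131.52", 11000, 0),  # RTP inside 10000-12000
        "provider_web": strict.packet("188.8.131.52", 80, 0),     # provider only gets SIP/RTP
        "stranger_web": strict.packet("203.0.113.9", 80, 0),      # Step 5: untrusted web access
        "stranger_web_lenient": lenient.packet("203.0.113.9", 80, 0),  # Step 8, note 2 risk
    }
    # Without Drop All the stranger gets through on 8022 until the 5-packet limit is exceeded.
    results["stranger_8022"] = [lenient.packet("203.0.113.9", 8022, t) for t in range(7)]
    results["stranger_blacklisted"] = ipaddress.ip_address("203.0.113.9") in lenient.blacklist
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the trade-off the two notes under Step 8 describe: with “Drop All” on, the untrusted address is dropped on every port immediately, while with it off the same address reaches the web port freely and is only cut off on port 8022 after the sixth packet inside the 60-second window, which is why the blacklist rules must stay in place in that mode.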
Step 9. The configuration of firewall settings is complete. See the figure below.