Managing Firewall Rules

Firewalls are complex, but we have done a lot of work to make this one as easy to manage as possible. The good news is that most people will not need to change anything. The Smart Firewall does a lot of work behind the scenes to lock down access to only the hosts that should be contacting your machine. Sometimes, though, it cannot work out what you want by itself, and you may need to give it a helping hand.

Before you change anything, ask yourself: is it actually broken? If it is not broken, don't change things just because you think you have to. Try it first. This is a smart firewall: it works out what you want from the way you have set the machine up, so the rules it generates are usually right.

Overview of Zones

The Smart Firewall has three zones: 'Other', 'Trusted' and 'Full'. You add networks and servers to the zones on the 'Network Definitions' tab.

Other

This is the catch-all zone for anything not placed in Trusted or Full. Any entity that falls into this zone is denied access to the machine when the 'Deny by Default' setting is on (you should leave it on). If 'Deny by Default' is off, such entities will most likely be allowed access, unless another firewall rule (for example, a fail2ban ban) blocks them.

Trusted

Any entity in this zone is granted limited access to the FreePBX server. You can add and remove the services that trusted entities may use on the 'Extra Services' and 'Other Services' tabs. Note that hosts, trunks, extensions and devices registered to this FreePBX server are automatically added to this zone, so most of what legitimately needs to talk to the PBX is already here.

Full/Whitelist

Any entity in this zone is granted full and unrestricted access to the FreePBX server. This should rarely be needed, but it is there for situations that cannot be resolved any other way. Note that this is the very first check in the firewall table, so an entity in Full bypasses every later check, including the service restrictions that apply to Trusted. If your FreePBX machine will be continually exchanging large amounts of traffic with another machine, it may be worthwhile to add that machine to Full using the 'Whitelist' tab.
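To make the order of the three zone checks concrete, here is a small Python model of the logic the three sections above describe: Full is tested first and is unrestricted, Trusted is limited to an explicit service list, and everything else is Other, where 'Deny by Default' decides. This is an added illustration, not the FreePBX firewall's own code or its real iptables rules; the `ZonePolicy` structure, the service names and the sample addresses are all constructed for the example.

```python
"""Toy model of the Smart Firewall's three zones.

Added illustration only: this is not FreePBX's firewall code or its
actual iptables ruleset.  Zone contents, service names and the sample
addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ZonePolicy:
    # Networks/hosts in the Full (Whitelist) zone: unrestricted access.
    full: list = field(default_factory=list)
    # Networks/hosts in the Trusted zone: limited to trusted_services.
    trusted: list = field(default_factory=list)
    # Service names that Trusted entities are allowed to reach.
    trusted_services: set = field(default_factory=set)
    # The 'Deny by Default' setting for the Other zone.
    deny_by_default: bool = True
    # Addresses blocked by some other rule, e.g. a fail2ban ban.
    banned: list = field(default_factory=list)


def _matches(addr, networks):
    """True if addr falls inside any of the listed hosts/networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def decide(policy, src, service):
    """Return ('allow'|'deny', reason) for traffic from src to service.

    The checks run in the order the text describes: Full first, then
    Trusted, then the Other zone governed by 'Deny by Default'.
    """
    # 1. Full/Whitelist is the very first check and has no service limit,
    #    so a whitelisted host is accepted before anything else is consulted.
    if _matches(src, policy.full):
        return "allow", "full"
    # 2. Trusted entities only get the services explicitly opened to them.
    if _matches(src, policy.trusted):
        if service in policy.trusted_services:
            return "allow", "trusted"
        return "deny", "trusted:service-not-allowed"
    # 3. Everything else is Other.  With Deny by Default on it is dropped
    #    outright; with it off, only another rule (here a ban list) stops it.
    if policy.deny_by_default:
        return "deny", "other:deny-by-default"
    if _matches(src, policy.banned):
        return "deny", "other:banned"
    return "allow", "other:deny-by-default-off"


def build_example_policy():
    """A constructed policy: one whitelisted peer, an office LAN, one ban."""
    return ZonePolicy(
        full=["203.0.113.10"],        # constructed: a peer PBX with heavy traffic
        trusted=["192.0.2.0/24"],      # constructed: the office LAN
        trusted_services={"sip", "rtp", "http"},
        deny_by_default=True,
        banned=["198.51.100.7"],       # constructed: an address banned by fail2ban
    )


if __name__ == "__main__":
    policy = build_example_policy()
    for src, svc in [("203.0.113.10", "ssh"), ("192.0.2.25", "sip"),
                     ("192.0.2.25", "ssh"), ("198.51.100.7", "sip")]:
        print(src, svc, decide(policy, src, svc))
```

Because the Full check runs first, an address placed there is accepted regardless of the service list or any ban that would otherwise apply, which is exactly why the text says to use Full rarely and to prefer Trusted for anything that only needs a few services.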
