Firewall Technical Details
Order of Precedence
The Firewall processes directives in this order:
Always Permitted:
Well-known traffic, such as packets that are 'Already Established' or 'Related' to a previously existing connection, is allowed
Management and diagnostic traffic (multicast, broadcast, and ICMP) is allowed
RTP traffic (the port range defined in FreePBX Settings) is allowed
If a packet has not matched any of the above, it needs to be investigated further: it is checked to see whether it comes from a known endpoint (such as a trunk or a registered extension)
Pre-Classification
If the traffic is from a known network, as defined in the Network Settings page, jump directly to that zone
If the traffic is from a known trunk or peer, mark the traffic as acceptable for the protocol of that trunk or peer
If the traffic is from a known registered endpoint, accept signalling for the protocol the endpoint is using
Additional check: if a known registered endpoint is requesting access to UCP, access is automatically granted. This will be expanded to allow more fine-grained control in the future. Note that there can be up to a 60 second delay between registration of the endpoint and UCP access being granted from that IP address.
Check whether the packet's source is on a known blacklist; if it matches, reject it immediately and proceed with no further checks
Check the default zone of the network interface the packet arrives on, and assign it to that zone
If the network interface is unknown, the packet is treated as a member of the trusted zone. This is a deliberate feature to ensure that NIC replacements or VM migrations/cloning do not inadvertently lock users out of the machine.
Zone Checks
Services are permitted or denied as per the zone definition
If the Responsive Firewall is enabled, packets not accepted by the zone definition are passed to it.
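The order above is easiest to reason about as a single decision function. The following Python model, added here as an illustration and not part of the FreePBX firewall code, walks a constructed packet through the three stages in the order listed (always permitted, pre-classification, blacklist, interface zone, zone checks, Responsive Firewall) and reports which step made the decision. The configuration names (known_networks, trunks, registered_endpoints, blacklist, interface_zones, zone_services) and the addresses are this example's own assumptions, chosen so that each step is exercised at least once, including the unknown-interface-means-trusted rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

@dataclass
class Packet:
    """Constructed description of one inbound packet (not a real capture)."""
    src: str                   # source IP address
    iface: str                 # interface the packet arrived on
    service: str = "sip"       # service the packet is aimed at: sip, ucp, ssh, ...
    established: bool = False  # belongs to an established or related connection
    diagnostic: bool = False   # multicast, broadcast or ICMP
    rtp: bool = False          # inside the RTP port range from FreePBX Settings

@dataclass
class FirewallConfig:
    """Hypothetical configuration; the field names are this example's, not FreePBX's."""
    known_networks: Dict[str, str]        # CIDR -> zone (Network Settings page)
    trunks: Dict[str, str]                # trunk/peer host -> its signalling protocol
    registered_endpoints: Dict[str, str]  # registered endpoint IP -> its signalling protocol
    blacklist: List[str]                  # CIDRs rejected outright
    interface_zones: Dict[str, str]       # interface -> default zone
    zone_services: Dict[str, Set[str]]    # zone -> services permitted by its definition
    responsive_enabled: bool = False

@dataclass
class Decision:
    action: str   # accept, reject, deny or responsive
    stage: str    # which step of the order of precedence decided
    zone: Optional[str] = None

def _matches(ip: str, cidrs) -> Optional[str]:
    """Return the first CIDR in `cidrs` that contains `ip`, else None."""
    addr = ip_address(ip)
    for cidr in cidrs:
        if addr in ip_network(cidr, strict=False):
            return cidr
    return None

def _zone_check(pkt: Packet, cfg: FirewallConfig, zone: str, via: str) -> Decision:
    # Zone checks: services permitted or denied per the zone definition,
    # then the Responsive Firewall if it is enabled, otherwise denied.
    if pkt.service in cfg.zone_services.get(zone, set()):
        return Decision("accept", f"zone:{zone} via {via}", zone)
    if cfg.responsive_enabled:
        return Decision("responsive", f"zone:{zone} via {via}", zone)
    return Decision("deny", f"zone:{zone} via {via}", zone)

def classify(pkt: Packet, cfg: FirewallConfig) -> Decision:
    # 1. Always permitted: established/related, diagnostic, RTP.
    if pkt.established:
        return Decision("accept", "always:established")
    if pkt.diagnostic:
        return Decision("accept", "always:diagnostic")
    if pkt.rtp:
        return Decision("accept", "always:rtp")
    # 2. Pre-classification: a known network jumps straight to its zone.
    net = _matches(pkt.src, cfg.known_networks)
    if net is not None:
        return _zone_check(pkt, cfg, cfg.known_networks[net], "preclass:known-network")
    # Known trunk/peer: acceptable only for that trunk's own protocol.
    if cfg.trunks.get(pkt.src) == pkt.service:
        return Decision("accept", "preclass:trunk")
    # Registered endpoint: its signalling is accepted, and so is UCP access.
    ep_proto = cfg.registered_endpoints.get(pkt.src)
    if ep_proto is not None and pkt.service == ep_proto:
        return Decision("accept", "preclass:registered-endpoint")
    if ep_proto is not None and pkt.service == "ucp":
        return Decision("accept", "preclass:ucp")
    # Blacklist: reject immediately, no further checks.
    if _matches(pkt.src, cfg.blacklist) is not None:
        return Decision("reject", "blacklist")
    # Default zone of the arrival interface; an unknown interface counts as trusted.
    known_iface = pkt.iface in cfg.interface_zones
    zone = cfg.interface_zones.get(pkt.iface, "trusted")
    return _zone_check(pkt, cfg, zone, "interface-zone" if known_iface else "interface-unknown")

# Constructed configuration using documentation/test address ranges.
CONFIG = FirewallConfig(
    known_networks={"192.168.1.0/24": "trusted"},
    trunks={"203.0.113.10": "sip"},
    registered_endpoints={"198.51.100.7": "sip"},
    blacklist=["198.51.100.0/24", "192.168.1.66/32"],
    interface_zones={"eth0": "internet", "eth1": "trusted"},
    zone_services={"trusted": {"sip", "ucp", "ssh", "http"}, "internet": set()},
    responsive_enabled=True,
)

if __name__ == "__main__":
    for p in [Packet("203.0.113.99", "eth0", established=True),
              Packet("198.51.100.7", "eth0", service="ucp"),
              Packet("198.51.100.8", "eth0"),
              Packet("192.168.1.66", "eth0", service="ssh"),
              Packet("203.0.113.50", "wlan9", service="ssh"),
              Packet("203.0.113.50", "eth0", service="ssh")]:
        d = classify(p, CONFIG)
        print(f"{p.src:>14} {p.iface:<6} {p.service:<4} -> {d.action:<10} ({d.stage})")
```

Two consequences of the listed order show up directly in the model: a source inside a network defined on the Network Settings page is sent to that zone before the blacklist is consulted, so a blacklist entry for an address in a known network never fires, and a packet arriving on an interface the firewall does not know about is evaluated against the trusted zone's services. Both are worth checking on a real deployment after a network or interface change.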