Firewall Technical Details

Order of Precedence

The Firewall processes directives in this order:

Always Permitted:

  • Well-known traffic, such as packets that are 'Already Established' or 'Related to a previously existing connection', is allowed

  • Management and Diagnostic traffic (Multicast, Broadcast, and ICMP) is allowed

  • RTP traffic (as defined in FreePBX Settings) is allowed

If the packet has reached this point, it needs to be investigated further. It is checked to see whether it comes from a known endpoint (such as a trunk or a registered extension).

Pre-Classification

  • If the traffic is from a known network, as defined in the Network Settings page, jump directly to that zone

  • If the traffic is from a known trunk or peer, mark the traffic as acceptable for the protocol of that trunk or peer

  • If the traffic is from a known registered endpoint, accept signalling for the protocol the endpoint is using

    • Additional check: if a known registered endpoint is requesting access to UCP, access is automatically granted. This will be expanded to allow more fine-grained control in the future. Note that there can be up to a 60 second delay between registration of the endpoint and UCP access being granted from that IP address.

  • Check if the packet is from a known blacklist, and if it matches, reject it immediately. Do not proceed with any further checks

  • Check the default zone of the network interface the packet arrives on, and assign it to that zone

  • If the network interface is unknown, the packet is treated as a member of the trusted zone. This is a feature to ensure that NIC replacements, or VM Migrations/Cloning do not inadvertently lock users out of the machine.

Zone Checks

  • Services are permitted or denied as per the zone definition

  • If the Responsive Firewall is enabled, the packet is handed to it.
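The order above decides which rule wins when several could match, for instance that the always-permitted checks and known-network matching run before the blacklist. The following model is an added example written for this page, not FreePBX's own code: it walks a packet through the precedence as listed, using a constructed firewall state (the addresses, interface names and zone names are hypothetical) so a practitioner can confirm which rule a given packet ends up on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str                 # source IP address
    iface: str               # NIC the packet arrived on
    proto: str               # "sip", "iax", "rtp", "ucp", "icmp", "broadcast", "multicast"
    dst_port: int = 5060
    established: bool = False  # conntrack ESTABLISHED / RELATED

# Constructed firewall state (hypothetical values, not a real FreePBX configuration).
FW = {
    "rtp_ports": (10000, 20000),                    # RTP range from FreePBX Settings
    "known_networks": {"10.0.0.0/8": "internal"},   # Network Settings page: cidr -> zone
    "trunks": {"203.0.113.5": "sip"},               # known trunk/peer ip -> protocol
    "registered": {"198.51.100.7": "sip"},          # registered endpoint ip -> protocol
    "blacklist": ["192.0.2.0/24"],
    "iface_zones": {"eth0": "external", "eth1": "internal"},  # default zone per NIC
}

def classify(pkt, fw=FW):
    """Return (verdict, reason) following the page's order of precedence; first match wins."""
    src = ip_address(pkt.src)
    # Always permitted
    if pkt.established:
        return "accept", "established/related"
    if pkt.proto in ("icmp", "broadcast", "multicast"):
        return "accept", "management/diagnostic"
    if pkt.proto == "rtp" and fw["rtp_ports"][0] <= pkt.dst_port <= fw["rtp_ports"][1]:
        return "accept", "rtp"
    # Pre-classification
    for net, zone in fw["known_networks"].items():
        if src in ip_network(net):
            return "zone", zone                    # jump directly to that zone
    if fw["trunks"].get(pkt.src) == pkt.proto:
        return "accept", "known trunk"             # only for the trunk's own protocol
    if pkt.src in fw["registered"]:
        if pkt.proto in (fw["registered"][pkt.src], "ucp"):  # signalling, plus UCP
            return "accept", "registered endpoint"
    if any(src in ip_network(b) for b in fw["blacklist"]):
        return "reject", "blacklist"               # no further checks
    # Default zone of the arriving interface; an unknown interface is treated as trusted
    return "zone", fw["iface_zones"].get(pkt.iface, "trusted")
```

Note that `classify` stops at the zone assignment; the per-zone service permissions and the Responsive Firewall hand-off happen after it.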
