Firewall Services

Clicking the collapsible menu on the right and selecting 'Services' brings you to the Firewall Services page. This page gives the admin fine-grained control over which firewall zones have access to which PBX services:

Services Tab

  • SSH - Generally you do not allow untrusted access to this service

  • Web Management - Generally you do not allow untrusted access to this service

  • Web Management (Secure) - Ideally you would limit this service only to trusted traffic

  • UCP - User Control Panel - Ideally you would limit this service only to trusted traffic.

  • SIP Protocol - The pjsip service. If you want to allow untrusted access, it is preferable to enable the Responsive Firewall rather than allowing the Internet zone

  • CHAN_SIP Protocol - The chan_sip service. If you want to allow untrusted access, it is preferable to enable the Responsive Firewall rather than allowing the Internet zone

  • IAX Protocol - The Inter Asterisk eXchange service. If you want to allow untrusted access, it is preferable to enable the Responsive Firewall rather than allowing the Internet zone

  • WebRTC - UCP browser sessions use this service. If you don't allow untrusted access to UCP, you probably don't need untrusted access to WebRTC

  • Let's Encrypt - Used in cases where the Let's Encrypt service is dedicated to port 80

Extra Services Tab

The Extra Services tab is where access to the provisioning services is configured.

Generally it's best to disallow untrusted access to provisioning services. If provisioning services must be exposed to the Internet Zone, it is CRITICALLY IMPORTANT to ensure the service is protected by credentials.

  • Zulu UC - Enable for Internet zone if your Zulu clients are not whitelisted

  • iSymphony - Generally you do not allow untrusted access to this service

  • HTTP Provisioning - Do not allow untrusted access to this service

  • HTTPS Provisioning - Can enable untrusted access to this service provided credentials are enabled

  • OpenVPN Server - Generally this service is enabled for the Internet zone

  • REST Apps (HTTP) - Generally you do not allow untrusted access to this service

  • REST Apps (HTTPS) - Generally you do not allow untrusted access to this service

  • XMPP - Used for text chat in UCP. If UCP is not enabled for the Internet zone, you probably don't need Internet access for this service either

  • FTP - Used for provisioning, protected with credentials

  • TFTP - Used for provisioning. CRITICALLY IMPORTANT: NEVER ALLOW UNTRUSTED ACCESS TO THIS SERVICE. If you can, it's probably best to just disable the TFTP service altogether

  • NFS and SMB/CIFS - Generally not used on a PBX
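To make the guidance on the Services and Extra Services tabs checkable, here is an added example (not FreePBX's own code or API) that audits a service-to-zone assignment against that guidance. The rule names, the dictionary format of the assignment, and the sample assignment are assumptions made for this example.

```python
# Zone name used on the Services page for untrusted traffic.
INTERNET = "Internet"

# Policy table derived from the guidance on both tabs. The rule names are
# an assumption for this example, not FreePBX terminology:
#   never       - untrusted access should not be allowed
#   responsive  - allow untrusted access only via the Responsive Firewall
#   credentials - allow untrusted access only if credentials are enforced
#   with_ucp    - only needed on the Internet zone if UCP is there too
POLICY = {
    "SSH": "never", "Web Management": "never",
    "Web Management (Secure)": "never", "UCP": "never",
    "iSymphony": "never", "HTTP Provisioning": "never",
    "REST Apps (HTTP)": "never", "REST Apps (HTTPS)": "never",
    "TFTP": "never",
    "SIP Protocol": "responsive", "CHAN_SIP Protocol": "responsive",
    "IAX Protocol": "responsive",
    "HTTPS Provisioning": "credentials", "FTP": "credentials",
    "WebRTC": "with_ucp", "XMPP": "with_ucp",
}

def audit(config, responsive_firewall=False, credentials=False):
    """config maps a service name to the set of zones it is open to.
    Returns a sorted list of findings for services open to the Internet zone."""
    findings = []
    ucp_public = INTERNET in config.get("UCP", set())
    for service, zones in config.items():
        if INTERNET not in zones:
            continue  # only untrusted exposure is audited here
        rule = POLICY.get(service)  # services without a rule (e.g. OpenVPN) pass
        if rule == "never":
            findings.append(f"{service}: untrusted access should not be allowed")
        elif rule == "responsive" and not responsive_firewall:
            findings.append(f"{service}: open to Internet zone; use the Responsive Firewall instead")
        elif rule == "credentials" and not credentials:
            findings.append(f"{service}: exposed to Internet zone without credentials")
        elif rule == "with_ucp" and not ucp_public:
            findings.append(f"{service}: open to Internet zone but UCP is not; probably unnecessary")
    return sorted(findings)

# Constructed sample assignment (not taken from a real system).
SAMPLE = {
    "SSH": {"Trusted"}, "UCP": {"Trusted"},
    "SIP Protocol": {"Trusted", "Internet"},
    "TFTP": {"Trusted", "Local", "Internet"},
    "HTTPS Provisioning": {"Internet"},
    "OpenVPN Server": {"Internet"}, "WebRTC": {"Internet"},
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```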

Custom Services Tab

Any local services running on the PBX that are not located on the previous two tabs can be added to this tab and zoned appropriately.

Blacklist Tab

See the Firewall Blacklist page
