sipXecs 4.6 manages the local iptables firewall on the server it's installed on. You can control some settings, or switch to Unmanaged mode, through the web interface (System -> Firewall).
Custom Rules with cfengine
If you want custom rules AND still have sipXecs manage your firewall, you can use a cfengine plugin to write the custom rules. This solution survives upgrades and the sending of profiles. It works for the example below, but make sure you test it on a non-production system first.
Edit the rules listed under "insert_lines:" to suit your needs.
Add a file containing:
```
# Edit /etc/sysconfig/iptables in place; if the file changes, restart iptables.
bundle agent firewall_custom {
  files:
    "/etc/sysconfig/iptables"
      comment   => "Allow custom firewall in $(this.promiser)",
      create    => "false",
      edit_line => custom_iptables_config,
      classes   => if_repaired("iptables_edited");

  commands:
    iptables_edited::
      "/sbin/service iptables restart"
        comment => "Restarting iptables to load new config";
}

# The rules to add. Each line of the string is inserted once (insert_lines is
# idempotent), at the location selected by the body below.
bundle edit_line custom_iptables_config {
  insert_lines:
    "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttp' -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttps' -j ACCEPT"
      location => before_the_accept_established_tcp_conns_rule;
}

# Insert before the first line matching the RELATED,ESTABLISHED accept rule.
body location before_the_accept_established_tcp_conns_rule
{
  before_after         => "before";
  first_last           => "first";
  select_line_matching => "^-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED.*";
}
```
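As an added illustration (not part of the sipXecs project or of the plugin above), the Python below mimics what the edit_line bundle promises: each rule is inserted once, before the first line matching the same regex, so repeated runs are idempotent. It also provides a check you can run over the contents of /etc/sysconfig/iptables after a profile push to confirm the custom rules are still present and ahead of the RELATED,ESTABLISHED rule. The iptables content is a constructed sample, not a real sipXecs file.

```python
import re

# Constructed sample in iptables-save format; the RELATED,ESTABLISHED line is
# the anchor the cfengine body location selects.
SAMPLE_IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Same rules as the insert_lines promise on this page.
CUSTOM_RULES = [
    "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttp' -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttps' -j ACCEPT",
]

# Same regex as select_line_matching in the body location.
ANCHOR = re.compile(r"^-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED.*")


def insert_before_anchor(text, rules, anchor=ANCHOR):
    """Insert each rule that is not already present before the first anchor
    line, mirroring cfengine's insert_lines + location => before/first."""
    lines = text.splitlines()
    missing = [r for r in rules if r not in lines]
    if not missing:
        return text  # nothing to repair: promise already kept
    for i, line in enumerate(lines):
        if anchor.match(line):
            lines[i:i] = missing
            break
    else:
        raise ValueError("anchor rule not found; custom rules not inserted")
    return "\n".join(lines) + "\n"


def custom_rules_in_place(text, rules, anchor=ANCHOR):
    """True if every custom rule is present and sits before the anchor line,
    i.e. the file still matches what the body location promised."""
    lines = text.splitlines()
    pos = {l: n for n, l in enumerate(lines)}
    anchor_pos = next((n for n, l in enumerate(lines) if anchor.match(l)), None)
    return anchor_pos is not None and all(r in pos and pos[r] < anchor_pos for r in rules)
```

Feed `custom_rules_in_place` the real file contents from a cron job or monitoring check to detect a profile push that rewrote the firewall without the plugin re-applying the rules.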
Adding Custom Rules to the Firewall Configuration
...
Here is a hint of how the latter might be accomplished: http://list.sipfoundry.org/archive/sipx-dev/msg27891.html
Here is an example of commands you can run (as root) to add a custom rule to the running config. This will not survive if/when sipXecs decides to rewrite the firewall configuration:
```
# allow TCP traffic from the 10.1.2.3/24 subnet
iptables -A INPUT -s 10.1.2.3/24 -p tcp -j ACCEPT
# write the running rules to /etc/sysconfig/iptables
/etc/init.d/iptables save
```
Disabling the Firewall (Redhat-based systems)
...