sipXecs 4.6 manages the local iptables firewall on the server it is installed on. You can control some settings, or switch the firewall to Unmanaged mode, through the web interface (System -> Firewall).

Custom Rules with cfengine

If you want custom rules AND still have sipXecs manage your firewall, you can use a cfengine plugin to write the custom rules. This approach survives upgrades and the sending of profiles. It works for the example below, but make sure you test it on a non-production system first.

Edit the rules under "insert_lines:" to suit your needs.

Add the file /usr/share/sipxecs/cfinputs/plugin.d/firewall_custom.cf with the following content:

# Bundle picked up by the sipXecs cfengine agent: edits the iptables config
# and restarts iptables only when the file was actually changed.
bundle agent firewall_custom {
  files:
    "/etc/sysconfig/iptables"
      comment => "Allow custom firewall in $(this.promiser)",
      create => "false",
      edit_line => custom_iptables_config,
      classes => if_repaired("iptables_edited");
  commands:
    iptables_edited::
      "/sbin/service iptables restart"
        comment => "Restarting iptables to load new config";
}

# The custom rules. Each line is inserted once (cfengine does not re-insert
# a line that is already present) and placed ahead of the RELATED,ESTABLISHED
# accept rule, so iptables evaluates them first. The second rule line must
# start in column 0, or the leading whitespace ends up in the file.
bundle edit_line custom_iptables_config {
  insert_lines:
    "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttp' -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttps' -j ACCEPT"
      location => before_the_accept_established_tcp_conns_rule;
}

# Anchor: the first line matching this regex; the new lines go before it.
body location before_the_accept_established_tcp_conns_rule
{
  before_after => "before";
  first_last => "first";
  select_line_matching => "^-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED.*";
}
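As an added illustration (not code from this page or from sipXecs), the following Python simulates what the edit_line bundle does to /etc/sysconfig/iptables: it inserts the custom rules only when they are not already present, places them before the first line matching the body location regex, and raises when no anchor line exists, which is the case where cfengine would leave the file untouched. The sample iptables file is constructed; rules_precede_anchor can be run over a real file after the agent has run to confirm the custom rules sit ahead of the RELATED,ESTABLISHED rule.

```python
import re
from typing import List

# Anchor regex from the body location above: custom rules go before the first
# matching line, so iptables (first match wins) sees them ahead of the generic
# RELATED,ESTABLISHED accept rule.
ANCHOR = re.compile(r"^-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED.*")

CUSTOM_RULES = [
    "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttp' -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -m comment --comment 'apacheHttps' -j ACCEPT",
]

# Constructed iptables-save style sample standing in for /etc/sysconfig/iptables
# (hypothetical content, not copied from a sipXecs installation).
SAMPLE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def insert_before_anchor(text: str, rules: List[str]) -> str:
    """Mimic insert_lines + location: add only missing rules, before the anchor."""
    lines = text.splitlines()
    missing = [r for r in rules if r not in lines]  # insert_lines is idempotent
    if not missing:
        return text
    for i, line in enumerate(lines):
        if ANCHOR.match(line):
            lines[i:i] = missing
            return "\n".join(lines) + "\n"
    raise ValueError("anchor rule not found; custom rules would not be inserted")

def rules_precede_anchor(text: str, rules: List[str]) -> bool:
    """Post-edit check: every custom rule must appear before the anchor line."""
    lines = text.splitlines()
    anchor_idx = next(i for i, l in enumerate(lines) if ANCHOR.match(l))
    return all(r in lines[:anchor_idx] for r in rules)

if __name__ == "__main__":
    edited = insert_before_anchor(SAMPLE, CUSTOM_RULES)
    print(edited)
    print("ordering ok:", rules_precede_anchor(edited, CUSTOM_RULES))
```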

Adding Custom Rules to the Firewall Configuration

...