[bug]: Firewall - Interfaces

[Andsup]

FreePBX Version

FreePBX 17

Issue Description

On a fresh freepbx 17 beta install, I added some trusted IP and networks in the firewall configuration. Responsive Firewall is active. No way to move the only one interface (ns3) to “Internet (default firewall)”

After “update interfaces”, status is back to “trusted”.

Another issue with the firewall: the wireguard ‘wg0’ interface is not listed on the interfaces screen. Visible on the dashboard but not in the firewall.

Operating Environment

Debian 12.5 freepbx 17 - edge mode fully updated FreePBX 17.0.15.13 System Firewall 17.0.1.14

Relevant log output

No response

[nobe80]

can agree

[kguptasangoma]

firewall v17.0.1.16 sysadmin v17.0.1.57

[Andsup]

Just run:

• fwconsole ma upgradeall
• firewall ==> 17.0.1.16
• sysadmin ==> 17.0.1.57
• fwconsole restart

FreePBX 17.0.15.14

but still same the issue on the interfaces screen.

[kguptasangoma]

thanks a lot @Andsup for the quick response, will check this early next week.

[prashobkarimbil]

HI @Andsup

Can you share the structure of /etc/network/interfaces.d/ directory? Also, if there is a file named ens3 within this directory, please share it's content.

[Andsup]

HI,

The requested info :

root@pbx:~# ll -R /etc/network/ /etc/network/: total 16 drwxr-xr-x 2 root root 4096 Apr 8 16:01 if-down.d drwxr-xr-x 2 root root 4096 Apr 8 15:59 if-post-down.d drwxr-xr-x 2 root root 4096 Jan 2 05:43 if-pre-up.d drwxr-xr-x 2 root root 4096 Apr 8 16:01 if-up.d

/etc/network/if-down.d: total 8 -rwxr-xr-x 1 root root 372 Nov 11 23:21 openvpn -rwxr-xr-x 1 root root 802 Jan 27 00:44 postfix

/etc/network/if-post-down.d: total 4 -rwxr-xr-x 1 root root 145 May 8 2023 chrony

/etc/network/if-pre-up.d: total 4 -rwxr-xr-x 1 root root 344 Dec 20 2022 ethtool

/etc/network/if-up.d: total 16 -rwxr-xr-x 1 root root 145 May 8 2023 chrony -rwxr-xr-x 1 root root 1685 Dec 20 2022 ethtool -rwxr-xr-x 1 root root 385 Nov 11 23:21 openvpn -rwxr-xr-x 1 root root 1185 Jan 27 00:44 postfix drwxr-xr-x 2 root root 4096 Apr 8 16:01 if-up.d

@.***:~# uname -a Linux xxxxxx 6.1.0-20-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64 GNU/Linux

@.***:~# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether fa:xx:xx:xx:xx:25 brd ff:ff:ff:ff:ff:ff altname enp0s3 inet xx.xx.xx.xx/32 metric 100 scope global dynamic ens3 valid_lft 82457sec preferred_lft 82457sec inet6 fe80::f816:3eff:fe3a:dc25/64 scope link valid_lft forever preferred_lft forever 13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet 192.168.y.y/32 scope global wg0 valid_lft forever preferred_lft forever

Best regards, A. Léonard

[kguptasangoma]

Hi @Andsup How did you configured your network interfaces? Is it via systemd network utility?

We are using /etc/network/interfaces.d/ but looks like you might be using systemd due to which interfaces are not working properly.

could you please quickly try to disable systemd network and let us know the behavior - systemctl stop systemd-networkd systemctl disable systemd-networkd systemctl stop systemd-networkd.socket systemctl disable systemd-networkd.socket

Ref - https://forums.debian.net/viewtopic.php?t=155463

[Andsup]

This is a VPS with the standard Debian 12 image from the provider (OVH).

So no physical access, only via the network : quite risky to modify the IP setup...

Currently I activated firewalld, doing correctly the job, except that sometimes your code disable it. Avoiding that service stop, could be a workaround.

Moving away from a full home distro, is quite challenging. Thanks for your effort on it.

[kguptasangoma]

thanks @Andsup I can understand playing with network settings might not be good for you. Can you please confirm if you are using systemd.networkd to configure your networks and config files are present in as explained in https://wiki.archlinux.org/title/systemd-networkd#Configuration_files path ?

[Andsup]

HI,

Indeed systemd-networkd, systemd-resolved, systemd-networkd-wait-online … are active. Via cloud-init network-config

@.***:~# systemctl | grep network sys-devices-pci0000:00-0000:00:03.0-virtio0-net-ens3.device loaded active plugged Virtio network device sys-subsystem-net-devices-ens3.device loaded active plugged Virtio network device cloud-init-local.service loaded active exited Initial cloud-init job (pre-networking) systemd-network-generator.service loaded active exited Generate network units from Kernel command line systemd-networkd-wait-online.service loaded active exited Wait for Network to be Configured systemd-networkd.service loaded active running Network Configuration systemd-networkd.socket loaded active running Network Service Netlink Socket network-online.target loaded active active Network is Online network-pre.target loaded active active Preparation for Network network.target loaded active active Network

@.***:~# systemctl status systemd-networkd.service ● systemd-networkd.service - Network Configuration Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; preset: enabled) Active: active (running) since Thu 2024-04-18 19:00:30 CEST; 3 days ago TriggeredBy: ● systemd-networkd.socket Docs: man:systemd-networkd.service(8) man:org.freedesktop.network1(5) Main PID: 433 (systemd-network) Status: "Processing requests..." Tasks: 1 (limit: 2295) Memory: 2.2M CPU: 326ms CGroup: /system.slice/systemd-networkd.service └─433 /lib/systemd/systemd-networkd

Apr 19 18:45:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link UP Apr 19 18:45:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Gained carrier Apr 19 18:48:13 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link DOWN Apr 19 18:48:13 pbx.wiseavocats.be systemd-networkd[433]: wg0: Lost carrier Apr 19 18:48:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link UP Apr 19 18:48:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Gained carrier Apr 19 19:06:13 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link DOWN Apr 19 19:06:13 pbx.wiseavocats.be systemd-networkd[433]: wg0: Lost carrier Apr 19 19:06:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Link UP Apr 19 19:06:23 pbx.wiseavocats.be systemd-networkd[433]: wg0: Gained carrier

[kguptasangoma]

Thanks @Andsup for the prompt reply so this explains why you are seeing different behavior.

currently Freepbx is depending on /etc/network/interfaces.d/ , so we need to see how we can optimize to use either networkd or stop networkd and force users to use "/etc/network/interfaces.d/".

[nobe80]

@kguptasangoma dont know if that helps. We also use a debian 12 vm from a provider. systemd is also inactive:

root@bitpbx:~# systemctl status systemd-networkd.service ○ systemd-networkd.service - Network Configuration Loaded: loaded (/lib/systemd/system/systemd-networkd.service; disabled; preset: enabled) Active: inactive (dead) TriggeredBy: ○ systemd-networkd.socket Docs: man:systemd-networkd.service(8) man:org.freedesktop.network1(5)

[kguptasangoma]

hi @nobe80 Are you also facing the same issue?

[nobe80]

hi @kguptasangoma

yes we faced also with the same issue but we dont want to use the freepbx firewall. For us it is enough to rely on fail2ban. To use the firewall is in our case unsuitable because the client ip change every day. Freepbx runs remotely.

[dolesec]

@nobe80 wrt to that IP changing everyday you could always add the fqdn as name in the networks and it will resolve to whatever the active IP address is on that day and allow access... combined with responsive firewall features and fail2ban sync it may get you where you want to be

[nobe80]

@dolesec no that is to complicate because you have to set a DNS too for every customer. We dont need the firewall, fail2ban is enough for us. With fail2ban and good passwords bruteforce attacks becomes useless.

[dolesec]

understood , just wanted to be sure you knew that was available... many firewalls such as Meraki assign a DDNS address to the active wan interface for the firewall - I use this name in my network definitions as a trusted network... its worked well thus far

[nobe80]

thanks @dolesec :) We mostly have freepbx remotly in our datacenter and the customers all at another location. All phones connect via https and with fail2ban + good passwords it is more than enough. Unfortunately we cannot create Lets encrypt certificate at current.

[chopsywa]

I loaded up the beta on a fresh Debian 12 today (Azure canned instance) and I have the same issue. There is no /etc/network/interfaces.d directory.

The system is running systemd-networkd

I masked and disabled systemd-networkd and systemd-networkd.socket services and created an interfaces file in /etc/network. The server now boots on its config files. That is several hours of my life I will never get back, but hopefully it is useful feedback. I think it is safe to say that on Debian 12 stock installs, the firewall is not going to work properly in its current format.

[BrandonAtACOM]

Same issue here. Installed FreePBX17 via install script on Debian 12 using DigitalOcean. I moved the config for the internet facing interface/subinterface to a config file in interface.d to resolve:

1. Copied eth0 (and eth0:1) config lines from /etc/network/interfaces, then commented them
2. Created /etc/network/interfaces.d/eth0 and pasted those config lines
3. Rebooted

[RadicalLinux]

This issue also exists on AWS Debian 12 AMI. We are unable to modify the network settings also, due to it being in the cloud.

● systemd-networkd.service - Network Configuration Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; pre> Active: active (running) since Tue 2024-04-30 20:51:32 CDT; 40min ago TriggeredBy: ● systemd-networkd.socket Docs: man:systemd-networkd.service(8) man:org.freedesktop.network1(5) Main PID: 418 (systemd-network) Status: "Processing requests..." Tasks: 1 (limit: 4687) Memory: 3.1M CPU: 47ms CGroup: /system.slice/systemd-networkd.service └─418 /lib/systemd/systemd-networkd

[kguptasangoma]

Please refer to https://github.com/FreePBX/issue-tracker/issues/127 where if the system is NOT using "networkd" then Freepbx can be used to configure the networks otherwise let user to manage the network configurations via networkd utility.

Thanks

[ramarajan222]

This issue is not fixed properly. The UI issue has been fixed on the latest firewall version 17.0.1.21 but it introduced the new issue https://github.com/FreePBX/issue-tracker/issues/171

[ramarajan222]

The firewall interface setting issue has been fixed with the latest firewall module (17.0.1.24), please give it a try after updating to the latest version. thanks.

[Andsup]

My config : network via netplan and systemd-network

• network management via system admin : not available ==> OK (my choice to let the default image setup ).
• firewall : interface ens3 is now correctly manage in the "Interfaces" tab. Could be set to "Internet (default firewall)"
• at a first check, freepbx firewall is doing the job

[sdwru]

I am still getting the following error in FreePBX GUI with all the latest modules installed.

Unable to configure networking service: systemd-networkd conflict

Was this supposed to be fixed to eliminate that error or am I supposed to disable that systemd service? I believe it is enabled by default on a new server install from most VPS providers.