anyone deployed on AWS Lightsail

s2svoip

Member
Dec 9, 2019
I had the same issue when I used a bare IP address in the whitelist; changing it to CIDR format resolved that (add a /32 to the end of the IP address).


The nftables.conf is pretty restrictive (the internet is a bad neighborhood), you'd need to modify it to be more permissive according to your needs.
Hmm, I tried adding /32, disabled and re-enabled nftables, and rebooted, but I still get the server 500 error. I could try and redo from the start.


So on a bigger-picture question here: the main issue is deploying on anything that doesn't have a direct external address. If you're behind NAT in any way then we run into these issues with nftables. I wonder if an option in the installer to either detect an internal address or ask yes/no to modify the nftables rules accordingly might be worthwhile? For my fusion deployments I have the EC2 / Lightsail firewall in front of the box with just the required ports exposed. This is assuming that some may wish to deploy in this scenario and that it is worth catering to?
 

s2svoip

Member
Dec 9, 2019
Yep, re-did it from the start with /32 in there and the firewall pages work.
 

s2svoip

Member
Dec 9, 2019
So I think there are more issues with nftables with this deployment type. I got an extension registered with no issue, but if I reboot the box, and it clears the SIP Customer list, the T43U does not re-register, it just sits at registering. If I add my external IP to the SIP customer list, then the endpoint registers right away.

I see in the general log some entries for WARNING Unauthorized: /provision/device_config/ but these were there before when the device was provisioning and registering with no issue
 

ardyhash

Member
Jan 7, 2021

You're right, it looks like it was designed to run on an internet facing host but AWS instances aren't exposed to the internet directly by default. Given that you're handling security before passing the traffic you may consider if a host based firewall is even needed in your use case. I still haven't gotten to the point of actually playing with it, my latest installation somehow failed to build freeswitch but I'm glad that you're now further along.
 

s2svoip

Member
Dec 9, 2019
The versatility of nftables would always lead me to want to run it, that and the fact it's how the system was designed. Right now I run my fusion instance with very strict firewalls and static IPs on all my clients. While I love this peace of mind, I would rather have the 20 packet white list going!
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
The system is designed to be run on an internet facing machine, I've even got it running on a Raspberry Pi connected directly to the internet.

There is no reason why you can't use the nftables firewall behind a NAT, all you need do is comment out the whole section:
# Drop IPv4s not in internet (RFC 1918, RFC 5735 etc.)

That should be sufficient to get you working.

TIP:
You can trace packets through nftables, this helps in debugging a complex firewall. You have to add a trace chain, but you can delete it afterwards, change the 1.2.3.4 for the IP you are interested in:

Code:
root~:# nft add chain inet filter trace_chain { type filter hook prerouting priority -501\; }
root~:# nft add rule inet filter trace_chain ip saddr 1.2.3.4 meta nftrace set 1
root~:# nft monitor trace
 

ardyhash

Member
Jan 7, 2021


Thanks for the tip about nftables tracing, I've never encountered/used nftables before but it looks pretty powerful.

Regarding the rpi running djangopbx and freeswitch, was it just an experiment or would you actually trust one to run your own phones? I had a pipe dream some time ago about a distributed system where customers would have a mini system like a raspberry pi on premise that would sync with the mothership for its settings and phones within a location would register locally to it instead of the internet. Customers would log into the portal on my servers to make changes, and those changes would propagate to their on premise mini pbxs, and if there's a network outage or something locally calls would be handled by the servers in the datacenter. Haven't really ironed out the details, seemed overly complex given their endpoints can just connect directly to my servers but thought I'd share the concept and get your thoughts. Feel free to rip it apart as I welcome criticism and my feelings aren't easily hurt.
 

s2svoip

Member
Dec 9, 2019
Thanks, that helped. How do you delete that chain? I am trying nft delete chain filter trace_chain
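
Added example (not part of the thread or of the project's own code): a POSIX shell helper that sets up the trace chain from the tip above and removes it again afterwards. The function names and the `NFT` override variable are assumptions made for this example; the chain is removed with the `inet` family named, because `nft` assumes the `ip` family when none is given.

```sh
#!/bin/sh
# Added example: temporary nftables packet trace for one source IPv4 address.
# The inet/filter table and trace_chain name come from the thread; the function
# names and the NFT override are assumptions made for this example.
# Usage (as root):  . ./nft-trace.sh; trace_session 1.2.3.4
NFT=${NFT:-nft}    # set NFT="echo nft" to print the commands instead of running them
FAMILY=inet TABLE=filter CHAIN=trace_chain

# Accept only a dotted-quad IPv4 address, since the value is placed into a rule.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Create the trace chain and mark packets from the given source for tracing.
trace_start() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    $NFT add chain "$FAMILY" "$TABLE" "$CHAIN" \
        '{ type filter hook prerouting priority -501; }' || return 1
    $NFT add rule "$FAMILY" "$TABLE" "$CHAIN" ip saddr "$1" meta nftrace set 1 ||
        { trace_stop; return 1; }
}

# Remove the chain again. The family must be named: nft assumes "ip" when it
# is omitted, and this chain lives in the inet family. Flushing first keeps
# the delete working where a non-empty chain cannot be deleted.
trace_stop() {
    $NFT flush chain "$FAMILY" "$TABLE" "$CHAIN" &&
    $NFT delete chain "$FAMILY" "$TABLE" "$CHAIN"
}

# Trace until interrupted (Ctrl-C), then clean up.
trace_session() {
    trace_start "$1" || return
    trap : INT TERM          # Ctrl-C stops the monitor, not this shell
    $NFT monitor trace
    trap - INT TERM
    trace_stop
}
```
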
 

s2svoip

Member
Dec 9, 2019
So I did another deployment, on Azure this time, and documented my steps. Following everything, I am getting a server error 500 for nftables. I put my IP in with /32 but still no dice, so I am not locked out of the deployment, but nftables is not running.

root@django1:~# /usr/sbin/nft list set netdev filter ipv4_block_list
Error: No such file or directory
list set netdev filter ipv4_block_list
^^^^^^

Is there a way to fix this instead of doing a new install?
 

s2svoip

Member
Dec 9, 2019
OK, I think I got it sorted. I did not purge iptables before my install so I think that caused an issue, but here is how I fixed nftables:

apt purge nftables
apt-get install -y nftables
cp /home/django-pbx/pbx/pbx/resources/etc/nftables.conf /etc/nftables.conf
chmod 755 /etc/nftables.conf

Edit nftables.conf as you did in the install, then enable and reboot.
 