CSF causing calls to drop

Status
Not open for further replies.

Andyd358

Member
Aug 23, 2018
243
8
18
55
UK
Hi

Came across a strange one today: a previous Fusion installation was having issues with delayed calls. While checking it, it seems as though CSF had not been installed. I updated Fusion and then installed CSF. I added the SBC IP address to the access control list and also to the allow list in CSF.

Now when I call in it makes the connection but drops after it connects. Looking at the active calls, it rings the ring group then drops. If I disable CSF it works a treat. Has anybody seen this behaviour before?

Any help would be very welcome.
 

Andyd358

Sorry if my reply seemed a little short, just out of ideas why this is happening and getting frustrated.
 

Andyd358

CSF is not part of the FusionPBX installer. Why would you knee-jerk install it?
Dropped calls and not being able to answer calls is very much the calling card of misconfigured routers/firewalls.
We use CSF on all of our installations; it adds an extra layer of security, and we only allow the IP address of the SBC. This setup is the only one that I have a problem with. It started with a delay on the calls; for example, there can be a 5 second delay when speaking. Sometimes it's OK and other times it's got a delay.
 

Andyd358

Turns out the delay could be down to another reason: it seems that there is an intermittent speed fault on the broadband line. We are getting that checked out first to see if it's the issue.
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,412
376
83
I know nothing about CSF, but I'm pretty sure you don't need it from a fusionPBX point of view. The default Fusion install makes use of iptables which is part of the operating system and is very very flexible. In addition to this it further hardens the system by adding fail2ban.

You can see what is currently active with:
Code:
iptables -nL

You can see / edit the existing IPv4 firewall rules in /etc/iptables/rules.v4. I always add a few more rules myself like blocking NEW without SYN and fragments as well as invalid combinations of TCP flags like SYN,FIN and SYN,RST for example.

I also allow only our SIP trunk provider's IP to access the external profile.

Once you have made changes execute the following commands:
Code:
service fail2ban stop
service netfilter-persistent reload
service fail2ban start

As I said earlier, I know nothing about CSF but from what I gather with a quick "Google" it appears to manipulate iptables - no surprise there! Be careful, you could run into issues if CSF knows nothing about your fail2ban configuration.
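
The extra rules described in the post above, written out as an added example (not code from the thread or from the FusionPBX installer). It assumes the INPUT chain, the external profile on port 5080 for both UDP and TCP, and a constructed trunk address, 203.0.113.10.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables-restore lines to merge
# into the *filter section of /etc/iptables/rules.v4, ahead of any existing
# ACCEPT rule for the same port. Assumed: INPUT chain, external profile on 5080.
SIP_EXT_PORT=5080

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255,
# so nothing but an address can end up in the generated rule text.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

gen_rules() {
    trunk_ip=$1
    if ! valid_ipv4 "$trunk_ip"; then
        echo "gen_rules: not an IPv4 address: $trunk_ip" >&2
        return 1
    fi
    cat <<EOF
# TCP packets in state NEW that do not have SYN set
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# IPv4 fragments (large SIP-over-UDP messages can fragment: test calls after)
-A INPUT -f -j DROP
# Invalid TCP flag combinations
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# External SIP profile: trunk provider only, every other source dropped
-A INPUT -s $trunk_ip -p udp --dport $SIP_EXT_PORT -j ACCEPT
-A INPUT -s $trunk_ip -p tcp --dport $SIP_EXT_PORT -j ACCEPT
-A INPUT -p udp --dport $SIP_EXT_PORT -j DROP
-A INPUT -p tcp --dport $SIP_EXT_PORT -j DROP
EOF
}

# 203.0.113.10 is a constructed documentation address, not a real provider.
gen_rules 203.0.113.10
```

After merging the lines, `iptables-restore --test < /etc/iptables/rules.v4` parses the file without applying it, which catches syntax errors before the reload commands are run.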
 

Andyd358

Thanks for your help, I will have a look at it when I'm back at work.
 

Davesworld

Member
Feb 1, 2019
90
11
8
64
I know this is an old thread, but CSF on a PBX is like using a garden rake to comb your hair; leave it to Red Hat to come up with such a thing. It is called ConfigServer Security and Firewall. It is here: https://www.configserver.com/cp/csf.html This is gross overkill and interfering for a PBX, hence my first statement. It does make use of IPTables as well as a plethora of other programs, most of which have no place on a PBX. One only needs a small number of specific ports open, and some can be limited to which IPs can even access them, such as the external port 5080 for your providers to access, so anything you need can easily be done by hand in minutes. I prefer Netfilter and NFTables over IPTables.

I have an installation that is dual stack, and it is easy to have rules that work on either v4 or v6 with Netfilter and NFTables, so I converted mine. Tools are built in to convert IPTables IPv4 and IPv6, Arptables and Ebtables to Netfilter rules. Fail2ban works with either system.

I prefer Debian as a basis for a FusionPBX server. I'm not interested in an RPM based distro. The only one I like is OpenSuSE but would certainly not use it as a basis for a PBX, Redhat even less so.
 