New install, firewall or nginx trouble

chrismaster

New Member
Feb 4, 2025
4
0
1
80
Did a new install following the DjangoPBX video on an RPi 4.

When I login into the portal, I can access the API and Admin from Admin Tools, there are no problems.
But if I try to access the OS Dashboard or anything else from the Portal, the firewall stops me from accessing the Portal. Also the Admin Tools with API and Admin are then blocked. I have to systemctl restart nftables.service to access the board again. Then the same.... Admin Tools are ok, but when I click any other link, everything is blocked.
My IP is in ipv4_white_list in /etc/nftables.conf, but I don't think this is the problem. Why should accessing the board blacklist my IP? (And it blocks only 443 and 80; I can still register my SIP client from this IP.)
If I systemctl stop nftables.service, the whole board works.....
Anyone got an idea?
Thx
Chris

Version: 0.5.0
Git Commit: 8400e7d17459b85f97ef1b62c0367e5fd4817429
Git Origin: https://codeberg.org/DjangoPBX/DjangoPBX

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,524
442
83
Hi Chris,
I think the "protecting the web interface" mechanism can be a little overzealous at times; I think I may need to relax it a little.
If you log in via ssh, then as root or sudo from django-pbx, you can run the web block list shell script:
Code:
fw-delete-ipv4-web-block-list.sh <IP ADDRESS>

You can stop yourself (or any trusted IP address) from getting banned by adding the IP to the "portal" "ignore_fail_address" setting. This is an array type variable, so you can add many with the same category names. See screenshot below:

Screenshot from 2025-02-05 18-56-26.png

chrismaster

New Member
Feb 4, 2025
4
0
1
80
There is another one I don't get....
If my IP range is in 192.168.44.0/24 or 192.168.144.0/24 I know how to set the firewall rules...
ATM I know these three points. (Depending on whether it is a phone or only web access, I need to change all or only some.)
  1. ignore_fail_address in admin interface
  2. ipv4_sip_customers in nftables.conf
  3. ipv4_white_list in nftables.conf

But if it is e.g. in the range 10.0.0.0/24 I still have to disable the firewall to get access.
Do you have any clue, where to look at?

I only found chain ingress, where 10.0.0.0/24 is in, but 192.168.44.0/24 or 192.168.144.0/24 are not. But ATM I don't understand nftables.conf at all; I have only used firewall-cmd.
Thx
chris

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,524
442
83
Generally speaking you should not need to modify nftables.conf.

ignore_fail_addresses is for access to the web portal only, nothing to do with SIP. It is designed to hold the IP addresses associated with superusers so they cannot lock themselves out.

ipv4_sip_customers and ipv4_white_list can both be manipulated from within the application.

ipv4_white_list is used to allow access for sysadmins to services like ssh on port 22.

ipv4_sip_customers is populated following a successful registration; the system will only accept 20 SIP packets per hour from unregistered locations that are not gateways.

More information on the firewall operation can be found here:
https://www.djangopbx.com/static/documentation/architecture/firewall.html

The firewall is designed for operation with non-RFC 1918, RFC 5735 etc. addresses; if this becomes an issue then simply comment out the IP ranges in the ingress chain and reload the firewall.

NOTE: you will lose any application added items in the ipv4_sip_customers list when you reload. There are many strategies to overcome this but the simplest is to use the reinstate function shown in the documentation above.

Kind regards, Adrian.
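The reply above notes that reloading the ruleset with `nft -f` wipes the application-added entries in ipv4_sip_customers, and that they must be reinstated afterwards. The script below is an added example of one way to do that from the shell; it is not DjangoPBX project code and not the reinstate function from the documentation. It assumes the set lives in a table called `inet filter` and that the ruleset file is /etc/nftables.conf (neither is stated in the thread; adjust the variables to match your install). The parser works on the standard `nft list set` output layout, which wraps long element lists across several lines, and the embedded sample output is constructed for illustration.

```shell
#!/bin/sh
# Added example (not DjangoPBX project code): keep the dynamically
# populated ipv4_sip_customers set across an nftables ruleset reload.
# Assumptions (not from the thread): table "inet filter", ruleset file
# /etc/nftables.conf. Override via environment variables if different.

TABLE_FAMILY="${TABLE_FAMILY:-inet}"
TABLE_NAME="${TABLE_NAME:-filter}"
SET_NAME="${SET_NAME:-ipv4_sip_customers}"
RULESET="${RULESET:-/etc/nftables.conf}"

# Constructed sample of `nft list set inet filter ipv4_sip_customers`
# output (documentation addresses, not real customers).
SAMPLE_NFT_OUTPUT='table inet filter {
    set ipv4_sip_customers {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.5, 198.51.100.7,
                     192.0.2.9 }
    }
}'

# Read `nft list set` output on stdin and print one element per line.
# Handles the "elements = { a, b,\n c }" layout nft uses for long sets
# and drops any "expires ..." remainder so the element can be re-added.
extract_set_elements() {
    awk '
        /elements = \{/ { inside = 1; sub(/.*elements = \{/, "") }
        inside {
            if (index($0, "}")) { sub(/\}.*/, ""); done = 1 }
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                sub(/ expires .*/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
            if (done) { inside = 0; done = 0 }
        }
    '
}

# Run the parser over the constructed sample (no nft binary needed).
demo_extract() {
    printf '%s\n' "$SAMPLE_NFT_OUTPUT" | extract_set_elements
}

# Count the elements the parser found in the constructed sample.
demo_count() {
    demo_extract | grep -c .
}

# Save the live set, reload the ruleset, then re-add each saved element.
# Requires root and a working nft; not run automatically by this script.
reload_keeping_sip_customers() {
    saved=$(nft list set "$TABLE_FAMILY" "$TABLE_NAME" "$SET_NAME" | extract_set_elements)
    nft -f "$RULESET"
    printf '%s\n' "$saved" | while IFS= read -r el; do
        [ -n "$el" ] || continue
        nft add element "$TABLE_FAMILY" "$TABLE_NAME" "$SET_NAME" "{ $el }"
    done
    echo "reloaded $RULESET and reinstated $(printf '%s\n' "$saved" | grep -c .) element(s)"
}
```

Call `reload_keeping_sip_customers` as root instead of a bare `nft -f /etc/nftables.conf` whenever you edit the ingress chain. Elements are re-added one at a time so that a single malformed entry fails on its own rather than aborting the whole restore.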