How to configure vicibox10 firewall with dynamic ip list

    In this article you are going to learn how to configure the firewall in vicibox10 with dynamic portal. If you are using vicibox 10 and dynamic IP's are not white listed by the default firewall then this article is for you. Here I have provided solutions to solve the firewall issue in vicibox 10 in which the IP' added via dynamic portal are not added in the dynamic white list rule.

vicibox 10 dynamic portal configuration with dynamic ip list

Vicibox 10 and Firewall Issue

    The Recent release of Vicibox10 (ViciBox_v10.x86_64-10.0.0.iso ), have some bugs  with respect to dynamic portal for dynamic ip list and public zone. which has been resolved in the next version 10.0.1. if you still use the major release of vicibox 10 follow this article to resolve the firewall white listing issue.

Vicibox 10 BUG's/Issues

1. Dynamic IP's getting added in blackips IPSET list.

2. IPSet Public Zone missing the rules for all List like whiteips,whitenets,dynamic clist for the services like asterisk,apache2,apache2-ssl

Solution For vicidial10 firewall

In this blog i will be covering both the bug fix and configuration steps for the  vicibox 10 dynamic portal with whitelist ,dynamic ip list.

VICIbox Server is the official installation CD for the VICIDIAL Call Center Suite. It is based off of OpenSuSE server, and will properly install the VICIDIAL Call Center Suite with relative ease.

The ViciBox-Firewall is an integration of the underlying firewall in the OS, various features of ViciDial, and some add-on ViciBox features. This allows for the relatively easy administration of all network access to the various features of ViciDial. The firewall integration itself supports a Black list, a White list, a Dynamic List with a user authentication portal

Firewalld/IPSET/Nftable

Vicibox 10 Dynamic Portal use three major components

1. IPSET

2. nftables

3. Firewalld

ipset is a companion application for the iptables Linux firewall. It allows you to setup rules to quickly and easily block a set of IP addresses, among other things.

nftables is a Linux packet classification framework that replaces the Netfilter infrastructure behind iptables, ip6tables, arptables, and ebtables ,

firewalld is a zone-based firewall. Zone-based firewalls are network security systems that monitor traffic and take actions based on a set of defined rules applied against incoming/outgoing packets.

it is better to have knowledge in these components ,which helps in troubleshooting and understand how vicibox dynamic portal works, Check out my youtube video on Vicibox 10 firewall Video tutorial

STEP 1: Bug fix the VB-firewall code.

SSH to the server,  Edit the VB-firewall and replace IPBLACK to IPDYNAMIC at line no 763

vi +763 /usr/bin/VB-firewall

doipnetslist(\@dynamicips, $IPBLACK, "X", "DynamicList");

to

doipnetslist(\@dynamicips, $IPDYNAMIC, "X", "DynamicList");

or run the below command to replace the word IPBLACK to IPDYNAMIC

cd /usr/bin/

sed -i '763s/IPBLACK/IPDYNAMIC/' VB-firewall

STEP 2: Fix the Public Zone missing Rules.

<rule family="ipv4">

    <source ipset="whiteips"/>

    <service name="apache2"/>

    <accept/>

  </rule>

  <rule family="ipv4">

    <source ipset="whitenets"/>

    <service name="apache2"/>

    <accept/>

  </rule>

  <rule family="ipv4">

    <source ipset="dynamiclist"/>

    <service name="apache2"/>

    <accept/>

  </rule>

  <rule family="ipv4">

    <source ipset="whiteips"/>

    <service name="apache2-ssl"/>

    <accept/>

  </rule>

  <rule family="ipv4">

    <source ipset="whitenets"/>

    <service name="apache2-ssl"/>

    <accept/>

  </rule>

  <rule family="ipv4">

    <source ipset="dynamiclist"/>

    <service name="apache2-ssl"/>

    <accept/>

  </rule>

  <rule family="ipv4">

    <source ipset="whiteips"/>

    <service name="asterisk"/>

    <accept/>

  </rule>

  <rule family="ipv4">

    <source ipset="whitenets"/>

    <service name="asterisk"/>

    <accept/>

  </rule>

  <rule family="ipv4">

    <source ipset="dynamiclist"/>

    <service name="asterisk"/>

    <accept/>

  </rule>

</zone>

STEP 3: Activate IP list Admin

STEP 4: Attach the Public Zone to the Interface.

STEP 5: Removing the default services from Public zone and add viciportal, viciportal-ssl service

Finally Select Accept or press ALT+A to save the changes.

STEP 6: Add the VB-firewall in crontab

type crontab -e and at the last line and delete below entries

@reboot /usr/bin/VB-firewall --voipbl --noblack --quiet

0 */6 * * * /usr/bin/VB-firewall --voipbl --noblack --flush --quiet

Then add the below entries

@reboot /usr/bin/VB-firewall --white --dynamic --quiet

* * * * * /usr/bin/VB-firewall --white --dynamic --quiet

Finaly give reboot to the server 

type reboot. 

STEP 7: Test the dynamic Portal

Access the Vicibox dynamic portal and authenticate to add your ip in dynamic whitelist

for http type

http://vicibox-ip:81/valid8.php

for https type

https://vicibox-ip:446/valid8.php

STEP :8 , Commands to test the Firewall,ipset,nftables

ipset --list  -- check your IP is listed in respective IP set name

firewall-cmd --list-all  - to check services and rules in public zone




nft list table inet firewalld - list the nftables rules.

Conclusion: