VitalPBX Firewall/Fail2Ban discussion

Hi everyone,

Here I would like to discuss an improvement to the firewall to be able to make use of the firewall while still maintaining a whitelist of trusted IPs.

The current situation:

You have the firewall, which seems to modify iptables, and then you have fail2ban, which monitors and successfully bans IPs that have too many bad attempts.
Then you have the whitelist, which allows you to whitelist an IP; that basically allows any traffic from whitelisted IPs.


The problem:

If you whitelist a client’s IP, any rule you create in the firewall will NOT affect this IP.
So for example, if you only want to expose the ARI port, or any other custom port, to specific IPs, all IPs in the whitelist will still be able to access these ports.
There are many more examples…


The suggested solution:

In iptables, give the firewall rules a higher priority than the whitelist.
Meaning, let’s say we try to register an endpoint:

  • IP tries to register.
  • Check iptable rules if the firewall has any rules to prevent this IP/port from being accessed.
    • Found a preventing rule: drop
    • Did not find one: continue
  • Allow IP to register.
  • If many failed attempts happen, let fail2ban decide
    • If IP is whitelisted: Allow further attempts.
    • If IP is NOT whitelisted: block the IP.

Important Note: An IP that was banned by fail2ban should still have the top priority, as we do not want them to be able to process anything.

This solution prevents trusted/whitelisted IPs from getting banned and immediately drops traffic from all banned IPs, while at the same time giving you the ability, via the firewall, to control traffic for literally every kind of incoming request.


Some people suggested that perhaps this should be a toggle to enable/disable giving priority to the firewall rules.

Thank you

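To make the proposal concrete, here is an added Python model (not code from this thread or from VitalPBX) of the two evaluation orders under discussion: the current one as described above (fail2ban ban, then whitelist, then firewall rules) and the proposed one (fail2ban ban, then firewall rules, then whitelist, then the default open ports). All addresses, ports, rules and the fail2ban threshold are constructed sample values. The "expose ARI only to specific IPs" case is written as an allow rule followed by a catch-all drop, the way iptables expresses it, which goes slightly beyond the post's block-rule-only wording; the "block SSH from a trusted client" case raised later in the thread is included as well.

```python
"""Model of the two iptables evaluation orders discussed in this thread.
Added example, not VitalPBX code; addresses, ports and rules are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ACCEPT = "ACCEPT"
DROP = "DROP"


@dataclass(frozen=True)
class Rule:
    """One manually added firewall rule. src=None matches any source address."""
    dport: int
    action: str
    src: Optional[str] = None

    def matches(self, src: str, dport: int) -> bool:
        return dport == self.dport and (self.src is None or self.src == src)


@dataclass
class Policy:
    whitelist: Set[str]      # trusted IPs (one shared firewall/fail2ban whitelist, as in V3)
    rules: List[Rule]        # manually added firewall rules, first match wins
    open_ports: Set[int]     # "standard" ports open from anywhere by default
    maxretry: int = 5        # fail2ban threshold (assumed value)
    banned: Set[str] = field(default_factory=set)
    failures: Counter = field(default_factory=Counter)

    def record_failure(self, src: str) -> bool:
        """fail2ban side: count a bad attempt and ban at maxretry.
        Whitelisted IPs are never banned in either design. Returns True if src is banned."""
        if src in self.whitelist:
            return False
        self.failures[src] += 1
        if self.failures[src] >= self.maxretry:
            self.banned.add(src)
        return src in self.banned

    def first_match(self, src: str, dport: int) -> Optional[Rule]:
        for rule in self.rules:
            if rule.matches(src, dport):
                return rule
        return None

    def default_verdict(self, dport: int) -> str:
        return ACCEPT if dport in self.open_ports else DROP


def decide_current(pol: Policy, src: str, dport: int) -> Tuple[str, str]:
    """Order as described for today: ban -> whitelist -> firewall rules -> default."""
    if src in pol.banned:
        return DROP, "fail2ban"
    if src in pol.whitelist:
        return ACCEPT, "whitelist"      # trusted IP bypasses every firewall rule
    rule = pol.first_match(src, dport)
    if rule is not None:
        return rule.action, "firewall"
    return pol.default_verdict(dport), "default"


def decide_proposed(pol: Policy, src: str, dport: int) -> Tuple[str, str]:
    """Proposed order: ban -> firewall rules -> whitelist -> default."""
    if src in pol.banned:
        return DROP, "fail2ban"         # banned IPs keep top priority
    rule = pol.first_match(src, dport)
    if rule is not None:
        return rule.action, "firewall"  # explicit rules now outrank the whitelist
    if src in pol.whitelist:
        return ACCEPT, "whitelist"      # the whitelist still opens everything else
    return pol.default_verdict(dport), "default"


def make_policy() -> Policy:
    """Constructed sample: one trusted client, SSH blocked for it, ARI (8088) for one admin host only."""
    return Policy(
        whitelist={"203.0.113.10"},
        rules=[
            Rule(dport=22, action=DROP, src="203.0.113.10"),
            Rule(dport=8088, action=ACCEPT, src="198.51.100.5"),
            Rule(dport=8088, action=DROP),  # catch-all: ARI from nobody else
        ],
        open_ports={5060, 5061, 443},
    )


if __name__ == "__main__":
    pol = make_policy()
    for _ in range(pol.maxretry):
        pol.record_failure("192.0.2.77")    # stranger hammers registration, gets banned
        pol.record_failure("203.0.113.10")  # trusted client also fails, never banned
    scenarios = [
        ("203.0.113.10", 22, "trusted client -> SSH (blocked by rule)"),
        ("203.0.113.10", 8088, "trusted client -> ARI (admin host only)"),
        ("203.0.113.10", 5060, "trusted client -> SIP"),
        ("198.51.100.5", 8088, "admin host -> ARI"),
        ("192.0.2.77", 5060, "banned stranger -> SIP"),
    ]
    for src, port, label in scenarios:
        cur = decide_current(pol, src, port)
        new = decide_proposed(pol, src, port)
        print(f"{label:42} current={cur[0]:6} ({cur[1]:9}) proposed={new[0]:6} ({new[1]})")
```

Running it prints one line per scenario with the verdict under each order. The two orders only disagree where a manually added rule matches a whitelisted source (SSH and ARI for the trusted client); for everything else, including the never-banned trusted client and the always-dropped banned stranger, they agree.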

Vital V2 had two whitelists, one for the firewall and another for the intrusion detection. I believe it was changed in Vital V3 due to the fact that most people wanted their whitelisted IPs to also be whitelisted in fail2ban. Guessing this caused a lot of people to get banned by fail2ban, as they could have easily forgotten the two different whitelists.

I guess, there could be a toggle that enables manual control of the fail2ban whitelist when activated instead of copying the values of the firewall whitelist into fail2ban.

“If you whitelist a client’s IP, any rule you create in the firewall will NOT affect this IP.”

You state this as a problem. But it is exactly the purpose of a whitelist, to ensure that no other rule can block something there.

If you do anything else, it is no longer a whitelist. Why would you whitelist (i.e. tell the system to never block under any circumstance) and then hope to block it? If you don’t want it whitelisted, just don’t list it.

That would make it something quite different from a whitelist, then. This would be, at best, confusing. And, at worst, make us unable to whitelist which is a pretty important feature.

Nothing should be banned if it is in the whitelist. The point of having whitelisted something is, for example, to ensure that Fail2Ban cannot block it. That’s what the whitelist is for. Otherwise you can use Fail2Ban as a DoS attack from any IP. It would be a huge problem.

I think what you want is simply a more granular firewall rule set. It’s important to understand that the changes you want aren’t bad, they are simply not a whitelist. If you do what you describe, it is not whitelisting anymore. Nothing wrong with that. But that’s the fundamental confusion. Whitelist is a very specific thing, and if you start making exceptions, it stops being a whitelist.

I’d love to have greater firewall control, definitely. But I can’t have something called a whitelist that is no longer a whitelist. You can imagine the kind of confusion that would ensue when people have explicitly set something to be always open no matter what and then find out that the firewall disregarded the whitelist and blocked it anyway. People will shut off their firewalls as being broken.

I respectfully disagree. The fail2ban whitelist is intended to prevent good IPs from getting banned.

I’ll explain. What if you want to block SSH from said client? Or the opposite… Only allow SSH from said client. How can you do that right now? It is impossible.
See? In such scenario, I don’t want the client’s IP to get banned, so I will whitelist them, but I also don’t want them to be able to access SSH…

Not true. By default, VitalPBX allows the “standard” ports from anywhere, so unless you manually create a firewall rule to block specific traffic, it will continue to function and allow traffic like it is right now.

This is a bit contradictory.
You are right that the point of a whitelist is to avoid getting BANNED, but again, it does NOT mean that it should force you into ‘EVERYTHING should be allowed from a whitelisted IP’; there should still be a way, for example, to block a custom port or SSH even from a whitelisted IP.

Again and again and again. fail2ban’s job is to ban IPs that are doing something wrong. You can whitelist an IP in fail2ban to prevent it from getting blocked. That will continue to work like it is right now.

When you add a trusted IP to the whitelist, it means that you don’t want that IP to fail to register or get banned from any service/port that you want them to access. It does NOT mean that you need to lose control on everything they can access.

Important clarification: The firewall/fail2ban will continue to work like it is working right now. The only difference will be, that if you manually go to the firewall and add some sort of block rule, it will have priority over the fail2ban whitelist. That’s all.

This is an important topic that needs to get sorted.
I understand PitzKey better now.

Interested to know what the VitalPBX-Devs will say. Thanks