Here I would like to discuss an improvement to the firewall to be able to make use of the firewall while still maintaining a whitelist of trusted IPs.
The current situation:
You have the firewall, which seems to modify iptables, and then you have fail2ban, which monitors and successfully bans IPs that have too many bad attempts.
Then, you have the whitelist, which allows you to whitelist an IP, that basically allows any traffic from whitelisted IPs.
The problem:
If you whitelist a client's IP, any rule you create in the firewall will NOT affect this IP.
So for example, if you only want to expose the ARI port or any other custom ports only from specific IPs, all IPs in the whitelist will still be able to access these ports.
There are many more examples…
The suggested solution:
In iptables, give the firewall rules a higher priority than the whitelist.
Meaning, let's say we try to register an endpoint:
IP tries to register.
Check iptable rules if the firewall has any rules to prevent this IP/port from being accessed.
Found prevent: drop
Did not find: continue
Allow IP to register.
If many failed attempts happen, let fail2ban decide
If IP is whitelisted: Allow further attempts.
If IP is NOT whitelisted: block the IP.
Important Note: An IP that was banned by fail2ban should still be the top priority, as we do not want them to be able to process anything.
This solution prevents trusted/whitelisted IPs from getting banned, immediately drops traffic from all banned IPs, while at the same time it also gives you the ability via the firewall to control traffic for literally every kind of incoming request.
Some people suggested that perhaps this should be a toggle to enable/disable giving priority to the firewall rules.
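To make the ordering argument concrete, here is an added first-match simulation of the two chain orders (not code from the thread or from VitalPBX): the whitelist-first order the thread says exists today, and the proposed order with fail2ban bans first, then explicit firewall rules, then the whitelist accept. The IPs are documentation-range samples and port 8088 is assumed as the ARI port.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    src: Optional[str]    # source IP, None = any source
    dport: Optional[int]  # destination port, None = any port
    action: str           # "ACCEPT" or "DROP"

    def matches(self, ip: str, port: int) -> bool:
        return (self.src in (None, ip)) and (self.dport in (None, port))

def evaluate(chain: List[Rule], ip: str, port: int, default: str = "ACCEPT") -> str:
    """Walk a flat rule list iptables-style: the first matching rule decides."""
    for rule in chain:
        if rule.matches(ip, port):
            return rule.action
    return default

def current_chain(whitelist, banned, firewall_rules):
    """Order the thread describes today: the whitelist accepts everything first."""
    return ([Rule(ip, None, "ACCEPT") for ip in whitelist]
            + [Rule(ip, None, "DROP") for ip in banned]
            + list(firewall_rules))

def proposed_chain(whitelist, banned, firewall_rules):
    """Proposed order: fail2ban bans, then explicit firewall rules, then whitelist.
    fail2ban itself is assumed to still honour the whitelist when choosing whom
    to ban, so a trusted IP normally never appears in `banned`."""
    return ([Rule(ip, None, "DROP") for ip in banned]
            + list(firewall_rules)
            + [Rule(ip, None, "ACCEPT") for ip in whitelist])

# Constructed sample (documentation ranges, not real hosts).
WHITELIST = ["203.0.113.10"]               # trusted client
BANNED = ["198.51.100.7"]                  # fail2ban has banned this one
FIREWALL = [
    Rule(None, 22, "DROP"),                # nobody reaches SSH, trusted client included
    Rule("203.0.113.10", 8088, "ACCEPT"),  # ARI only from the trusted client
    Rule(None, 8088, "DROP"),              # (8088 assumed as the ARI port)
]

def compare(ip: str, port: int) -> dict:
    """Verdict for one packet under both orderings."""
    return {
        "current": evaluate(current_chain(WHITELIST, BANNED, FIREWALL), ip, port),
        "proposed": evaluate(proposed_chain(WHITELIST, BANNED, FIREWALL), ip, port),
    }
```

`compare("203.0.113.10", 22)` shows the difference the proposal is about: the trusted client still reaches SSH today, but is dropped by the explicit rule under the proposed order, while its SIP traffic on 5060 is accepted either way.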
Vital V2 had two whitelists, one for the firewall and another whitelist for the intrusion detection. I believe it was changed in Vital V3 due to the fact most people wanted their whitelisted IPs to be also whitelisted in fail2ban. Guessing this caused a lot of people to get banned by fail2ban as they could have easily forgotten the two different whitelists.
I guess, there could be a toggle that enables manual control of the fail2ban whitelist when activated instead of copying the values of the firewall whitelist into fail2ban.
"If you whitelist a client's IP, any rule you create in the firewall will NOT affect this IP."
You state this as a problem. But it is exactly the purpose of a whitelist, to ensure that no other rule can block something there.
If you do anything else, it is no longer a whitelist. Why would you whitelist (e.g. tell the system to never block under any circumstance) and then hope to block it? If you don't want it whitelisted, just don't list it.
That would make it something quite different from a whitelist, then. This would be, at best, confusing. And, at worst, make us unable to whitelist which is a pretty important feature.
Nothing should be banned if it is in the whitelist. The point of having whitelisted something is, for example, to ensure that Fail2Ban cannot block it. That's what the whitelist is for. Otherwise you can use Fail2Ban as a DoS attack from any IP. It would be a huge problem.
I think what you want is simply a more granular firewall rule set. It's important to understand that the changes you want aren't bad, they are simply not a whitelist. If you do what you describe, it is not whitelisting anymore. Nothing wrong with that. But that's the fundamental confusion. Whitelist is a very specific thing and if you start making exceptions, it stops being a whitelist.
I'd love to have greater firewall control, definitely. But I can't have something called a whitelist that is no longer a whitelist. You can imagine the kind of confusion that would ensue when people have explicitly set something to be always open no matter what and then find out that the firewall disregarded the whitelist and blocked it anyway. People will shut off their firewalls as being broken.
I respectfully disagree. The fail2ban whitelist is intended to prevent good IPs from getting banned.
I'll explain. What if you want to block SSH from said client? Or the opposite… Only allow SSH from said client. How can you do that right now? It is impossible.
See? In such a scenario, I don't want the client's IP to get banned, so I will whitelist them, but I also don't want them to be able to access SSH…
Not true. By default, VitalPBX allows the "standard" ports from anywhere, so unless you manually create a firewall rule to block specific traffic, it will continue to function and allow traffic like it is right now.
This is a bit contradictory.
You are right that the point of a whitelist is to avoid getting BANNED, but again, it does NOT mean that it should force you into "EVERYTHING should be allowed from a whitelisted IP"; there should still be a way, for example, to block a custom port or SSH even from a whitelisted IP.
Again and again and again. fail2ban's job is to ban IPs that are doing something wrong. You can whitelist an IP in fail2ban to prevent it from getting blocked. That will continue to work like it is right now.
When you add a trusted IP to the whitelist, it means that you donât want that IP to fail to register or get banned from any service/port that you want them to access. It does NOT mean that you need to lose control on everything they can access.
Important clarification: The firewall/fail2ban will continue to work like it is working right now. The only difference will be that if you manually go to the firewall and add some sort of block rule, it will have priority over the fail2ban whitelist. That's all.