fbpx
Home » Blog » Asterisk/Vicidial » How to Use ViciDial Firewalld via command line

How to Use ViciDial Firewalld via command line

How to Use Vicidial Firewall via command line

How to Use ViciDial Firewalld via command line. With the widespread use of ViciDial firewall, it is important for today’s IT professionals to learn how to use the tool in a secure and efficient manner. This article will explain how to use ViciDial firewall via command line.

First of all, you will need to login to the ViciDial console and enter the commands that correspond to the firewall configuration. The most common command used to configure the firewall is called “firewalld”. This command has a series of options that allow you to configure the firewall with custom settings.

Once you have entered the firewalld command, you can begin to customize the firewall to your specifications. You can specify which domains and ports are allowed, as well as which services and applications can be accessed through the firewall. You can also create custom rules to block certain types of traffic or allow certain types of traffic.

Once the security measures have been implemented, the last step is to test the firewall. This can be accomplished by attempting to connect to it from an external source. If the connection is successful, then the firewall is working as expected.

Overall, using ViciDial Firewalld via command line is a straightforward process that can help IT professionals maintain a secure and efficient network. When configuring the firewall, it is important to be aware of the risks and to make sure that all security measures are implemented properly. With these tips, you can ensure the highest level of security and reliability.

How to Use ViciDial Dynportal Firewalld via command line. In this short post is just going to briefly go over the more common commands you need in order to manage firewalld and make sure you keep your servers safe. This firewall works in conjunction with the dynamic portal for ViciDial as well as the built in whitelist initially named ViciWhite in the IP list area in Admin.

Time needed: 5 minutes

Ho to Enable Vicidial firewalld and Dynportal Systemctl

  1. Enable firewalld

    This makes sure that firewalld will be started automatically with the server.

    systemctl enable firewalld

  2. Start firewalld

    After the firewalld service is enabled, you’ll need to start it manually the first time. This is how you would manually start firewalld if it were not already running.

    systemctl start firewalld

  3. Stop firewalld

    When troubleshooting rules and connection issues, you may need to stop the fireawlld service momentarily. You can stop the service with the following command.

    systemctl stop firewalld

  4. Restart firewalld

    If for some reason, you need to restart the service, you can do that with the systemctl restart command.

    systemctl restart firewalld

  5. Firewalld status

    Checking the status of the service gives us the most meaningful and informative output. Here you can see whether the service is enabled, running, failed, or anything else.

    systemctl status firewalld

    In this example output, you can see that the service is enabled, active, and running on the server. If it were not running or in a failed state, this would be displayed.

    [root@alma ~]# systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
    Active: active (running) since Tue 2019-01-22 22:50:32 EST; 1h 0min ago
    Main PID: 808 (firewalld)
    CGroup: /system.slice/firewalld.service
    └─808 /usr/bin/python -Es /usr/sbin/firewalld u002du002dnofork u002du002dnopid

Managing Firewalld and Configuring Rules

Now that we have firewalld running, we can get down to set the configuration. We can open ports, allow services, whitelist IPs for access, and more.

In all of these examples, we include the –permanent flag. This is important to make sure a rule is saved even after you restart firewalld, or reboot the server. Once you’re done adding new rules, you need to reload the firewall to make the new rules active.

Add a Port for TCP or UDP

You do have to specify TCP or UDP and to open a port for both. You will need to add rules for each protocol.

firewall-cmd --permanent --add-port=22/TCP
firewall-cmd --permanent --add-port=53/UDP

Remove a Port for TCP or UDP

Using a slight variation on the above structure, you can remove a currently open port, effectively closing off that port.

firewall-cmd --permanent --remove-port=444/tcp

Add a Service

These services assume the default ports configured within the /etc/services configuration file; if you wish to use a service on a non-standard port, you will have to open the specific port, as in the example above.

firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http

Remove a Service

As above, you specify the remove-service option, and you can close off the port that is defined for that service.

firewall-cmd --permanent --remove-service=mysql

Whitelist an IP Address

To whitelist or allow access from an IP or range of IPs, you can tell the firewall to add a trusted source.

firewall-cmd --permanent --add-source=192.168.1.100

You can also allow a range of IPs using what is called CIDR notation. CIDR is outside the scope of this article but is a shorthand that can be used for noting ranges of IP addresses.

firewall-cmd --permanent --add-source=192.168.1.0/24

Remove a Whitelisted IP Address

To remove a whitelisted IP or IP range, you can use the –remove-source option.

firewall-cmd --permanent --remove-source=192.168.1.100

Block an IP Address

As the firewall-cmd tool is mostly used for opening or allowing access, rich rules are needed to block an IP. Rich rules are similar in form to the way iptables rules are written.

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"

You can again use CIDR notation also block a range of IP addresses.

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

Whitelist an IP Address for a Specific Port (More Rich Rules)

We have to reach back to iptables and create another rich rule; however, we are using the accept statement at the end to allow the IP access, rather than reject its access.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
Removing a Rich Rule

To remove a rich rule, use the option —remove-rich-rule, but you have to fully specify which rule is being removed, so it is best to copy and paste the full rule, rather than try to type it all out from memory.

firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

Saving Firewall Rules

After you have completed all the additions and subtraction of rules, you need to reload the firewall rules to make them active. To do this, you again use the firewall-cmd tool but using the option –reload.

firewall-cmd --reload

Viewing Firewall Rules

After reloading the rules, you can confirm if the new rules are in place correctly with the following.

firewall-cmd --list-all

Here is an example output from the –list-all option, you can see that this server has a number of ports, and services open in the firewall along with a rich rule (that forwards one port to another).

[root@alma ~]# firewall-cmd --list-all
public (default, active)
interfaces: enp1s0
sources: 192.168.1.0/24
services: dhcpv6-client dns http https mysql nfs samba smtp ssh
ports: 443/tcp 80/tcp 5900-5902/tcp 83/tcp 444/tcp 3260/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" forward-port port="5423" protocol="tcp" to-port="80"

Hopefully this will help a lot of you that end up just not using a firewall at all because it intimidates you not knowing how to use it correctly. Well, I’ve just eliminated that excuse, so now I want to see more of you securing your servers and dialer systems. Here is a few articles to get you started in the right direction.

That’s it for this article, hopefully you guys take this serious because hackers, especially ransomware thieves are targeting dialer servers in particular for their schemes, such as using the VoIP to call their victims to either trick them into downloading files or threatening them over the phone with blackmail or other means. BazarCall is one of the more well known tools thats being used by the ransomware group called Ryuk.

Scroll to Top