The PBX has an integrated firewall which helps you limit access to the platform. We strongly advise using this function, as it improves the security of the platform and prevents fraudulent actions by unwanted parties.
Do not use ‘Allow All’ (0.0.0.0/0) for all services in a production environment: this allows all traffic to reach the server and essentially disables the firewall.
To add a new firewall rule, complete all fields as follows:
Choose ‘allow’ to give the IP subnet access, or keep the default ‘disallow’ option to block it.
The ‘IP Address’ field holds the IP address or range in CIDR notation. For example, to allow an IP subnet: 184.108.40.206/24
Specify the service of the connection to be allowed. It is always recommended to be as specific as possible.
Specify the port that will be permitted / blocked. Leave it as ANY for all ports.
You can specify the protocol that will be permitted / blocked. Leave it as ANY for all protocols.
Add descriptive comments for your own administration.
Use the ‘apply firewall’ button to write the table. To keep it permanently you need to both apply the change and save the changes.
The subnet mask can be found using the following overview:
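The following is an added example, not part of the Axeos documentation or the PBX's own code. It models a rule table with the fields described above (action, IP address or range, service, port, protocol, comment), evaluates an incoming connection against it with first-match semantics and a default deny, derives the dotted-decimal subnet mask for a given prefix length, and flags the ‘Allow All’ 0.0.0.0/0 pattern the text warns against. The service names and the 198.51.100.x / 203.0.113.x addresses are constructed sample values; the 184.108.40.206/24 range is the one used in the text.

```python
"""Added example (not Axeos's own code): evaluate a PBX-style firewall rule
table and derive subnet masks from prefix lengths."""
import ipaddress
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "disallow"
    network: str          # IP address or range in CIDR notation
    service: str = ANY    # hypothetical service names, e.g. "SIP", "HTTPS"
    port: object = ANY    # integer port or ANY
    protocol: str = ANY   # "UDP", "TCP" or ANY
    comment: str = ""     # free text for your own administration

    def net(self):
        # strict=False so a host address with a prefix (…206/24) is accepted
        # and normalised to its network (184.108.40.0/24)
        return ipaddress.ip_network(self.network, strict=False)


def rule_matches(rule, src_ip, service, port, protocol):
    """True if every field of the rule matches the connection attempt."""
    if ipaddress.ip_address(src_ip) not in rule.net():
        return False
    if rule.service != ANY and rule.service != service:
        return False
    if rule.port != ANY and rule.port != port:
        return False
    if rule.protocol != ANY and rule.protocol != protocol:
        return False
    return True


def evaluate(rules, src_ip, service, port, protocol):
    """First matching rule wins; nothing matching means disallow."""
    for rule in rules:
        if rule_matches(rule, src_ip, service, port, protocol):
            return rule.action
    return "disallow"


def subnet_mask(prefix_len):
    """Dotted-decimal mask for a /N prefix, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def mask_overview():
    """Prefix length -> subnet mask, for /8 through /32."""
    return {n: subnet_mask(n) for n in range(8, 33)}


def is_allow_all(rule):
    """The pattern the text warns against: allow 0.0.0.0/0 with ANY everywhere."""
    return (rule.action == "allow" and rule.net().prefixlen == 0
            and rule.service == ANY and rule.port == ANY
            and rule.protocol == ANY)


# Constructed sample table: specific allows first, explicit default deny last.
RULES = [
    Rule("allow", "184.108.40.206/24", "SIP", 5060, "UDP", "office phones"),
    Rule("allow", "198.51.100.10/32", "HTTPS", 443, "TCP", "admin workstation"),
    Rule("disallow", "0.0.0.0/0", comment="explicit default deny"),
]

if __name__ == "__main__":
    for prefix, mask in mask_overview().items():
        print(f"/{prefix:<3} {mask}")
    print(evaluate(RULES, "184.108.40.77", "SIP", 5060, "UDP"))     # allow
    print(evaluate(RULES, "184.108.40.77", "HTTPS", 443, "TCP"))    # disallow
    print(evaluate(RULES, "203.0.113.5", "SIP", 5060, "UDP"))       # disallow
```

Keeping the allow rules narrow (a single service, port and protocol per subnet) is what "as specific as possible" means in practice: the office subnet above can register phones but cannot reach the web interface, and only one workstation can.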
New vs established connections explained
There are three things to keep in mind when using the PBX firewall:
The firewall affects only new connections.
Phones that are already registered will still be able to communicate (SIP level, no media) with the PBX after being blocked by the firewall rules.
Even if a phone is not registered, it will be able to communicate with the PBX for some time after being blocked by the firewall rules; this can be stopped by a PBX reboot.
The Axeos PBX firewall is stateful: instead of checking each and every network packet against the firewall rules, it only checks the first packet of any connection/flow and accepts any packets belonging to connections which are already established.
SIP runs over UDP by default, and UDP is connection-less, so a firewall flow is not an individual connection (as with TCP) but any traffic between two address-port pairs. SIP phones usually connect from their port 5060 to the PBX on port 5060. After the first two packets are exchanged the flow is established and will only expire after a long timeout.
The PBX remembers registered phones across a reboot (so they are reachable immediately after the reboot) and periodically sends ‘qualify’ (keep-alive) packets to the phones. As the PBX initiated the communication, this is always accepted and starts an established flow.
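The three points above are easiest to see in a small model. The following is an added example, not the PBX's own firewall code: a toy stateful firewall that checks only the first packet of a flow against the rules, keys flows by the two address-port pairs (so UDP SIP traffic is tracked like a TCP connection), expires idle flows after a timeout, and forgets every flow on reboot. The scenario function walks through a phone registering, its subnet being removed from the rules, the flow timing out, and a PBX-initiated qualify re-opening a flow after reboot. All addresses and the 180-second timeout are constructed sample values.

```python
"""Added example (not Axeos's own code): a model of first-packet-only rule
checking, flow expiry and reboot behaviour."""
import ipaddress


class StatefulFirewall:
    def __init__(self, allowed_networks, flow_timeout=180):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.flows = {}              # flow key -> time the flow was last seen
        self.timeout = flow_timeout  # constructed value; idle flows expire after it

    @staticmethod
    def _key(src, sport, dst, dport):
        # Direction-independent key: both endpoints' address:port pairs,
        # like a connection-tracking entry. Works for UDP and TCP alike.
        return frozenset({(src, sport), (dst, dport)})

    def _rules_allow(self, src):
        return any(ipaddress.ip_address(src) in n for n in self.allowed)

    def packet(self, src, sport, dst, dport, now, from_pbx=False):
        """Return True if the packet is accepted. `now` is in seconds."""
        key = self._key(src, sport, dst, dport)
        last = self.flows.get(key)
        if last is not None and now - last < self.timeout:
            self.flows[key] = now   # established flow: accepted, rules not consulted
            return True
        # New flow: PBX-originated traffic (e.g. qualify) always passes;
        # inbound traffic is checked against the rule table.
        if from_pbx or self._rules_allow(src):
            self.flows[key] = now
            return True
        return False

    def set_allowed(self, networks):
        """Replace the rule table. Existing flows are not affected."""
        self.allowed = [ipaddress.ip_network(n) for n in networks]

    def reboot(self):
        """A reboot clears the flow table; the rule table is kept."""
        self.flows.clear()


def scenario():
    """Walk through the behaviour described in the text; returns accept/deny per step."""
    fw = StatefulFirewall(["184.108.40.0/24"], flow_timeout=180)
    pbx = "198.51.100.1"            # constructed PBX address
    registered = "184.108.40.20"    # phone the PBX remembers and qualifies
    unregistered = "184.108.40.21"  # phone that has not registered
    seen = {}
    # 1. Registration: the first packet is checked against the rules and allowed,
    #    the PBX reply completes the flow.
    seen["register"] = fw.packet(registered, 5060, pbx, 5060, now=0)
    seen["reply"] = fw.packet(pbx, 5060, registered, 5060, now=1, from_pbx=True)
    seen["unregistered_sip"] = fw.packet(unregistered, 5060, pbx, 5060, now=2)
    # 2. Administrator removes the subnet from the rule table.
    fw.set_allowed([])
    # 3. SIP keeps flowing on the established flows; a new media flow does not.
    seen["sip_after_block"] = fw.packet(registered, 5060, pbx, 5060, now=30)
    seen["rtp_after_block"] = fw.packet(registered, 10000, pbx, 10000, now=31)
    # 4. Once a flow has been idle past the timeout, the next packet is a new
    #    flow and is checked against the (now empty) rules.
    seen["after_timeout"] = fw.packet(registered, 5060, pbx, 5060, now=30 + 181)
    # 5. Reboot clears every flow. The PBX still remembers the registered phone
    #    and sends it a qualify, which opens a fresh established flow; the
    #    unregistered phone gets no qualify and stays blocked.
    fw.reboot()
    seen["qualify_after_reboot"] = fw.packet(pbx, 5060, registered, 5060, now=300, from_pbx=True)
    seen["registered_after_reboot"] = fw.packet(registered, 5060, pbx, 5060, now=301)
    seen["unregistered_after_reboot"] = fw.packet(unregistered, 5060, pbx, 5060, now=302)
    return seen


if __name__ == "__main__":
    for step, accepted in scenario().items():
        print(f"{step:<28} {'accepted' if accepted else 'dropped'}")
```

The practical consequence for an administrator: after tightening a rule, check whether the traffic you intended to stop is on an already established flow, and reboot the PBX if it must stop immediately; for a phone the PBX still holds as registered, expect its qualify to re-open the flow after the reboot.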