Configure the Firewall

The System Firewall module is UnifiedBX's wrapper around iptables — zone-based access control for SIP, web admin, AMI, SSH, etc. Keep it ON. The default config blocks public access to admin services and rate-limits SIP attempts.

Don't lock yourself out

Before editing zones, ensure your management IP is in Trusted zone. If you misconfigure and lose access, recovery requires console / SSH access.

Steps

Initial setup wizard

On first use:

  1. Go to System Admin → Firewall.
  2. The wizard prompts you through:
    • Trusted hosts — your office IP, your home IP, the IP of any management box. These have full access.
    • Local subnet — your LAN range, typically 10.0.0.0/24 or similar. Treated as Local zone.
    • Responsive Firewall — ON (recommended) — auto-allows SIP from registered endpoints, blocks others. Critical for fail2ban-style protection.
  3. Click Save, then Apply Config.

Add a Trusted IP

  1. Firewall → Networks tab.
  2. + Add → enter IP/CIDR (e.g. 203.0.113.45/32 for a single IP, 203.0.113.0/24 for an office subnet).
  3. Pick Trusted zone.
  4. Save → Apply Config.

Service per-zone access

Firewall → Services tab. Each service (Web Admin, AMI, SIP, RTP, SSH) lists which zones can reach it:

  • Trusted — your safe IPs.
  • Internal — registered SIP endpoints (Responsive Firewall).
  • Other — public internet.
  • Reject — denied entirely.

Common config:

  • Web Admin (UCP & Admin GUI): Trusted only. Never expose admin GUI to the public internet.
  • AMI: Trusted only.
  • SIP: Trusted + Internal. NOT Other (Responsive Firewall handles registered users from anywhere, so opening SIP to the public zone is unnecessary and invites brute force).
  • RTP: follows the SIP zone settings automatically.
  • SSH: Trusted only.

Verify

# From a public network (not from a Trusted IP), try to reach the admin GUI:
curl -I --max-time 5 https://<unifiedbx-fqdn>/
# Expected: the request times out (rules that DROP) or is refused (rules that REJECT).
# A 200 or a redirect to the login page means Web Admin is reachable from that zone.

# Inspect the raw rules the module generated:
iptables -L -n -v
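Reading the raw ruleset by eye is error-prone, so the script below is an added audit helper (not UnifiedBX code) that scans iptables rules in `iptables -S` format and flags ACCEPT rules for the admin services (443 Web Admin, 5038 AMI, 22 SSH) that carry no `-s` source restriction, i.e. that are reachable from the Other zone. The rule text is a constructed sample; on a live box you would feed it `iptables -S INPUT` instead. The chain name and service ports are assumptions taken from the zone table above.

```bash
#!/usr/bin/env bash
# Added example, not part of UnifiedBX. Audits iptables rules for admin services
# that are accepted from any source. Run with: ./audit.sh (uses the sample) or
# pipe real rules: audit_admin_exposure "$(iptables -S INPUT)".

# Constructed sample of `iptables -S INPUT` output (not captured from a real system).
# Line 4 (AMI) and line 6 (SSH) are the intentional misconfigurations.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -s 203.0.113.45/32 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -m limit --limit 10/s -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Print "<port> <proto>" for every ACCEPT rule that names a --dport but has no
# -s source match (world-reachable). Usage: exposed_ports "$RULES"
exposed_ports() {
  printf '%s\n' "$1" | awk '
    /-j ACCEPT/ && /--dport/ && !/-s / {
      port = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-p")      proto = $(i + 1)
      }
      print port, proto
    }'
}

# Return 0 if no admin port is world-reachable, 1 otherwise; prints each finding.
# Admin ports are assumed: 443 Web Admin/UCP, 5038 AMI, 22 SSH.
audit_admin_exposure() {
  local bad=0 port proto
  while read -r port proto; do
    case "$port" in
      443|5038|22) echo "EXPOSED: $proto/$port accepts from any source"; bad=1 ;;
    esac
  done <<EOF
$(exposed_ports "$1")
EOF
  return "$bad"
}

# Stand-alone run against the constructed sample.
audit_admin_exposure "$SAMPLE_RULES" || echo "Move the flagged services to Trusted only and Apply Config."
```

The SIP rule on udp/5060 is deliberately not flagged: it is world-reachable but rate-limited, which is what Responsive Firewall is expected to produce. If the script flags nothing yet `curl` from outside still reaches the GUI, suspect a NAT or port-forward in front of the PBX rather than the module itself.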

Common Issues

  • Locked out of admin GUI. Your IP isn't in Trusted, or your IP changed (common on home connections). SSH in (if SSH is allowed from your current IP) and run: fwconsole firewall trust <ip>. Otherwise use console access.
  • SIP phones from new home networks fail. Responsive Firewall has not yet seen a successful registration from that network. Check that Responsive Firewall is ON and the phone's credentials are correct so its first registration succeeds; as a fallback, add the network to Trusted.
  • Brute force still happens. Even with the firewall on, the rate limit allows some attempts through. Cross-reference with Reports → Weak Passwords: fraud succeeds against weak credentials, not firewall holes.
  • Calls dropping or one-way audio. The RTP UDP range (10000-20000 by default) is blocked or not forwarded by an upstream firewall or NAT. Check that the range is forwarded to the PBX.
  • Firewall keeps disabling itself. Either a misconfigured custom rule or a bug in the module. Check /var/log/asterisk/firewall.log.
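Two of the steps above, entering an IP/CIDR on the Networks tab and re-trusting your own IP after a lockout, are where typos bite: a malformed entry is rejected at best and trusts the wrong range at worst. The script below is an added helper (not UnifiedBX code) that validates an IPv4 address or CIDR before it is used, recovers the client IP of the current SSH session from the `SSH_CLIENT` variable that OpenSSH sets, and builds the `fwconsole firewall trust` command from the page. It only prints the command; the IPv4-only scope and the `SSH_CLIENT` format ("client-ip client-port server-port") are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of UnifiedBX. Validates IP/CIDR input for the Trusted
# zone and prints the trust command for the IP you are currently SSHing from.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-/32 prefix.
# Rejects out-of-range octets, bad prefixes and leading zeros (e.g. 010.0.0.1),
# which some parsers read as octal.
valid_ipv4_cidr() {
  local addr="${1%/*}" prefix="${1#*/}" octet
  [ "$prefix" = "$1" ] && prefix=32          # no slash: a single host
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  local IFS=.
  set -- $addr                                # split on dots into $1..$4
  [ $# -eq 4 ] || return 1
  for octet; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
    [ "$octet" = "0" ] || [ "${octet#0}" = "$octet" ] || return 1
  done
  return 0
}

# Print the client IP of the SSH session: first field of SSH_CLIENT (or of the
# argument, for testing). Fails when not running under SSH. Assumes IPv4.
ssh_client_ip() {
  local client="${1:-${SSH_CLIENT:-}}"
  [ -n "$client" ] || return 1
  printf '%s\n' "${client%% *}"
}

# Print the fwconsole command for a validated address; refuse malformed input
# such as 203.0.113.45/33 instead of passing it on.
trust_command() {
  valid_ipv4_cidr "$1" || { echo "invalid IP/CIDR: $1" >&2; return 1; }
  printf 'fwconsole firewall trust %s\n' "$1"
}

# Stand-alone use when locked out: print the command that re-trusts the IP you
# are connected from. Review it, then run it (or pipe to sh).
if ip=$(ssh_client_ip); then trust_command "$ip"; fi
```

Use a /32 for a single management host and a /24 only for a subnet you actually control; `valid_ipv4_cidr` cannot tell a deliberate /8 from a typo, so read the printed command before running it.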