Webmin/Shorewall Help / Setup Guide

I did resolve it. In Webmin under Networking, go to Linux Firewall. Go all the way down, select 'Yes' for activate on Boot, and click the Activate on Boot button. You can now restart your server or click Apply Configuration and it will work.

I'm not sure why I had to do this, but it solved my problem :-)

Good Luck!
-Michael

Do you have nat=yes set for your Cisco phones? XLite uses STUN to avoid NAT problems, so this may be why they are working and your Cisco phone aren't.

Thanks, good suggestion - I do not have NAT set -- BUT -- All Cisco phones either have true public IP addresses, or have private IPs on the same network as the Trixbox. So they are really not NATed. Same goes for the XLite softphones. However, the trixbox server is NATed in respect to the external phones.

Is the NAT setting referring to the phones or the server? I will try the setting regardless and post the results if it works.

FYI - I setup the exact same rule set in the 'Linux Firewall', turned off Shorewall, and it works perfectly!!! I am fine with using the Webmin's 'Linux Firewall' tool for future one NIC installs, works great -- but if the machine has more than one NIC, Shorewall is needed to alleviate complexity.

I decided to use my crappy guide making skills to write out how I set up Shorewall. If anyone has anything else to add, please do so, so we can make this as useful as possible. Hopefully it helps you guys out. **For some reason, my formatting doesn't get posted in here, so you're probably better off copying and pasting this into a word processor.
My Setup:
• 2 NICs - 1 Internal (private IP, eth0) and 1 External (public IP, eth1)
o NOTE: Make sure to make your eth0 INTERNAL and your eth1 EXTERNAL. When Linux is booting up, it will configure eth0 first, and eth1 second. Since eth1 was the second eth to be configured by the system, when Trixbox needs to access the internet, it will access it through eth1.

Configuring Shorewall using Webmin:
1. Go to the "Network Zones" section
a. Add new zone: Zone ID: loc (leave all other settings default/blank)
b. Add new zone: Zone ID: net (leave all other settings default/blank)
c. Return to list of tables
2. Go to "Network Interface"
a. Add New Network Interface
i. Interface: eth0, Zone Name: loc (leave all other settings untouched)
ii. Click on Create
b. Add New Network Interface
i. Interface: eth1, Zone Name: net
ii. Check off the following: Enable anti-spoofing route filtering, Reject packets on blacklist, Check for illegal TCP flags
iii. Click on Create
c. Return to list of tables
3. Go to Default Policies and create the 3 following rules
a. Rule 1:
i. Source Zone: Any
ii. Destination Zone: Any
iii. Policy: DROP
iv. Syslog level: Logging disabled
v. Traffic Limit: None
b. Rule 2:
i. Source Zone: loc
ii. Destination Zone: net
iii. Policy: ACCEPT
iv. Syslog Level: Logging Disabled
v. Traffic Limit: None
c. Rule 3:
i. Source Zone:
ii. Destination Zone: net
iii. Policy: ACCEPT
iv. Syslog Level: Logging Disabled
v. Traffic Limit: None
4. Go to Firewall Rules and create the following rules at your discretion
a. Allowing SIP traffic
i. Action: ACCEPT
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: UDP
v. Source Ports: Any
vi. Destination Ports: 5060:5082
vii. All fields that were omitted, leave as default
b. Accepting RTP traffic
i. Action: Accept
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: UDP
v. Source Ports: Any
vi. Destination Ports: 10000:20000
vii. All fields that were omitted, leave as default
c. Allowing access to Webmin from external internet
i. Action: ACCEPT
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: TCP
v. Source Ports: Any
vi. Destination Ports: 10000
vii. All fields that were omitted, leave as default
d. Accepting SSH
i. Action: ACCEPT
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: TCP
v. Source Ports: Any
vi. Destination Ports: 22
vii. All fields that were omitted, leave as default
e. Disallowing access to Trixbox web interface from external internet
i. Action: DROP
ii. Source Zone: net
iii. Destination zone or port:
iv. Protocol: TCP
v. Source Ports: Any
vi. Destination Ports: 80
vii. All fields that were omitted, leave as default
f. Accepting traffic from a specific IP Address (this is useful if you want to allow yourself to access to Trixbox web interface without allowing everyone access)
i. Action: ACCEPT
ii. Source Zone: net
1. Check off “Only hosts in zone with addresses” and put your IP address in the box. Multiple IP addresses can be entered by putting a space between each IP address. Entering an IP address in this field will allow complete access to the box from that specific IP address.
iii. Destination zone or port: Any
iv. All fields that were omitted, leave as default
5. Go to “When Stopped”
a. In my instance, I wanted the firewall to completely allow everything in the event the firewall is stopped. Furthermore, if you make a mistake in your configuration, and Shorewall shuts down, you will not want to be locked out of your box.
b. Add a new stopped address
i. Interface: eth1
ii. Accessible addresses: All addresses
iii. Route Options (Check off the following): Accept traffic back to host, Allow from host to any destination, Allow to host from any source, Always allow traffic between firewall
iv. Click Create
c. Add a new stopped address
i. Interface: eth0
ii. Accessible addresses: All addresses
iii. Route Options (Check off the following): Accept traffic back to host, Allow from host to any destination, Allow to host from any source, Always allow traffic between firewall
iv. Click Create
6. Go to Master Configuration file
a. Check to see if “STARTUP_ENABLED” is set to Yes. By default, it is set to No, so you must change it.
7. From the list of tables, click on Check Firewall to make sure your settings don’t have conflicts.
8. Click Apply Configuration when you’re ready to start up your firewall and cross your fingers everything works ok!

Other 'guides' I have seen on this forum suggest to modify rtp.conf so the server will operate on ports 10001 to 20000... in my experience this should be avoided because termination providers do not allow you to change the ports that they operate on - that is why I suggested.

You are correct, leaving it as is should not cause a problem.. thanks.

Zion800, thanks for the detailed list. Not too crappy! I just loaded up Shorewall 4.0.12 and only ran into one issue. The Default Policies does not pass the Check Firewall stage. Assuming that the policies are executed in order, it appears they should be reversed. Any-Any-DROP is going to match and stop everything! Even if reversed, the Check Firewall still complains, as loc-net-ACCEPT is already allowed by Any-net-ACCEPT. Is this version 4 being better, or did you mean for something else to be covered?