To enable the Firewall module on your FreePBX Install, browse to Connectivity, Firewall and simply click the 'Enable Firewall' button.
This will take you to the 'Main' page, 'Settings' tab:
The first thing you should notice is that the server is warning you that the machine you're currently using the firewall service from is not a member of the trusted zone. Additionally, the server tells you what IP address you're coming from, so you can be sure that nothing's intercepting your traffic. You should, at this point, click on the 'You can add the host automatically here' link, which will take you to the 'Advanced' page, 'Preconfigured' tab, and click on the 'Add Network' or 'Add Host' button. Note, it is strongly discouraged to only use 'Add Host' if you're using IPv6, as your PCs Host IP address may change without warning (this is expected, and is part of the IPv6 Security Extensions)
After you have added the Network (or host, or both) the button will change to 'Added'
You can now browse the Firewall pages and the warning will be gone, and the network (or host) will have been added to the Trusted zone, which you can verify by browsing to the 'Main' page, 'Networks' tab. You should also add any other known networks here, and assign them to the 'Internal' or 'Local' zone as appropriate, both of which have reasonable defaults for trusted networks.
Now you can go to the 'Main' page, 'Interfaces' tab, and change the default zone of your interface(s) from 'Trusted' (which is the default for all new interfaces discovered) to the correct zone, which is usually 'Internet'. Select the appropriate zone from the drop down menu then click 'Update Interfaces' to save and immediately apply your changes. (Please be aware that the defaults for 'External' does not allow SIP connections, ensure that you have added your known networks above).
Leaving any interface as a member of the Trusted zone is a misconfiguration, and FreePBX Dashboard will alert this as a critical system error.
Note that you do not have to add configuration for trunks, as they are automatically configured and require no additional setup.
If you have roaming clients, you can now enable the Responsive Firewall, and you can alter the permissions granted to zones in the Services page.