FreePBX Firewall is a tightly integrated, low level firewall, that removes the complexity of configuring a firewall on your VoIP server.

This project was started due to the lack of a common, comprehensive, firewall, in the VoIP server community.  Various attempts had been made previously, but they all suffered from a lack of understanding of the challenges involved, or a lack of flexibility which caused most users to disable IPtables on the PBX.  

FreePBX Firewall was designed and written by security professionals, with a thorough understanding of the issues and limitations of trying to secure a VoIP service but still leave it open enough to keep users from disabling the Firewall. 

Its aim is to provide a simple way to secure the 'average' VoIP server installation, the 95%.  In more complex setups, it is always wise to discuss your security requirements with someone with experience in this arena.

Firewall is under active development, and community engagement is strongly encouraged!  Please read and comment on the forum thread, with feature requests, or questions!



Firewall is only compatible with FreePBX 13 and higher.

Operating System Requirements

Firewall requires a Linux machine, and requires iptables 1.4.7 or higher, and the ipt_recent, or xt_recent kernel modules (if you wish to enable the Responsive Firewall component).

Package Requirements


This is a RPM package that allows secure privilege escalation in limited circumstances. Firewall requires this to alter the system iptables rules.  This RPM is installed on most modern RPM-based distros. Currently there is no method for privilege escalation without this package.  Support for non-rpm-based operating systems is on hold until this issue is resolved.


The Firewall module is a 100% Free Open Source Module, licenced under the AGPL v3.  The code is hosted on with a mirror on GitHub for your convenience.  Pull requests are welcome!

Getting Started

When you enable the module, no firewall rules are enabled. Please read the Getting Started Guide for more information on how to do a simple setup.




All network connections coming in to your VoIP server are deemed to be part of a zone.  Every network interface has a default Zone, and data arriving at that interface is treated as belonging to that Zone, unless it is a known network, which overrides the default Zone.  Services are individually granted to each Zone.  The default zones are:

Network Overrides

You can define an endpoint in 'Networks' (which aren't just networks), which allows you to override traffic arriving at your machine.  This can be a single host (, a network definition (, a hostname (, or a DDNS client (  Each entry is then assigned to a zone, and traffic arriving from that endpoint is treated as being from that Zone.