# Firewall

The **Firewall** section in MikoPBX is the interface for configuring the system's packet filter. Here administrators create and manage traffic filtering rules that control which networks may reach which MikoPBX services, protecting the PBX from unauthorized access and network attacks. A correctly configured firewall is a basic part of securing the telephone system: it limits the attack surface to the services each subnet actually needs and helps keep the PBX running reliably in the organization's network.

In MikoPBX, all local subnets can be described in the "**Network and Firewall**" → "**Firewall**" section. The firewall restricts access to the PBX by traffic type (service) and by source subnet: each rule names a subnet and the set of services hosts in that subnet are allowed to reach.

<figure><img src="/files/sBcAd4S09fMUJevwBrRJ" alt=""><figcaption><p>Section "Network and Firewall" -> "Firewall" in MikoPBX</p></figcaption></figure>

To add a new rule, you need to click on the button:

<figure><img src="/files/XvlYU9IEan9GNuTz5yEl" alt=""><figcaption><p>Button for creating a new rule</p></figcaption></figure>

## General settings

You can give the rule any custom name. To the right of the subnet address there is a field for the subnet mask in CIDR notation, i.e. the prefix length (for example `24` for 255.255.255.0, or `32` for a single host).

<figure><img src="/files/YxIqwLo7yBNhQzYyDxuc" alt=""><figcaption><p>Rule parameters</p></figcaption></figure>

## Available services

* **SIP\&RTP** - registration of phones and voice traffic. Session Initiation Protocol (SIP) is the signalling used to register VoIP phones and set up calls; RTP carries the voice media of those calls.
* **WEB** - access to the administrative web interface for configuring the PBX.
* **SSH** (Secure Shell) - console access to the MikoPBX system (root access).
* **AMI** - access to the Asterisk Manager Interface over a plain TCP connection (it can be reached with a telnet-style client). AMI gives control of Asterisk over TCP/IP.
* **AJAM** - access to the Asterisk Manager API via HTTP or HTTPS.
* **ICMP** - reachability check using the `ping` command.
* **CTICLIENT** - connection of the telephony panel 2 for 1C.

<figure><img src="/files/oflbM1M6YcQxn7mdhLmB" alt=""><figcaption><p>"Available service" section</p></figcaption></figure>

## Advanced Options

* Each subnet has the flag 'Is it a VPN or a local network'. When it is set, MikoPBX treats the subnet as local for NAT purposes and presents its local IP address to hosts in that subnet instead of the external (public) address it presents to everyone else.
* The flag 'Never block addresses from this network' should be enabled only for trusted subnets. If it is enabled, intrusion prevention rules do not apply to this subnet, so addresses in it are never banned even after repeated failed logins.

<figure><img src="/files/vD0NQ9ZT5KxvwtiGCOcI" alt=""><figcaption><p>"Advanced options" section</p></figcaption></figure>

## Behaviour in Docker containers

In Docker bridge mode the MikoPBX built-in firewall and fail2ban **do not protect the web interface**: the container cannot manage the host's iptables, and every HTTP client appears to arrive from the `docker0` gateway address, so the real client IP is not visible and a ban by source address would hit the gateway (every client at once) rather than the attacker. SIP protection continues to work because UDP DNAT preserves the source IP.

To protect the web interface in Docker, choose one of:

* `network_mode: host` for the container (when the host is dedicated to the PBX);
* An external CrowdSec-compatible bouncer in front of the MikoPBX API — see [External firewall for Docker](/mikopbx/english/setup/docker/external-firewall-enforcement.md).
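The following added example (not MikoPBX code) shows the failure mode above on constructed web access log lines in nginx combined format: a small fail2ban-style counter of failed logins per source address produces a useful ban list when the real client IPs are visible (host networking), but in bridge mode every line carries the `docker0` gateway address, so the only "attacker" it can find is the gateway, i.e. every web client including the administrator. The `/login` path, the `172.17.0.1` gateway (Docker's default bridge gateway), the IP addresses and the log lines are constructed for the example.

```python
import re
from collections import Counter

# nginx "combined" log format: client IP, identity, user, [time], "request", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Hypothetical login endpoint; adjust to the real path of the interface you protect.
LOGIN_PATH = "/login"
# Default gateway of Docker's default bridge network (assumption for this example).
DOCKER0_GATEWAY = "172.17.0.1"


def _line(ip, status):
    return f'{ip} - - [10/Oct/2024:13:55:36 +0000] "POST {LOGIN_PATH} HTTP/1.1" {status} 12 "-" "curl/8.0"'


# Constructed sample: three failed logins from an attacker, one typo by the admin, one success.
# With network_mode: host the real client addresses are visible.
HOST_MODE_LOG = [
    _line("198.51.100.7", 401), _line("198.51.100.7", 401), _line("198.51.100.7", 401),
    _line("192.168.1.10", 401), _line("192.168.1.10", 200),
]
# Same traffic in bridge mode: every client is NATed to the docker0 gateway.
BRIDGE_MODE_LOG = [_line(DOCKER0_GATEWAY, s) for s in (401, 401, 401, 401, 200)]


def failed_logins_by_ip(lines):
    """Count failed (401/403) login attempts per client address."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"] in ("401", "403") and m["req"].split()[1] == LOGIN_PATH:
            counts[m["ip"]] += 1
    return counts


def ban_candidates(lines, threshold=3):
    """Addresses a fail2ban-style jail would ban: at least `threshold` failures."""
    return {ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold}


def source_ip_collapsed(lines, gateway=DOCKER0_GATEWAY):
    """True when every request appears to come from the bridge gateway.
    Banning by source address is then useless: the ban would hit the gateway,
    blocking all web clients (admin included) instead of the attacker."""
    ips = {m["ip"] for m in map(LOG_RE.match, lines) if m}
    return bool(ips) and ips == {gateway}


if __name__ == "__main__":
    print("host mode bans:", ban_candidates(HOST_MODE_LOG))       # the attacker only
    print("bridge mode bans:", ban_candidates(BRIDGE_MODE_LOG))   # the gateway = everyone
    print("bridge mode source IP lost:", source_ip_collapsed(BRIDGE_MODE_LOG))
```

Run `source_ip_collapsed` over the web server's access log of a containerised MikoPBX: if it returns `True`, the container is in bridge mode and the built-in protection of the web interface is not in effect, which is exactly the situation the two options above address.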

