Firewall Configuration

Default Ports

By default, your HylaFAX servers are listening to the following ports:

TCP 22             SSH access
TCP 25             Email to FAX submission
TCP 80             Web interface
TCP 4559           Fax job submission (see below) and fax status
TCP 27000 & 27059  HylaFSP Site License server
UDP 5060           SIP traffic
UDP 56000-57000    RTP/UDPTL media

HylaFAX uses an FTP-style protocol on port 4559. HylaFSP uses PASV (passive) transfers when transferring data to the HylaFAX server, so the data travels over a separate connection from the control connection on port 4559. As such, simply port-forwarding or tunneling port 4559 will not be sufficient. If you are not using normal IP connectivity between HylaFSP and HylaFAX, your firewall, border device, or tunneler has to do FTP fixups (or connection tracking/NAT) on the port it's forwarding. If you have a Cisco PIX firewall, you need FTP fixups on port 4559.
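
What an FTP fixup does with a passive-mode reply, as an added example (not HylaFAX, HylaFSP or firewall vendor code). It assumes the server answers PASV in the RFC 959 form "227 ... (h1,h2,h3,h4,p1,p2)"; the addresses and the sample reply are constructed, and this sketch keeps the announced port unchanged.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The data port is split into a high and a low byte.
    return ip, nums[4] * 256 + nums[5]


def fixup(reply, external_ip):
    """Mimic an FTP fixup on one control-channel line.

    Returns (rewritten_reply, pinhole). pinhole is the (ip, port) data
    connection the firewall must also allow for this transfer, or None
    when the line is not a 227 reply (it then passes through unchanged).
    """
    endpoint = parse_pasv(reply)
    if endpoint is None:
        return reply, None
    _, port = endpoint
    ext = ipaddress.IPv4Address(external_ip)
    fields = str(ext).split(".") + [str(port // 256), str(port % 256)]
    return "227 Entering Passive Mode (%s)" % ",".join(fields), (ext, port)


if __name__ == "__main__":
    # Constructed sample: a server behind NAT announces its private address.
    sample = "227 Entering Passive Mode (10,0,0,5,195,80)"
    ip, port = parse_pasv(sample)
    print("server announced %s:%d (private=%s)" % (ip, port, ip.is_private))
    print(fixup(sample, "203.0.113.7"))
```

Without the rewrite, the client would try to open its data connection to 10.0.0.5, which is unreachable from outside the NAT, and without the pinhole the data port would be blocked even though 4559 is forwarded.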

Allow HTTPS

If you have installed an SSL certificate, you must open the firewall for HTTPS using the following commands:

firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload

Allow SIP only from certain addresses

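Restricting SIP to known source addresses helps keep your server from accepting SIP connections from anywhere else. Remove the general SIP service and port openings, then add one rich rule for each address that is allowed to send SIP traffic: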

firewall-cmd --zone=public --permanent --remove-service=sip
firewall-cmd --zone=public --permanent --remove-port=5060/udp
firewall-cmd --zone=public --permanent --remove-port=5080/udp

# 192.0.2.10 and 198.51.100.20 are placeholder addresses; replace them
# with the addresses that are allowed to send SIP traffic to this server.
firewall-cmd --zone=public --permanent --add-rich-rule='
  rule family="ipv4"
  source address="192.0.2.10/32"
  port protocol="udp" port="5060" accept'

firewall-cmd --zone=public --permanent --add-rich-rule='
  rule family="ipv4"
  source address="198.51.100.20/32"
  port protocol="udp" port="5060" accept'

firewall-cmd --reload