Managing your dialer's firewall from the portal
The firewall portal lets you decide which IP addresses can reach your dialer's SIP and web ports. You manage the allowlist from a branded page in the dashboard, with no SSH session required.
Why an allowlist matters
A dialer exposed to the whole internet gets scanned constantly. Bots probe for open SIP (Session Initiation Protocol) ports and try to register so they can place fraudulent calls on your dime. The simplest defense is to only accept traffic from addresses you trust — your office, your agents' home IPs, and your carrier.
Locking down by IP pairs well with IP authentication from your carrier. When the dialer only listens to known addresses, the noise of failed registration attempts drops sharply and your logs become readable again.
How the portal works
You add an IP or a CIDR range, give it a label, and save. The change is applied to the firewall on your box, so the rules live on the same server as your dialer. You can edit or remove an entry at any time, which is handy when an agent's home connection changes.
- Open the firewall portal in your dashboard.
- Add the IP or range you want to allow, with a label so you remember what it is.
- Save — the rule applies to your box's firewall right away.
Because the rules live on your own dedicated VPS, there is no shared appliance to coordinate with and no support ticket to file. You own the box, so you own the allowlist. The portal just gives you a friendly way to edit it without logging in over SSH and hand-editing firewall rules, which is where most lockout accidents come from.
What to allow
A practical allowlist usually covers a handful of sources. Start with your office and any static agent IPs, then add your carrier so signaling can flow both ways. If your agents work from home on changing connections, a softphone using SIP over TLS plus a tight allowlist keeps things both reachable and locked down.
- Your office and any fixed admin IPs.
- Your carrier's signaling and media addresses.
- Static agent or VPN exit IPs where you have them.
Keeping the list short is the point. Every address you remove from the open internet is one fewer door for a scanner to rattle, and your Asterisk logs get quieter as a result.
What happens to an inbound packet
Every inbound connection is checked against your allowlist before it reaches VICIdial. If the source IP is on the list, it passes through to the SIP or web service. If it is not, the firewall drops it before Asterisk ever sees it.
flowchart TD
A[Inbound packet] --> B{Source IP on allowlist?}
B -->|Yes| C{Port allowed?}
C -->|Yes| D[Reach SIP/web]
C -->|No| E[Dropped]
B -->|No| E
D --> F[VICIdial handles request]
Because the portal is branded, you can also reach it at firewall.<your-domain> as a custom hostname. Your team sees your name, not ours, when they manage the rules.
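The decision flow above, written out as an added example (not VICIfast's code): it validates allowlist entries the way an operator might before saving them, then applies the flowchart's two checks to a packet. The port set, the /24 width limit and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import ipaddress

# Constructed sample allowlist: (IP or CIDR, label). Addresses are RFC 5737
# documentation ranges, not real offices or carriers.
ALLOWLIST = [
    ("203.0.113.10", "office"),
    ("198.51.100.0/28", "carrier signaling"),
    ("192.0.2.44/32", "agent VPN exit"),
]
# Assumed service ports: SIP 5060, SIP over TLS 5061, HTTPS 443.
ALLOWED_PORTS = {5060, 5061, 443}
MIN_PREFIX_V4 = 24  # assumed policy: reject IPv4 ranges wider than a /24


def parse_entry(value, label):
    """Validate one entry; return (network, label) or raise ValueError."""
    if not label.strip():
        raise ValueError(f"{value}: label is required")
    # strict=True rejects ranges with host bits set, e.g. 198.51.100.5/28
    net = ipaddress.ip_network(value, strict=True)
    if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
        raise ValueError(f"{value}: range too broad for an allowlist")
    return net, label.strip()


def decide(src_ip, dst_port, entries):
    """Mirror the flowchart: source on allowlist first, then port allowed."""
    src = ipaddress.ip_address(src_ip)
    for net, label in entries:
        if src.version == net.version and src in net:
            if dst_port in ALLOWED_PORTS:
                return ("accept", label)
            return ("drop", "port not allowed")
    return ("drop", "source not on allowlist")


ENTRIES = [parse_entry(v, l) for v, l in ALLOWLIST]

if __name__ == "__main__":
    # Constructed sample packets: (source IP, destination port).
    for src, port in [("203.0.113.10", 5061), ("198.51.100.7", 22),
                      ("203.0.113.99", 5060)]:
        print(src, port, decide(src, port, ENTRIES))
```

Rejecting an entry such as 0.0.0.0/0 at validation time matters because a single over-broad range silently turns the allowlist back into an open port.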
Where VICIfast fits
The firewall portal is one layer of the hardening we ship on every box — see security hardening for the rest, and what VICIfast adds to VICIdial for the bigger picture. To run a dialer that is locked down from the first minute, see our pricing.
About VICIfast LLC
VICIfast LLC operates a managed VICIdial hosting + BYOI service for outbound and inbound call centers. We run the dialers, the carriers, the recordings pipeline, and the compliance plumbing so operators don’t have to.
Citing this article
VICIfast Engineering. “Managing your dialer's firewall from the portal”. VICIfast LLC, June 29, 2026. Retrieved from https://vicifast.com/blog/vicifast-firewall-portal