@bitcall/webrtc-sip-gateway 0.2.4 → 0.2.6

package/README.md

@@ -5,7 +5,7 @@ Linux-only CLI to install and operate the Bitcall WebRTC-to-SIP gateway.
 ## Install
 
 ```bash
-sudo npm i -g @bitcall/webrtc-sip-gateway@0.2.4
+sudo npm i -g @bitcall/webrtc-sip-gateway@0.2.6
 ```
 
 ## Main workflow
@@ -14,10 +14,13 @@ sudo npm i -g @bitcall/webrtc-sip-gateway@0.2.4
 sudo bitcall-gateway init
 sudo bitcall-gateway status
 sudo bitcall-gateway logs -f
+sudo bitcall-gateway media status
 ```
 
-Default media policy is IPv4-only candidates (`MEDIA_IPV6=0`). Set
-`MEDIA_IPV6=1` in `/opt/bitcall-gateway/.env` only if you want IPv6 candidates.
+Default media policy is IPv4-only via IPv6 media firewall drops on RTP/TURN
+ports only. Host IPv6 remains enabled for signaling and non-media traffic.
+Backend selection prefers nftables on non-UFW hosts and uses ip6tables when UFW
+is active.
 
 ## Commands
 
@@ -31,6 +34,9 @@ Default media policy is IPv4-only candidates (`MEDIA_IPV6=0`). Set
 - `sudo bitcall-gateway cert renew`
 - `sudo bitcall-gateway cert install --cert /path/cert.pem --key /path/key.pem`
 - `sudo bitcall-gateway update`
+- `sudo bitcall-gateway media status`
+- `sudo bitcall-gateway media ipv4-only on`
+- `sudo bitcall-gateway media ipv4-only off`
 - `sudo bitcall-gateway uninstall`
 
 ## Files created by init

package/lib/constants.js

@@ -14,7 +14,7 @@ module.exports = {
   SSL_DIR: path.join(GATEWAY_DIR, "ssl"),
   ENV_PATH: path.join(GATEWAY_DIR, ".env"),
   COMPOSE_PATH: path.join(GATEWAY_DIR, "docker-compose.yml"),
-  DEFAULT_GATEWAY_IMAGE: "ghcr.io/bitcallio/webrtc-sip-gateway:0.2.4",
+  DEFAULT_GATEWAY_IMAGE: "ghcr.io/bitcallio/webrtc-sip-gateway:0.2.6",
   DEFAULT_PROVIDER_HOST: "sip.example.com",
   DEFAULT_WEBPHONE_ORIGIN: "*",
   RENEW_HOOK_PATH: "/etc/letsencrypt/renewal-hooks/deploy/bitcall-gateway.sh",

package/lib/firewall.js

@@ -0,0 +1,357 @@
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+const { run, runShell, output, commandExists } = require("./shell");
+
+const MARKER = "bitcall-gateway media ipv6 block";
+const NFT_TABLE = "bitcall_gateway_media_ipv6";
+const NFT_RULE_FILE = "/etc/nftables.d/bitcall-gateway.nft";
+const NFT_MAIN_CONF = "/etc/nftables.conf";
+const NFT_INCLUDE_LINE = `include "${NFT_RULE_FILE}"`;
+
+function withDeps(deps = {}) {
+  return {
+    fs,
+    run,
+    runShell,
+    output,
+    commandExists,
+    ...deps,
+  };
+}
+
+function toInt(value, fallback) {
+  const parsed = Number.parseInt(String(value), 10);
+  return Number.isFinite(parsed) ? parsed : fallback;
+}
+
+function normalizeOptions(options = {}) {
+  const rtpMin = toInt(options.rtpMin, 10000);
+  const rtpMax = toInt(options.rtpMax, 20000);
+  const turnEnabled = Boolean(options.turnEnabled);
+  const turnUdpPort = toInt(options.turnUdpPort, 3478);
+  const turnsTcpPort = toInt(options.turnsTcpPort, 5349);
+  const turnRelayMin = toInt(options.turnRelayMin, 49152);
+  const turnRelayMax = toInt(options.turnRelayMax, 49252);
+
+  return {
+    rtpMin,
+    rtpMax,
+    turnEnabled,
+    turnUdpPort,
+    turnsTcpPort,
+    turnRelayMin,
+    turnRelayMax,
+  };
+}
+
+function detectFirewallBackend(deps = {}) {
+  const d = withDeps(deps);
+  let ufwActive = false;
+  if (d.commandExists("ufw")) {
+    const ufwStatus = d.run("ufw", ["status"], { check: false, stdio: "pipe" });
+    ufwActive = ufwStatus.status === 0 && ((ufwStatus.stdout || "").toLowerCase().includes("status: active"));
+  }
+
+  if (ufwActive && d.commandExists("ip6tables")) {
+    return "ip6tables";
+  }
+
+  if (d.commandExists("nft")) {
+    return "nft";
+  }
+  if (d.commandExists("ip6tables")) {
+    return "ip6tables";
+  }
+  throw new Error(
+    "No IPv6 firewall backend found. Install nftables or ip6tables/netfilter-persistent."
+  );
+}
+
+function buildIp6tablesRules(options = {}) {
+  const cfg = normalizeOptions(options);
+  const rules = [
+    { proto: "udp", dport: `${cfg.rtpMin}:${cfg.rtpMax}` },
+  ];
+
+  if (cfg.turnEnabled) {
+    rules.push({ proto: "udp", dport: String(cfg.turnUdpPort) });
+    rules.push({ proto: "tcp", dport: String(cfg.turnsTcpPort) });
+    rules.push({ proto: "udp", dport: `${cfg.turnRelayMin}:${cfg.turnRelayMax}` });
+  }
+
+  return rules;
+}
+
+function buildNftRuleset(options = {}) {
+  const rules = buildIp6tablesRules(options);
+  const lines = [
+    `table inet ${NFT_TABLE} {`,
+    "  chain input {",
+    "    type filter hook input priority 0; policy accept;",
+  ];
+
+  for (const rule of rules) {
+    lines.push(
+      `    meta nfproto ipv6 ${rule.proto} dport ${rule.dport} comment \"${MARKER}\" drop`
+    );
+  }
+
+  lines.push("  }");
+  lines.push("}");
+  lines.push("");
+
+  return lines.join("\n");
+}
+
+function persistIp6tables(d) {
+  if (!d.commandExists("netfilter-persistent")) {
+    d.run("apt-get", ["update"], { stdio: "inherit" });
+    d.run("apt-get", ["install", "-y", "netfilter-persistent", "iptables-persistent"], {
+      check: false,
+      stdio: "inherit",
+    });
+  }
+
+  if (!d.commandExists("netfilter-persistent")) {
+    throw new Error("Unable to persist ip6tables rules: netfilter-persistent not available.");
+  }
+
+  const saved = d.run("netfilter-persistent", ["save"], {
+    check: false,
+    stdio: "inherit",
+  });
+  if (saved.status !== 0) {
+    throw new Error("Failed to persist ip6tables rules with netfilter-persistent save.");
+  }
+}
+
+function ensureNftInclude(d) {
+  let content = "";
+  if (d.fs.existsSync(NFT_MAIN_CONF)) {
+    content = d.fs.readFileSync(NFT_MAIN_CONF, "utf8");
+  } else {
+    content = "#!/usr/sbin/nft -f\n\n";
+  }
+
+  if (!content.includes(NFT_INCLUDE_LINE)) {
+    const suffix = content.endsWith("\n") ? "" : "\n";
+    content = `${content}${suffix}${NFT_INCLUDE_LINE}\n`;
+    d.fs.writeFileSync(NFT_MAIN_CONF, content, { mode: 0o644 });
+    d.fs.chmodSync(NFT_MAIN_CONF, 0o644);
+  }
+}
+
+function removeNftInclude(d) {
+  if (!d.fs.existsSync(NFT_MAIN_CONF)) {
+    return;
+  }
+
+  const content = d.fs.readFileSync(NFT_MAIN_CONF, "utf8");
+  const lines = content.split("\n").filter((line) => line.trim() !== NFT_INCLUDE_LINE);
+  const next = `${lines.join("\n").replace(/\n+$/g, "")}\n`;
+  d.fs.writeFileSync(NFT_MAIN_CONF, next, { mode: 0o644 });
+  d.fs.chmodSync(NFT_MAIN_CONF, 0o644);
+}
+
+function applyNftRules(options, d) {
+  d.fs.mkdirSync(path.dirname(NFT_RULE_FILE), { recursive: true, mode: 0o755 });
+  d.fs.writeFileSync(NFT_RULE_FILE, buildNftRuleset(options), { mode: 0o644 });
+  d.fs.chmodSync(NFT_RULE_FILE, 0o644);
+
+  d.run("nft", ["delete", "table", "inet", NFT_TABLE], {
+    check: false,
+    stdio: "ignore",
+  });
+  d.run("nft", ["-f", NFT_RULE_FILE], { stdio: "inherit" });
+
+  ensureNftInclude(d);
+
+  const enabled = d.run("systemctl", ["enable", "--now", "nftables"], {
+    check: false,
+    stdio: "inherit",
+  });
+  if (enabled.status !== 0) {
+    throw new Error("Failed to enable nftables service for persistent IPv6 media block rules.");
+  }
+}
+
+function removeNftRules(d) {
+  d.run("nft", ["delete", "table", "inet", NFT_TABLE], {
+    check: false,
+    stdio: "ignore",
+  });
+
+  if (d.fs.existsSync(NFT_RULE_FILE)) {
+    d.fs.rmSync(NFT_RULE_FILE, { force: true });
+  }
+  removeNftInclude(d);
+
+  d.run("systemctl", ["reload", "nftables"], {
+    check: false,
+    stdio: "ignore",
+  });
+}
+
+function ip6tableRuleArgs(rule) {
+  return [
+    "-p",
+    rule.proto,
+    "--dport",
+    rule.dport,
+    "-m",
+    "comment",
+    "--comment",
+    MARKER,
+    "-j",
+    "DROP",
+  ];
+}
+
+function applyIp6tablesRules(options, d) {
+  const rules = buildIp6tablesRules(options);
+
+  for (const rule of rules) {
+    const args = ip6tableRuleArgs(rule);
+    const exists = d.run("ip6tables", ["-C", "INPUT", ...args], {
+      check: false,
+      stdio: "ignore",
+    }).status === 0;
+
+    if (!exists) {
+      d.run("ip6tables", ["-I", "INPUT", "1", ...args], {
+        stdio: "inherit",
+      });
+    }
+  }
+
+  persistIp6tables(d);
+}
+
+function removeIp6tablesRules(options, d) {
+  const rules = buildIp6tablesRules(options);
+
+  for (const rule of rules) {
+    const args = ip6tableRuleArgs(rule);
+    for (;;) {
+      const exists = d.run("ip6tables", ["-C", "INPUT", ...args], {
+        check: false,
+        stdio: "ignore",
+      }).status === 0;
+
+      if (!exists) {
+        break;
+      }
+
+      d.run("ip6tables", ["-D", "INPUT", ...args], {
+        stdio: "inherit",
+      });
+    }
+  }
+
+  persistIp6tables(d);
+}
+
+function isNftPresent(d) {
+  const res = d.run("nft", ["list", "table", "inet", NFT_TABLE], {
+    check: false,
+    stdio: "pipe",
+  });
+  if (res.status !== 0) {
+    return false;
+  }
+  return (res.stdout || "").includes(MARKER);
+}
+
+function isIp6tablesPresent(d) {
+  const rules = d.output("sh", ["-lc", "ip6tables-save 2>/dev/null || true"]);
+  return rules.includes(MARKER);
+}
+
+function applyMediaIpv4OnlyRules(options = {}, runtime = {}) {
+  const d = withDeps(runtime.deps);
+  const backend = runtime.backend || detectFirewallBackend(d);
+
+  if (backend === "nft") {
+    applyNftRules(options, d);
+    return { backend };
+  }
+
+  if (backend === "ip6tables") {
+    applyIp6tablesRules(options, d);
+    return { backend };
+  }
+
+  throw new Error(`Unsupported firewall backend: ${backend}`);
+}
+
+function removeMediaIpv4OnlyRules(options = {}, runtime = {}) {
+  const d = withDeps(runtime.deps);
+  const backend = runtime.backend || detectFirewallBackend(d);
+
+  if (backend === "nft") {
+    removeNftRules(d);
+    return { backend };
+  }
+
+  if (backend === "ip6tables") {
+    removeIp6tablesRules(options, d);
+    return { backend };
+  }
+
+  throw new Error(`Unsupported firewall backend: ${backend}`);
+}
+
+function isMediaIpv4OnlyRulesPresent(runtime = {}) {
+  const d = withDeps(runtime.deps);
+  let backend = runtime.backend;
+
+  try {
+    backend = backend || detectFirewallBackend(d);
+  } catch (error) {
+    return {
+      enabled: false,
+      backend: null,
+      error: error.message,
+    };
+  }
+
+  if (backend === "nft") {
+    return {
+      enabled: isNftPresent(d),
+      backend,
+      marker: MARKER,
+    };
+  }
+
+  if (backend === "ip6tables") {
+    return {
+      enabled: isIp6tablesPresent(d),
+      backend,
+      marker: MARKER,
+    };
+  }
+
+  return {
+    enabled: false,
+    backend,
+    marker: MARKER,
+  };
+}
+
+module.exports = {
+  MARKER,
+  NFT_TABLE,
+  NFT_RULE_FILE,
+  NFT_MAIN_CONF,
+  NFT_INCLUDE_LINE,
+  normalizeOptions,
+  detectFirewallBackend,
+  buildIp6tablesRules,
+  buildNftRuleset,
+  applyMediaIpv4OnlyRules,
+  removeMediaIpv4OnlyRules,
+  isMediaIpv4OnlyRulesPresent,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bitcall/webrtc-sip-gateway",
-  "version": "0.2.4",
+  "version": "0.2.6",
   "description": "Linux CLI for bootstrapping and managing the Bitcall WebRTC-to-SIP Gateway",
   "repository": {
     "type": "git",
@@ -22,7 +22,7 @@
   },
   "scripts": {
     "lint": "node --check src/index.js && node --check bin/bitcall-gateway.js && for f in lib/*.js; do node --check \"$f\"; done",
-    "test": "node test/smoke.test.js",
+    "test": "node test/smoke.test.js && node test/firewall.test.js",
     "pack:dry": "npm pack --dry-run"
   },
   "dependencies": {

package/src/index.js

@@ -33,8 +33,14 @@ const {
   ensureComposePlugin,
 } = require("../lib/system");
 const { readTemplate, renderTemplate } = require("../lib/template");
+const {
+  detectFirewallBackend,
+  applyMediaIpv4OnlyRules,
+  removeMediaIpv4OnlyRules,
+  isMediaIpv4OnlyRulesPresent,
+} = require("../lib/firewall");
 
-const PACKAGE_VERSION = "0.2.4";
+const PACKAGE_VERSION = "0.2.6";
 
 function detectComposeCommand() {
   if (run("docker", ["compose", "version"], { check: false }).status === 0) {
@@ -81,9 +87,11 @@ function envOrder() {
   return [
     "GATEWAY_VERSION",
     "BITCALL_GATEWAY_IMAGE",
+    "BITCALL_ENV",
     "DOMAIN",
     "PUBLIC_IP",
     "DEPLOY_MODE",
+    "ROUTING_MODE",
     "SIP_PROVIDER_URI",
     "SIP_UPSTREAM_TRANSPORT",
     "SIP_UPSTREAM_PORT",
@@ -103,7 +111,11 @@ function envOrder() {
     "WSS_LISTEN_PORT",
     "INTERNAL_WSS_PORT",
     "INTERNAL_WS_PORT",
-    "MEDIA_IPV6",
+    "MEDIA_IPV4_ONLY",
+    "TURN_UDP_PORT",
+    "TURNS_TCP_PORT",
+    "TURN_RELAY_MIN_PORT",
+    "TURN_RELAY_MAX_PORT",
     "RTPENGINE_MIN_PORT",
     "RTPENGINE_MAX_PORT",
     "WITH_REVERSE_PROXY",
@@ -201,6 +213,52 @@ function configureFirewall(config) {
   run("ufw", ["reload"], { check: false, stdio: "ignore" });
 }
 
+function countAllowedDomains(raw) {
+  if (!raw) {
+    return 0;
+  }
+  return raw
+    .split(",")
+    .map((item) => item.trim())
+    .filter(Boolean).length;
+}
+
+function mediaFirewallOptionsFromConfig(config) {
+  return {
+    rtpMin: Number.parseInt(config.rtpMin || "10000", 10),
+    rtpMax: Number.parseInt(config.rtpMax || "20000", 10),
+    turnEnabled: config.turnMode === "coturn",
+    turnUdpPort: Number.parseInt(config.turnUdpPort || "3478", 10),
+    turnsTcpPort: Number.parseInt(config.turnsTcpPort || "5349", 10),
+    turnRelayMin: Number.parseInt(config.turnRelayMinPort || "49152", 10),
+    turnRelayMax: Number.parseInt(config.turnRelayMaxPort || "49252", 10),
+  };
+}
+
+function mediaFirewallOptionsFromEnv(envMap) {
+  return {
+    rtpMin: Number.parseInt(envMap.RTPENGINE_MIN_PORT || "10000", 10),
+    rtpMax: Number.parseInt(envMap.RTPENGINE_MAX_PORT || "20000", 10),
+    turnEnabled: (envMap.TURN_MODE || "none") === "coturn",
+    turnUdpPort: Number.parseInt(envMap.TURN_UDP_PORT || "3478", 10),
+    turnsTcpPort: Number.parseInt(envMap.TURNS_TCP_PORT || "5349", 10),
+    turnRelayMin: Number.parseInt(envMap.TURN_RELAY_MIN_PORT || "49152", 10),
+    turnRelayMax: Number.parseInt(envMap.TURN_RELAY_MAX_PORT || "49252", 10),
+  };
+}
+
+async function confirmContinueWithoutMediaBlock() {
+  const prompt = new Prompter();
+  try {
+    return await prompt.askYesNo(
+      "Continue without IPv6 media block (may cause no-audio on some networks)?",
+      false
+    );
+  } finally {
+    prompt.close();
+  }
+}
+
 function generateSelfSigned(certPath, keyPath, domain, days = 1) {
   ensureDir(path.dirname(certPath), 0o700);
   run(
@@ -345,136 +403,179 @@ async function runWizard(existing = {}, preflight = {}) {
   try {
     const detectedIp = detectPublicIp();
     const domain = await prompt.askText("Gateway domain", existing.DOMAIN || "", { required: true });
-    const publicIp = await prompt.askText("Public IP", existing.PUBLIC_IP || detectedIp, {
-      required: true,
-    });
+    let publicIp = existing.PUBLIC_IP || detectedIp || "";
+    if (!publicIp) {
+      publicIp = await prompt.askText("Public IPv4 (auto-detect failed)", "", { required: true });
+    }
 
     const resolved = resolveDomainIpv4(domain);
     if (resolved.length > 0 && !resolved.includes(publicIp)) {
       console.log(`Warning: DNS for ${domain} resolves to ${resolved.join(", ")}, not ${publicIp}.`);
     }
 
-    const conflictModeDefault =
+    const autoDeployMode =
       (preflight.p80 && preflight.p80.inUse) || (preflight.p443 && preflight.p443.inUse)
-        ? 1
-        : 0;
-    const deployMode = await prompt.askChoice(
-      "Deployment mode",
-      ["standalone", "reverse-proxy"],
-      conflictModeDefault
-    );
+        ? "reverse-proxy"
+        : "standalone";
 
-    if (deployMode === "reverse-proxy") {
-      console.log("Note: forward /turn-credentials and websocket upgrade to 127.0.0.1:8443, and ACME path to 127.0.0.1:8080.");
-    }
-
-    const tlsMode = await prompt.askChoice(
-      "TLS certificate mode",
-      ["letsencrypt", "custom", "dev-self-signed"],
-      0
-    );
+    const advanced = await prompt.askYesNo("Advanced setup", false);
 
+    let deployMode = autoDeployMode;
+    let tlsMode = "letsencrypt";
     let acmeEmail = existing.ACME_EMAIL || "";
     let customCertPath = "";
     let customKeyPath = "";
+    let bitcallEnv = existing.BITCALL_ENV || "production";
+    let routingMode = existing.ROUTING_MODE || "universal";
+    let sipProviderHost = DEFAULT_PROVIDER_HOST;
+    let sipTransport = "udp";
+    let sipPort = "5060";
+    let sipProviderUri = "";
+    let allowedDomains = existing.ALLOWED_SIP_DOMAINS || "";
+    let sipTrustedIps = existing.SIP_TRUSTED_IPS || "";
+    let turnMode = await prompt.askYesNo("Enable built-in TURN (coturn)?", true) ? "coturn" : "none";
+    let turnSecret = "";
+    let turnTtl = existing.TURN_TTL || "86400";
+    let turnApiToken = existing.TURN_API_TOKEN || "";
+    let turnExternalUrls = "";
+    let turnExternalUsername = "";
+    let turnExternalCredential = "";
+    let webphoneOrigin = existing.WEBPHONE_ORIGIN || DEFAULT_WEBPHONE_ORIGIN;
+    let configureUfw = true;
+    let mediaIpv4Only = existing.MEDIA_IPV4_ONLY ? existing.MEDIA_IPV4_ONLY === "1" : true;
 
-    if (tlsMode === "letsencrypt") {
-      acmeEmail = await prompt.askText("Let's Encrypt email", acmeEmail, { required: true });
-    } else if (tlsMode === "custom") {
-      customCertPath = await prompt.askText("Path to TLS certificate (PEM)", existing.TLS_CERT || "", {
-        required: true,
-      });
-      customKeyPath = await prompt.askText("Path to TLS private key (PEM)", existing.TLS_KEY || "", {
-        required: true,
-      });
+    if (turnMode === "coturn") {
+      turnSecret = crypto.randomBytes(32).toString("hex");
     }
 
-    const sipProviderHost = await prompt.askText(
-      "SIP provider host",
-      existing.SIP_PROVIDER_URI
-        ? existing.SIP_PROVIDER_URI.replace(/^sip:/, "").split(":")[0]
-        : DEFAULT_PROVIDER_HOST,
-      { required: true }
-    );
-
-    const sipTransportChoice = await prompt.askChoice(
-      "SIP provider transport",
-      ["udp", "tcp", "tls", "custom"],
-      0
-    );
+    if (advanced) {
+      deployMode = await prompt.askChoice(
+        "Deployment mode",
+        ["standalone", "reverse-proxy"],
+        autoDeployMode === "reverse-proxy" ? 1 : 0
+      );
 
-    let sipTransport = sipTransportChoice;
-    let sipPort = "5060";
+      tlsMode = await prompt.askChoice(
+        "TLS certificate mode",
+        ["letsencrypt", "custom", "dev-self-signed"],
+        0
+      );
 
-    if (sipTransportChoice === "tcp" || sipTransportChoice === "udp") {
-      sipPort = "5060";
-    } else if (sipTransportChoice === "tls") {
-      sipPort = "5061";
-    } else {
-      sipTransport = await prompt.askChoice("Custom transport", ["udp", "tcp", "tls"], 0);
-      const defaultPort = sipTransport === "tls" ? "5061" : "5060";
-      sipPort = await prompt.askText("Custom SIP port", defaultPort, { required: true });
-    }
+      if (tlsMode === "custom") {
+        customCertPath = await prompt.askText("Path to TLS certificate (PEM)", existing.TLS_CERT || "", {
+          required: true,
+        });
+        customKeyPath = await prompt.askText("Path to TLS private key (PEM)", existing.TLS_KEY || "", {
+          required: true,
+        });
+      }
 
-    const sipProviderUri = `sip:${sipProviderHost}:${sipPort};transport=${sipTransport}`;
+      if (tlsMode === "letsencrypt") {
+        acmeEmail = await prompt.askText("Let's Encrypt email", acmeEmail, { required: true });
+      } else {
+        acmeEmail = "";
+      }
 
-    const allowedDomains = await prompt.askText(
-      "Allowed SIP domains (comma-separated; blank enables dev mode)",
-      existing.ALLOWED_SIP_DOMAINS || sipProviderHost
-    );
+      bitcallEnv = await prompt.askChoice("Environment", ["production", "dev"], bitcallEnv === "dev" ? 1 : 0);
+      allowedDomains = await prompt.askText(
+        "Allowed SIP domains (comma-separated; required in production)",
+        allowedDomains
+      );
 
-    if (!allowedDomains.trim()) {
-      console.log("Warning: ALLOWED_SIP_DOMAINS is empty (dev mode, open relay risk).");
-    }
+      routingMode = await prompt.askChoice(
+        "Routing mode",
+        ["universal", "single-provider"],
+        routingMode === "single-provider" ? 1 : 0
+      );
 
-    const sipTrustedIps = await prompt.askText(
-      "Trusted SIP source IPs (optional, comma-separated)",
-      existing.SIP_TRUSTED_IPS || ""
-    );
+      if (routingMode === "single-provider") {
+        sipProviderHost = await prompt.askText(
+          "SIP provider host",
+          existing.SIP_PROVIDER_URI
+            ? existing.SIP_PROVIDER_URI.replace(/^sip:/, "").split(":")[0]
+            : DEFAULT_PROVIDER_HOST,
+          { required: true }
+        );
+
+        const sipTransportChoice = await prompt.askChoice(
+          "SIP provider transport",
+          ["udp", "tcp", "tls", "custom"],
+          0
+        );
+
+        sipTransport = sipTransportChoice;
+        if (sipTransportChoice === "tcp" || sipTransportChoice === "udp") {
+          sipPort = "5060";
+        } else if (sipTransportChoice === "tls") {
+          sipPort = "5061";
+        } else {
+          sipTransport = await prompt.askChoice("Custom transport", ["udp", "tcp", "tls"], 0);
+          sipPort = await prompt.askText(
+            "Custom SIP port",
+            sipTransport === "tls" ? "5061" : "5060",
+            { required: true }
+          );
+        }
+
+        sipProviderUri = `sip:${sipProviderHost}:${sipPort};transport=${sipTransport}`;
+      }
 
-    const turnMode = await prompt.askChoice("TURN mode", ["none", "external", "coturn"], 0);
+      sipTrustedIps = await prompt.askText(
+        "Trusted SIP source IPs (optional, comma-separated)",
+        sipTrustedIps
+      );
 
-    let turnSecret = existing.TURN_SECRET || "";
-    let turnTtl = existing.TURN_TTL || "86400";
-    let turnApiToken = existing.TURN_API_TOKEN || "";
-    let turnExternalUrls = "";
-    let turnExternalUsername = "";
-    let turnExternalCredential = "";
+      const turnDefaultIndex = turnMode === "external" ? 2 : turnMode === "coturn" ? 1 : 0;
+      turnMode = await prompt.askChoice("TURN mode", ["none", "coturn", "external"], turnDefaultIndex);
+      if (turnMode === "coturn") {
+        turnSecret = crypto.randomBytes(32).toString("hex");
+        turnTtl = await prompt.askText("TURN credential TTL seconds", turnTtl, { required: true });
+        turnApiToken = await prompt.askText("TURN API token (optional)", turnApiToken);
+      } else if (turnMode === "external") {
+        turnSecret = "";
+        turnApiToken = "";
+        turnExternalUrls = await prompt.askText("External TURN urls", existing.TURN_EXTERNAL_URLS || "", {
+          required: true,
+        });
+        turnExternalUsername = await prompt.askText(
+          "External TURN username",
+          existing.TURN_EXTERNAL_USERNAME || ""
+        );
+        turnExternalCredential = await prompt.askText(
+          "External TURN credential",
+          existing.TURN_EXTERNAL_CREDENTIAL || ""
+        );
+      } else {
+        turnSecret = "";
+        turnApiToken = "";
+      }
 
-    if (turnMode === "external") {
-      turnExternalUrls = await prompt.askText("External TURN urls", existing.TURN_EXTERNAL_URLS || "", {
-        required: true,
-      });
-      turnExternalUsername = await prompt.askText(
-        "External TURN username",
-        existing.TURN_EXTERNAL_USERNAME || ""
+      webphoneOrigin = await prompt.askText(
+        "Allowed webphone origin (* for any)",
+        webphoneOrigin
       );
-      turnExternalCredential = await prompt.askText(
-        "External TURN credential",
-        existing.TURN_EXTERNAL_CREDENTIAL || ""
+
+      mediaIpv4Only = await prompt.askYesNo(
+        "Media IPv4-only mode (block IPv6 RTP/TURN on host firewall)",
+        mediaIpv4Only
       );
-    }
 
-    if (turnMode === "coturn") {
-      turnSecret = crypto.randomBytes(32).toString("hex");
-      turnTtl = await prompt.askText("TURN credential TTL seconds", turnTtl, { required: true });
-      turnApiToken = await prompt.askText("TURN API token (optional)", turnApiToken);
+      configureUfw = await prompt.askYesNo("Configure ufw firewall rules now", true);
     } else {
-      turnSecret = "";
-      turnApiToken = "";
+      acmeEmail = await prompt.askText("Let's Encrypt email", acmeEmail, { required: true });
     }
 
-    const webphoneOrigin = await prompt.askText(
-      "Allowed webphone origin (* for any)",
-      existing.WEBPHONE_ORIGIN || DEFAULT_WEBPHONE_ORIGIN
-    );
-
-    const mediaIpv6Enabled = await prompt.askYesNo(
-      "Enable IPv6 media candidates? (default: No)",
-      existing.MEDIA_IPV6 === "1"
-    );
+    if (bitcallEnv === "production" && !allowedDomains.trim()) {
+      throw new Error(
+        "Production mode requires ALLOWED_SIP_DOMAINS. Re-run init with Advanced=Yes and provide allowlisted SIP domains, or switch Environment to dev."
+      );
+    }
 
-    const configureUfw = await prompt.askYesNo("Configure ufw firewall rules now", true);
+    if (deployMode === "reverse-proxy") {
+      console.log(
+        "Note: forward /turn-credentials and websocket upgrade to 127.0.0.1:8443, and ACME path to 127.0.0.1:8080."
+      );
+    }
 
     const config = {
       domain,
@@ -484,6 +585,8 @@ async function runWizard(existing = {}, preflight = {}) {
       acmeEmail,
       customCertPath,
       customKeyPath,
+      bitcallEnv,
+      routingMode,
       sipProviderHost,
       sipTransport,
       sipPort,
@@ -498,9 +601,13 @@ async function runWizard(existing = {}, preflight = {}) {
       turnExternalUsername,
       turnExternalCredential,
       webphoneOrigin,
-      mediaIpv6: mediaIpv6Enabled ? "1" : "0",
-      rtpMin: "10000",
-      rtpMax: "20000",
+      mediaIpv4Only: mediaIpv4Only ? "1" : "0",
+      rtpMin: existing.RTPENGINE_MIN_PORT || "10000",
+      rtpMax: existing.RTPENGINE_MAX_PORT || "20000",
+      turnUdpPort: existing.TURN_UDP_PORT || "3478",
+      turnsTcpPort: existing.TURNS_TCP_PORT || "5349",
+      turnRelayMinPort: existing.TURN_RELAY_MIN_PORT || "49152",
+      turnRelayMaxPort: existing.TURN_RELAY_MAX_PORT || "49252",
       acmeListenPort: deployMode === "reverse-proxy" ? "8080" : "80",
       wssListenPort: deployMode === "reverse-proxy" ? "8443" : "443",
       internalWssPort: "8443",
@@ -508,15 +615,19 @@ async function runWizard(existing = {}, preflight = {}) {
       configureUfw,
     };
 
+    const allowedCount = countAllowedDomains(config.allowedDomains);
     console.log("\nSummary:");
     console.log(`  Domain: ${config.domain}`);
     console.log(`  Public IP: ${config.publicIp}`);
-    console.log(`  Deploy mode: ${config.deployMode}`);
-    console.log(`  TLS mode: ${config.tlsMode}`);
-    console.log(`  SIP provider URI: ${config.sipProviderUri}`);
-    console.log(`  Allowed SIP domains: ${config.allowedDomains || "(empty/dev-mode)"}`);
-    console.log(`  TURN mode: ${config.turnMode}`);
-    console.log(`  IPv6 media candidates: ${config.mediaIpv6 === "1" ? "enabled" : "disabled (IPv4-only)"}`);
+    console.log(`  TLS: ${config.tlsMode === "letsencrypt" ? "Let's Encrypt" : config.tlsMode}`);
+    console.log(`  Deploy mode: ${config.deployMode}${advanced ? "" : " (auto)"}`);
+    console.log(`  TURN: ${config.turnMode}`);
+    console.log(
+      `  Media: ${config.mediaIpv4Only === "1" ? "IPv4-only (IPv6 signaling allowed; IPv6 media blocked)" : "dual-stack"}`
+    );
+    console.log(
+      `  Security: Allowed SIP domains ${allowedCount > 0 ? `${allowedCount} entries` : "not set"}`
+    );
 
     const proceed = await prompt.askYesNo("Proceed with provisioning", true);
     if (!proceed) {
@@ -543,9 +654,11 @@ function renderEnvContent(config, tlsCert, tlsKey) {
   const content = renderTemplate(".env.template", {
     GATEWAY_VERSION: PACKAGE_VERSION,
     BITCALL_GATEWAY_IMAGE: DEFAULT_GATEWAY_IMAGE,
+    BITCALL_ENV: config.bitcallEnv,
     DOMAIN: config.domain,
     PUBLIC_IP: config.publicIp,
     DEPLOY_MODE: config.deployMode,
+    ROUTING_MODE: config.routingMode,
     SIP_PROVIDER_URI: config.sipProviderUri,
     SIP_UPSTREAM_TRANSPORT: config.sipTransport,
     SIP_UPSTREAM_PORT: config.sipPort,
@@ -565,7 +678,11 @@ function renderEnvContent(config, tlsCert, tlsKey) {
     WSS_LISTEN_PORT: config.wssListenPort,
     INTERNAL_WSS_PORT: config.internalWssPort,
     INTERNAL_WS_PORT: config.internalWsPort,
-    MEDIA_IPV6: config.mediaIpv6,
+    MEDIA_IPV4_ONLY: config.mediaIpv4Only,
+    TURN_UDP_PORT: config.turnUdpPort,
+    TURNS_TCP_PORT: config.turnsTcpPort,
+    TURN_RELAY_MIN_PORT: config.turnRelayMinPort,
+    TURN_RELAY_MAX_PORT: config.turnRelayMaxPort,
   });
 
   let extra = "";
@@ -685,6 +802,22 @@ async function initCommand() {
     configureFirewall(config);
   }
 
+  if (config.mediaIpv4Only === "1") {
+    try {
+      const applied = applyMediaIpv4OnlyRules(mediaFirewallOptionsFromConfig(config));
+      console.log(`Applied IPv6 media block rules (${applied.backend}).`);
+    } catch (error) {
+      console.error(`IPv6 media block setup failed: ${error.message}`);
+      const proceed = await confirmContinueWithoutMediaBlock();
+      if (!proceed) {
+        throw new Error("Initialization stopped because media IPv4-only firewall rules were not applied.");
+      }
+      updateGatewayEnv({ MEDIA_IPV4_ONLY: "0" });
+      config.mediaIpv4Only = "0";
+      console.log("Continuing without IPv6 media block rules.");
+    }
+  }
+
   startGatewayStack();
 
   if (config.tlsMode === "letsencrypt") {
@@ -772,6 +905,8 @@ function statusCommand() {
       }).status === 0;
   }
 
+  const mediaStatus = isMediaIpv4OnlyRulesPresent();
+
   console.log("Bitcall Gateway Status\n");
   console.log(`Gateway service: ${formatMark(active)} ${active ? "running" : "stopped"}`);
   console.log(`Auto-start: ${formatMark(enabled)} ${enabled ? "enabled" : "disabled"}`);
@@ -781,7 +916,17 @@ function statusCommand() {
   console.log(`Port ${envMap.WSS_LISTEN_PORT || "443"}: ${formatMark(p443.inUse)} listening`);
   console.log(`Port 5060: ${formatMark(p5060.inUse)} listening`);
   console.log(`rtpengine control: ${formatMark(rtpReady)} reachable`);
-  console.log(`IPv6 media candidates: ${(envMap.MEDIA_IPV6 || "0") === "1" ? "enabled" : "disabled (IPv4-only)"}`);
+  if (mediaStatus.backend) {
+    console.log(`Media IPv4-only: ${mediaStatus.enabled ? "enabled" : "disabled"}`);
+    console.log(`Media firewall backend: ${mediaStatus.backend}`);
+  } else {
+    console.log(`Media IPv4-only: disabled (backend unavailable)`);
+  }
+  if (!mediaStatus.enabled) {
+    console.log(
+      "Warning: IPv6 media may cause no-audio on some clients; enable via `bitcall-gateway media ipv4-only on`"
+    );
+  }
   if (envMap.TURN_MODE && envMap.TURN_MODE !== "none") {
     console.log(`/turn-credentials: ${formatMark(turnReady)} reachable`);
   }
@@ -795,11 +940,13 @@ function statusCommand() {
 
   console.log("\nConfig summary:");
   console.log(`DOMAIN=${envMap.DOMAIN || ""}`);
+  console.log(`BITCALL_ENV=${envMap.BITCALL_ENV || "production"}`);
+  console.log(`ROUTING_MODE=${envMap.ROUTING_MODE || "universal"}`);
   console.log(`SIP_PROVIDER_URI=${envMap.SIP_PROVIDER_URI || ""}`);
   console.log(`DEPLOY_MODE=${envMap.DEPLOY_MODE || ""}`);
   console.log(`ALLOWED_SIP_DOMAINS=${envMap.ALLOWED_SIP_DOMAINS || ""}`);
   console.log(`TURN_MODE=${envMap.TURN_MODE || "none"}`);
-  console.log(`MEDIA_IPV6=${envMap.MEDIA_IPV6 || "0"}`);
+  console.log(`MEDIA_IPV4_ONLY=${envMap.MEDIA_IPV4_ONLY || "1"}`);
 }
 
 function certStatusCommand() {
@@ -877,6 +1024,42 @@ function updateCommand() {
   runSystemctl(["reload", SERVICE_NAME], ["up", "-d", "--remove-orphans"]);
 }
 
+function mediaStatusCommand() {
+  ensureInitialized();
+  const envMap = loadEnvFile(ENV_PATH);
+  const desired = (envMap.MEDIA_IPV4_ONLY || "1") === "1";
+  const state = isMediaIpv4OnlyRulesPresent();
+
+  console.log("Media firewall status\n");
+  console.log(`Configured mode: ${desired ? "IPv4-only" : "dual-stack"}`);
+  if (!state.backend) {
+    console.log(`Backend: unavailable (${state.error || "not detected"})`);
+    console.log("Rules active: no");
+    return;
+  }
+
+  console.log(`Backend: ${state.backend}`);
+  console.log(`Rules active: ${state.enabled ? "yes" : "no"}`);
+}
+
+function mediaIpv4OnlyOnCommand() {
+  ensureInitialized();
+  const envMap = loadEnvFile(ENV_PATH);
+  const options = mediaFirewallOptionsFromEnv(envMap);
+  const applied = applyMediaIpv4OnlyRules(options);
+  updateGatewayEnv({ MEDIA_IPV4_ONLY: "1" });
+  console.log(`Enabled IPv6 media block rules (${applied.backend}).`);
+}
+
+function mediaIpv4OnlyOffCommand() {
+  ensureInitialized();
+  const envMap = loadEnvFile(ENV_PATH);
+  const options = mediaFirewallOptionsFromEnv(envMap);
+  const removed = removeMediaIpv4OnlyRules(options);
+  updateGatewayEnv({ MEDIA_IPV4_ONLY: "0" });
+  console.log(`Disabled IPv6 media block rules (${removed.backend}).`);
+}
+
 async function uninstallCommand(options) {
   if (!options.yes) {
     const prompt = new Prompter();
@@ -890,6 +1073,18 @@ async function uninstallCommand(options) {
     }
   }
 
+  let uninstallEnv = {};
+  if (fs.existsSync(ENV_PATH)) {
+    uninstallEnv = loadEnvFile(ENV_PATH);
+  }
+
+  try {
+    const backend = detectFirewallBackend();
+    removeMediaIpv4OnlyRules(mediaFirewallOptionsFromEnv(uninstallEnv), { backend });
+  } catch (error) {
+    console.log(`Warning: failed to remove IPv6 media firewall rules automatically: ${error.message}`);
+  }
+
   run("systemctl", ["stop", SERVICE_NAME], { check: false, stdio: "inherit" });
   run("systemctl", ["disable", SERVICE_NAME], { check: false, stdio: "inherit" });
 
@@ -961,6 +1156,13 @@ function buildProgram() {
 
   program.command("update").description("Pull latest image and restart service").action(updateCommand);
   program.command("config").description("Print active configuration (secrets hidden)").action(configCommand);
+
+  const media = program.command("media").description("Media firewall operations");
+  media.command("status").description("Show media IPv4-only firewall state").action(mediaStatusCommand);
+  const mediaIpv4Only = media.command("ipv4-only").description("Toggle IPv6 media block");
+  mediaIpv4Only.command("on").description("Enable IPv4-only media mode").action(mediaIpv4OnlyOnCommand);
+  mediaIpv4Only.command("off").description("Disable IPv4-only media mode").action(mediaIpv4OnlyOffCommand);
+
   program
     .command("uninstall")
     .description("Remove gateway service and files")

package/templates/.env.template

@@ -1,9 +1,11 @@
 # Generated by bitcall-gateway init
 GATEWAY_VERSION=__GATEWAY_VERSION__
 BITCALL_GATEWAY_IMAGE=__BITCALL_GATEWAY_IMAGE__
+BITCALL_ENV=__BITCALL_ENV__
 DOMAIN=__DOMAIN__
 PUBLIC_IP=__PUBLIC_IP__
 DEPLOY_MODE=__DEPLOY_MODE__
+ROUTING_MODE=__ROUTING_MODE__
 SIP_PROVIDER_URI=__SIP_PROVIDER_URI__
 SIP_UPSTREAM_TRANSPORT=__SIP_UPSTREAM_TRANSPORT__
 SIP_UPSTREAM_PORT=__SIP_UPSTREAM_PORT__
@@ -23,4 +25,8 @@ ACME_LISTEN_PORT=__ACME_LISTEN_PORT__
 WSS_LISTEN_PORT=__WSS_LISTEN_PORT__
 INTERNAL_WSS_PORT=__INTERNAL_WSS_PORT__
 INTERNAL_WS_PORT=__INTERNAL_WS_PORT__
-MEDIA_IPV6=__MEDIA_IPV6__
+MEDIA_IPV4_ONLY=__MEDIA_IPV4_ONLY__
+TURN_UDP_PORT=__TURN_UDP_PORT__
+TURNS_TCP_PORT=__TURNS_TCP_PORT__
+TURN_RELAY_MIN_PORT=__TURN_RELAY_MIN_PORT__
+TURN_RELAY_MAX_PORT=__TURN_RELAY_MAX_PORT__

package/templates/docker-compose.yml.template

@@ -10,8 +10,6 @@ services:
     security_opt:
       - no-new-privileges:true
     env_file: .env
-    environment:
-      - MEDIA_IPV6=${MEDIA_IPV6:-0}
     volumes:
       - ${TLS_CERT}:/etc/ssl/cert.pem:ro
       - ${TLS_KEY}:/etc/ssl/key.pem:ro