[Freeswitch-users] ACL not working
Diego Viola
diego.viola at gmail.com
Tue Apr 21 03:43:57 PDT 2009
freeswitch@internal> acl
false
On Tue, Apr 21, 2009 at 5:08 AM, Diego Viola <diego.viola at gmail.com> wrote:
> Hey guys,
>
> I'm currently testing FS inside a LAN. FreeSWITCH is running on
> 192.168.0.101 and my softphone is on 192.168.0.100.
>
> I can register and make calls just fine, but I want to deny everything in
> order to learn how the ACL works.
>
> I have this on the internal profile:
>
> <param name="apply-nat-acl" value="rfc1918"/>
> <param name="apply-inbound-acl" value="domains"/>
> <param name="apply-register-acl" value="domains"/>
>
> And this is how my acl.conf.xml looks, it's all set to deny:
>
> <configuration name="acl.conf" description="Network Lists">
>   <network-lists>
>
>     <list name="dl-candidates" default="deny">
>       <node type="deny" cidr="10.0.0.0/8"/>
>       <node type="deny" cidr="172.16.0.0/12"/>
>       <node type="deny" cidr="192.168.0.0/16"/>
>     </list>
>
>     <list name="rfc1918" default="deny">
>       <node type="deny" cidr="10.0.0.0/8"/>
>       <node type="deny" cidr="172.16.0.0/12"/>
>       <node type="deny" cidr="192.168.0.0/16"/>
>     </list>
>
>     <list name="lan" default="deny">
>       <node type="deny" cidr="192.168.42.0/24"/>
>       <node type="deny" cidr="192.168.42.42/32"/>
>     </list>
>
>     <list name="strict" default="deny">
>       <node type="deny" cidr="208.102.123.124/32"/>
>     </list>
>     <!--
>       This will traverse the directory adding all users
>       with the cidr= tag to this ACL, when this ACL matches
>       the users variables and params apply as if they
>       digest authenticated.
>     -->
>     <list name="domains" default="deny">
>       <node type="deny" domain="$${domain}"/>
>       <node type="deny" cidr="192.168.0.0/24"/>
>     </list>
>
>   </network-lists>
> </configuration>
>
> But I'm still allowed to register with the 1000 user and make calls, to the
> conference extension, etc... I can't understand this, if it's all set to deny
> and the cidr is set to 192.168.0.0/24 on the "domains" context, which is
> what the profile uses, shouldn't the registration/call be denied? I have
> tried many combinations but whenever I change something it won't make any
> difference.
>
> Please help me.
>
> Thanks,
>
> Diego
>