[Freeswitch-users] How to stop SPAM calls?
Malay Thakershi
mthakershi at gmail.com
Mon Aug 23 17:01:08 PDT 2010
Thank you. Could you please share your configuration section from the two
files?
I tried what you suggested. I put another IP as my ACL (which should be
rejected) but it goes through. So 41.XXX is not the IP I am calling from but
it connects me anyway.
acl.conf.xml
-----------------
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <!--
      These ACL's are automatically created on startup.
    -->
    <list name="lan" default="allow">
      <node type="deny" cidr="192.168.42.0/24"/>
      <node type="allow" cidr="192.168.42.42/32"/>
    </list>
    <!-- 08232010
      Allow only inbound from vitelity IP
    -->
    <list name="localnet.auto" default="allow">
      <node type="allow" cidr="41.XXX.XXX.XXX/29"/>
    </list>
    <!--
      This will traverse the directory adding all users
      with the cidr= tag to this ACL, when this ACL matches
      the users variables and params apply as if they
      digest authenticated.
    -->
    <list name="domains" default="deny">
      <node type="allow" domain="$${domain}"/>
    </list>
  </network-lists>
</configuration>
-------------
Base_Settings.xml file under sip_profiles folder:
<include>
  <profile name="sipinterface_1">
    <domains>
      <domain name="all" alias="true" parse="true"/>
    </domains>
    <settings>
      <param name="rtp-ip" value="XY.XY.XY.XY"/>
      <param name="sip-ip" value="XY.XY.XY.XY"/>
      <param name="ext-rtp-ip" value="XY.XY.XY.XY"/>
      <param name="ext-sip-ip" value="XY.XY.XY.XY"/>
      <param name="sip-port" value="5060"/>
      <param name="auth-calls" value="false"/>
      <param name="context" value="inbound"/>
      <!-- 08232010
        Allow only inbound from vitelity IP
      -->
      <param name="local-network-acl" value="localnet.auto"/>
      <param name="apply-inbound-acl" value="localnet.auto"/>
    </settings>
  </profile>
</include>
-----------------
Please let me know what I am doing wrong or missing.
Thank you.
On Mon, Aug 23, 2010 at 6:00 PM, Victor Chukalovskiy
<Victor at isptelecom.net> wrote:
> Malay,
>
> I use apply-inbound-acl="providers" in my sip profile. Then I define my
> providers IP addresses in ACL "providers" (within acl.conf.xml)
> This way all other IPs are forced to authorize in order to place calls
> through.
> Why bother with firewall if freeswitch has built-in ACL functionality?
>
> Regards,
> Victor
>
>
> On -10/01/37 02:59 PM, David Ponzone wrote:
>
> You should do that in your firewall.
> The quicker you filter, the better.
>
> I would not care much about the RTP traffic.
> So you need to filter SIP.
> And I really don't think Vitelity is going to change the IP of their
> softswitch/SBC very often, and if they do, they should tell you.
>
> If Vitelity's IP is X and your SIP port is 5060, what you should do as
> filters is:
> allow UDP from X to yourIP:5060 (this will match SIP packets coming from
> Vitelity)
> deny UDP from all to yourIP:5060 (this will match malicious SIP packets)
> allow UDP from all to all (this will match the RTP traffic and other UDP
> traffic)
> and then add your other usual filters
>
> David Ponzone, Technical Management
> email: david.ponzone at ipeva.fr
> tel: 01 74 03 18 97
> gsm: 06 66 98 76 34
>
> IPeva Customer Service
> tel: 0811 46 26 26
> www.ipeva.fr - www.ipeva-studio.com
>
> *This message and all attachments are confidential and intended
> exclusively for its addressees. Any unauthorized use or distribution is
> prohibited. Any electronic message is susceptible to alteration.
> **IPeva** declines all responsibility for this message if it has been
> altered, distorted or falsified. If you are not the intended recipient of
> this message, please destroy it immediately and notify the sender.*
>
>
>
> On 23/08/2010 at 23:11, Malay Thakershi wrote:
>
> That is true. So do I block all other IPs in my firewall? Or do I configure
> that in FreeSwitch? Also, how can I be sure my provider's IP remains the same?
> (I use vitelity)
>
> Please let me know.
>
> On Mon, Aug 23, 2010 at 3:03 PM, David Ponzone <david.ponzone at ipeva.fr> wrote:
>
>> If I understand correctly, you expect calls from PSTN, so only from the
>> known IPs of your provider ?
>> You can then filter all other IPs going to your port X (5060, 5080, your
>> mileage may vary).
>>
>> Also, a call coming to a port you don't use (so not opened) should not
>> have ANY impact.
>> It should not even hit the dialplan.
>> It should be rejected with ICMP port unreachable by the Windows TCP/IP
>> stack.
>>
>>
>> On 23/08/2010 at 21:47, Malay Thakershi wrote:
>>
>> I am going through documentation but it seems iptables can eliminate calls
>> being made on ports other than required ones.
>>
>> But my server is Windows. How do I run iptables command?
>>
>> Also, could you tell me if I block all incoming ports other than 5060
>> and 5061, will my regular inbound calls work?
>>
>> Thank you.
>>
>>
>>
>> 2010/8/23 Brian West <brian at freeswitch.org>
>>
>>> David,
>>> No Clue, Never Used It, Can't Say...
>>>
>>> /b
>>>
>>> On Aug 23, 2010, at 2:32 PM, David Ponzone wrote:
>>>
>>> > Brian
>>> >
>>> > he can't add an ACL with FreePBX ?
>>> >
>>> >
>>> > On 23/08/2010 at 21:26, Brian West wrote:
>>> >
>>> >> Well you're using FreePBX right? The only course of action you have is
>>> >> to find out why it's crashing and report the issue on our Jira. Without
>>> >> any more info to go on you're SOL.
>>> >>
>>> >>
>>> http://www.google.com/search?hl=en&client=safari&rls=en&defl=en&q=define:Vishing&sa=X&ei=RstyTO24JI_Znge7-6yNCw&ved=0CBIQkAE
>>> >>
>>> >> /b
>>>
>>>
>>> _______________________________________________
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
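
Added example, not part of the original thread and not FreeSWITCH's own code: a small Python model of the list posted above, showing that a list with default="allow" and only allow nodes admits every source address, while the same node under default="deny" admits only the provider range. The 198.51.100.8/29 prefix, the sample addresses and the "most specific matching node wins" evaluation are assumptions made for the illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: same shape as the posted acl.conf.xml, with a
# documentation-range prefix standing in for the masked provider /29.
ACL_XML = """
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="localnet.auto" default="allow">
      <node type="allow" cidr="198.51.100.8/29"/>
    </list>
    <list name="providers" default="deny">
      <node type="allow" cidr="198.51.100.8/29"/>
    </list>
  </network-lists>
</configuration>
"""

def load_lists(xml_text):
    """Return {list name: (default action, [(action, network), ...])}."""
    lists = {}
    for lst in ET.fromstring(xml_text).iter("list"):
        nodes = [(n.get("type"), ipaddress.ip_network(n.get("cidr")))
                 for n in lst.iter("node") if n.get("cidr")]
        lists[lst.get("name")] = (lst.get("default"), nodes)
    return lists

def check(lists, name, ip):
    """Simplified model (assumption): most specific match wins, else default."""
    default, nodes = lists[name]
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, action) for action, net in nodes if addr in net]
    return max(hits)[1] if hits else default

def permissive_lists(lists):
    """Lists that can never reject: default allow and no deny node."""
    return sorted(name for name, (default, nodes) in lists.items()
                  if default == "allow"
                  and all(action == "allow" for action, _ in nodes))

if __name__ == "__main__":
    lists = load_lists(ACL_XML)
    for name in lists:
        for ip in ("198.51.100.10", "203.0.113.77"):  # provider, unrelated host
            print(f"{name:14} {ip:14} -> {check(lists, name, ip)}")
    print("never rejects:", permissive_lists(lists))
```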