[Freeswitch-users] Confusing SIP auth failure logging message?

David Ponzone david.ponzone at ipeva.fr
Mon Feb 7 11:04:01 MSK 2011


Simon,

You can also add rate-limiting rules in iptables, to prevent SIP DoS (people sending you lots of INVITE).

On the other hand, one reason not to use iptables for everything is to avoid sawing off the branch you are sitting on.

When both ACLs are possible, my personal rule would be:
- if changes are required every day or by various people who are not iptables experts, use FreeSWITCH ACL
- if changes are done by an expert and/or are not frequent, go for iptables

David Ponzone  Technical Management
email: david.ponzone at ipeva.fr
tel:      01 74 03 18 97
gsm:   06 66 98 76 34

IPeva Customer Service
tel:      0811 46 26 26
www.ipeva.fr  -   www.ipeva-studio.com

On 07/02/2011 at 08:49, Steven Ayre wrote:

> You can do so in freeswitch but sometimes it's better to do it in the firewall. For example it uses far fewer resources to block someone in the firewall. It's also easier to block scanners such as friendly-scanner in the firewall.
> 
> Steve on iPhone
> 
> On 7 Feb 2011, at 07:31, Simon J Mudd <sjmudd at pobox.com> wrote:
> 
>> On Mon, Feb 07, 2011 at 12:22:36AM +0100, Simon J Mudd wrote:
>>> I've been looking at trying to configure tighter controls for extensions that register.
>> 
>> Looking at http://wiki.freeswitch.org/wiki/Acl I see the comment lower down:
>> 
>> sip_profiles
>> 
>> ... Should you want to protect your FreeSWITCH installation from being contacted by some IP addresses, you will need to setup some firewall rules. To protect your installation, you can look at QoS.
>> 
>> I'm confused. I understand that a firewall can be configured to drop/allow certain packages but given that FreeSWITCH does have acls it seems unusual to me that you
>> can do this directly in FreeSWITCH.
>> 
>> That is I have an Asterisk configuration which I am trying to migrate from and can easily configure in sip.conf:
>> 
>> [1000]
>> username=1000
>> type=friend
>> secret=1234567890
>> context=xxxxxx
>> host=dynamic
>> registersip=yes
>> deny=0.0.0.0/0.0.0.0
>> permit=88.100.50.0/255.255.255.0  ; this is not a real network range but you get the idea.
>> nat=yes
>> call-limit=1
>> ...
>> 
>> This specifies a user for registration who:
>> (1) must provide a password
>> (2) can only register from the given network range
>> (3) is only allowed to make 1 call at a time
>> 
>> Basically I want to mimic this functionality.
>> 
>> I'm assuming that FreeSWITCH acls would be the way to do this. The
>> examples on the wiki don't seem to suggest this is possible.
>> Could someone help provide an example of if/how this would be done
>> in FreeSWITCH?
>> 
>> Thanks,
>> 
>> Simon
>> 
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
> 
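
A FreeSWITCH counterpart to the sip.conf entry quoted above, as an added example that is not part of the original thread or the project's own configuration. It assumes the stock conf/ layout, the `auth-acl` directory parameter and the `limit` dialplan application with the `hash` backend; the extension name `per_user_call_limit` is hypothetical, and the password, network and context are the placeholder values from the quoted message.

```xml
<!-- Added example: two separate files shown in one listing. -->

<!-- File 1 (assumed path): conf/directory/default/1000.xml -->
<include>
  <user id="1000">
    <params>
      <!-- (1) the user must authenticate with this password -->
      <param name="password" value="1234567890"/>
      <!-- (2) requests authenticating as this user are accepted only from
           this range; same placeholder network as the permit= line -->
      <param name="auth-acl" value="88.100.50.0/24"/>
    </params>
    <variables>
      <!-- dialplan context for this user's calls (context= in sip.conf) -->
      <variable name="user_context" value="xxxxxx"/>
    </variables>
  </user>
</include>

<!-- File 2 (assumed path): conf/dialplan/xxxxxx.xml -->
<include>
  <context name="xxxxxx">
    <!-- (3) one call at a time per authenticated user.
         continue="true" lets matching carry on to the routing extensions
         that follow in this context. -->
    <extension name="per_user_call_limit" continue="true">
      <condition field="${sip_auth_username}" expression="^(.+)$">
        <!-- limit <backend> <realm> <resource> <max> -->
        <action application="limit" data="hash ${domain_name} $1 1"/>
      </condition>
    </extension>
  </context>
</include>
```

Because `auth-acl` lives in the user's directory entry, changing the permitted range does not touch the firewall rules that also protect administrative access to the host.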
