[Freeswitch-users] Enabling extensions with passwords and limiting network access via acls (Was: Confusing SIP auth failure logging message?)

Simon J Mudd sjmudd at pobox.com
Thu Feb 10 02:33:01 MSK 2011

Hi Brian,

brian at freeswitch.org (Brian West) writes:

> So while you can buy a gun and bullets, whose fault is it when you
> get shot in the foot?  Same thing really.

I'm not sure I like examples with guns as there are often very
opposing points of view on topics like that. However, it is true that
with all software you can configure it incorrectly and cause yourself
problems. Ideally that's something you want to avoid if possible.

> Our dialplan is rather secure since I designed it and I fully
> understand how our security model works.

So you understand how to _avoid_ mistakes and what _not_ to do. The
issue I've been having is that for me it's not so obvious when I'm
making those obvious mistakes and doing things that are not sensible.
I have tried to read the documentation. I believe that if it can happen
to me others will have similar difficulties. Thus the learning curve
even to set up something "simple" is extremely steep.

> Our default is just an example of how to use FreeSWITCH.

Of course. The software is flexible so giving people a starting point
is helpful. Providing pointers (if that's possible) about the good
things to do and the things to avoid aids us even more.

> I could do a service and just delete it all and leave
> it up to you to figure it all out but I feel learning by example is
> a great way to see how to use the software.

Yes, and I for one appreciate the example configuration.

Having said that the page
http://wiki.freeswitch.org/wiki/SIP_Provider_Examples seems to imply
that if I add external gateways they should be added under conf/sip_profiles/external/provider.xml

external.xml says:

<profile name="external">
  <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files --> 
  <!-- This profile is only for outbound registrations to providers -->
    <X-PRE-PROCESS cmd="include" data="external/*.xml"/>

which seems to confirm this idea, yet

internal.xml says:

<profile name="internal">
  <!-- Outbound Registrations -->
    <X-PRE-PROCESS cmd="include" data="internal/*.xml"/>

It's not clear to me where the providers should go. I've added them
under external/ but I think that's wrong. Understand why I'm confused?

Also I see from: http://wiki.freeswitch.org/wiki/Getting_Started_Guide#Configuring_FreeSWITCH
comments about:

Some common extensions for testing

1000, 1001, ..., 1019 - Generic SIP extensions 

No mention here that these extensions are "reachable from
outside". While there's nothing specifically bad about them being
reachable from outside if that's not the behaviour you want and you
think they are internal extensions only you may have a surprise.

I'm reluctant to go editing the wiki because I don't fully understand
things but perhaps a "(also reachable from outside)" comment would be
useful and perhaps a similar comment in the configuration files.

The files directory/default/10XX.xml "seem" to be internal, and
there's no indication that this might not be the case. Yes, I've
_finally_ figured out that this is because of the configuration in
dialplan/public.xml. It's really hard to put this all together unless
you understand the meaning and usage of all the configuration files.

I can:
* suggest patches to the config files to add comments if that would
* edit the wiki if I'm _sure_ that the changes I make are correct

but I'm rather reluctant to jump in when I'm not the one who really
understands and others do much better. I'm simply trying to point
out that _I_ am having trouble, why I'm having trouble and hoping
that this will aid in the end to improving the documentation so
that more people can use this software.
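
Added example, not part of the original post and not FreeSWITCH project code: a small audit script for the situation described above, where a rule in dialplan/public.xml makes extensions that look internal reachable from outside. The XML sample and the function names are constructed for illustration, and the script assumes transfer data of the form "<destination> <dialplan> <context>".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a public-context dialplan (assumed layout, not taken from the post).
SAMPLE_PUBLIC_XML = """<include>
  <context name="public">
    <extension name="public_extensions">
      <condition field="destination_number" expression="^(10[01][0-9])$">
        <action application="transfer" data="$1 XML default"/>
      </condition>
    </extension>
    <extension name="provider_did">
      <condition field="destination_number" expression="^(5551234)$">
        <action application="answer"/>
      </condition>
    </extension>
  </context>
</include>"""


def find_context_crossings(xml_text):
    """List transfer actions that hand a call to a different context."""
    findings = []
    for ctx in ET.fromstring(xml_text).iter("context"):
        here = ctx.get("name", "")
        for ext in ctx.iter("extension"):
            for cond in ext.iter("condition"):
                if cond.get("field") != "destination_number":
                    continue
                for action in cond.findall("action"):
                    if action.get("application") != "transfer":
                        continue
                    # transfer data: "<destination> [<dialplan> <context>]"
                    parts = (action.get("data") or "").split()
                    target = parts[2] if len(parts) >= 3 else here
                    if target != here:
                        findings.append((here, ext.get("name"), cond.get("expression"), target))
    return findings


def exposed_numbers(findings, candidates):
    """Return the candidate numbers matched by any context-crossing rule."""
    return [n for n in candidates
            if any(re.search(expr, n) for _, _, expr, _ in findings if expr)]


if __name__ == "__main__":
    hits = find_context_crossings(SAMPLE_PUBLIC_XML)
    for src, name, expr, dst in hits:
        print(f"{src}/{name}: {expr} -> context {dst}")
    print(exposed_numbers(hits, [str(n) for n in range(1000, 1025)]))
```

Run against a real dialplan file by passing its contents to find_context_crossings(); files that rely on X-PRE-PROCESS variables need those expanded first, since the script reads the XML as written.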


