[Freeswitch-users] ACL

Steven Ayre steveayre at gmail.com
Wed Jun 8 11:51:18 MSD 2011


    <list name="strict" *default="allow"*>
      <node type="allow" cidr="195.225.XXX.XXX/32"/>
    </list>

You want a default of 'deny'. The default is what to do with any IP not on
the list; what you've set allows every IP.

I would suggest, by the way, that you build your config off the default config,
customising it to suit you and removing what you don't need. The directory
structure is there to help you manage things (what you've posted makes it
look like you might be using a flat file?). There are a lot of parameters
you've missed out setting.

For example:
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/>
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/>

These will have absolutely no effect. They set a global variable that you
can use elsewhere in your configuration, but you're not actually using them.
You should be setting the inbound & outbound codec preferences on the sofia
profile in a param, either by using the global variable, e.g.
$${outbound_codec_prefs}, or by setting them explicitly there.

-Steve
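To make the two points above concrete, here is an added example (not code from this thread, from FreeSWITCH, or from either poster) that parses a constructed acl.conf/sofia.conf fragment modelled on the posted one, evaluates which source addresses a list admits, flags lists whose default="allow" combined with only allow nodes makes them admit every address, and reports X-PRE-PROCESS variables that nothing ever references. The ACL evaluation order is an assumption of this model (the most specific matching node decides, later nodes winning ties, and the list default applies when no node matches); the addresses are RFC 5737 documentation ranges, and the extra "lan" list is constructed purely to show a deny node alongside a more specific allow node. The param names inbound-codec-prefs and outbound-codec-prefs are the sofia profile params Steve is referring to.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed configuration fragment modelled on the one quoted in the thread.
# Real addresses replaced with RFC 5737 ranges; the "lan" list is an extra
# constructed list showing a deny node with a more specific allow node inside it.
POSTED_CONFIG = """<document type="freeswitch/xml">
  <X-PRE-PROCESS cmd="set" data="local_address=$${local_ip_v4}"/>
  <X-PRE-PROCESS cmd="set" data="global_codec_prefs=G722,PCMU,PCMA,GSM"/>
  <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/>
  <section name="configuration">
    <configuration name="acl.conf" description="Network Lists">
      <network-lists>
        <list name="strict" default="allow">
          <node type="allow" cidr="198.51.100.7/32"/>
        </list>
        <list name="lan" default="allow">
          <node type="deny" cidr="10.0.0.0/8"/>
          <node type="allow" cidr="10.1.2.0/24"/>
        </list>
      </network-lists>
    </configuration>
    <configuration name="sofia.conf">
      <profiles>
        <profile name="sipnet">
          <settings>
            <param name="sip-ip" value="$${local_address}"/>
            <param name="apply-inbound-acl" value="strict"/>
          </settings>
        </profile>
      </profiles>
    </configuration>
  </section>
</document>
"""

# Sofia profile params that should carry the codec preferences (FreeSWITCH
# param names), mapped to the global variables the posted config defines.
CODEC_PARAMS = (("inbound-codec-prefs", "global_codec_prefs"),
                ("outbound-codec-prefs", "outbound_codec_prefs"))


def parse_acl_lists(xml_text):
    """Return {list name: (default, [(node type, ip_network), ...])} from acl.conf.
    Domain-based nodes are resolved at runtime by FreeSWITCH and are skipped here."""
    lists = {}
    for lst in ET.fromstring(xml_text).iter("list"):
        nodes = [(n.get("type"), ipaddress.ip_network(n.get("cidr"), strict=False))
                 for n in lst.findall("node") if n.get("cidr")]
        lists[lst.get("name")] = (lst.get("default", "deny"), nodes)
    return lists


def acl_permits(acl, ip):
    """Assumed model: the most specific matching node decides (later nodes win
    ties); if no node matches, the list default applies."""
    default, nodes = acl
    addr = ipaddress.ip_address(ip)
    verdict, best_bits = default, -1
    for node_type, net in nodes:
        if addr.version == net.version and addr in net and net.prefixlen >= best_bits:
            verdict, best_bits = node_type, net.prefixlen
    return verdict == "allow"


def lists_that_admit_everything(lists):
    """Lists with default="allow" and nothing but allow nodes: every address passes."""
    return sorted(name for name, (default, nodes) in lists.items()
                  if default == "allow" and all(t == "allow" for t, _ in nodes))


def unused_preprocess_vars(xml_text):
    """Variables set with <X-PRE-PROCESS cmd="set"> that no $${name} references."""
    root = ET.fromstring(xml_text)
    defined = {el.get("data").split("=", 1)[0]
               for el in root.iter("X-PRE-PROCESS") if el.get("cmd") == "set"}
    referenced = set(re.findall(r"\$\$\{(\w+)\}", xml_text))
    return sorted(defined - referenced)


def harden_config(xml_text):
    """Apply the two fixes from the reply: default="deny" on lists that admit
    everything, and codec prefs set on each sofia profile from the globals."""
    root = ET.fromstring(xml_text)
    open_lists = set(lists_that_admit_everything(parse_acl_lists(xml_text)))
    for lst in root.iter("list"):
        if lst.get("name") in open_lists:
            lst.set("default", "deny")
    for profile in root.iter("profile"):
        settings = profile.find("settings")
        if settings is None:
            continue
        for pname, var in CODEC_PARAMS:
            if settings.find(f"param[@name='{pname}']") is None:
                ET.SubElement(settings, "param", name=pname, value="$${%s}" % var)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    posted = parse_acl_lists(POSTED_CONFIG)
    for ip in ("198.51.100.7", "203.0.113.9"):
        print("posted strict", ip, "->", acl_permits(posted["strict"], ip))
    print("lists admitting everything:", lists_that_admit_everything(posted))
    print("unused variables:", unused_preprocess_vars(POSTED_CONFIG))
    fixed = harden_config(POSTED_CONFIG)
    for ip in ("198.51.100.7", "203.0.113.9"):
        print("fixed strict", ip, "->", acl_permits(parse_acl_lists(fixed)["strict"], ip))
```

Run as a script it shows the posted "strict" list admitting an address that is not on it, and the hardened configuration rejecting it while still admitting the listed /32; the unused-variable report is empty once the profile actually references the codec globals.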


On 8 June 2011 01:16, Cyril Zlachevsky <cyril.zlachevsky at gmail.com> wrote:

> Hi,
> Can't understand what I should do to get ACL working.
>
> I'm forwarding a call from a particular static IP to number at voipprovider.
> I decided against using the FS default configs because they are complicated and
> redundant for me.
>
> This is my configuration:
> <?xml version="1.0"?>
> <document type="freeswitch/xml">
>
> <X-PRE-PROCESS cmd="set" data="local_address=$${local_ip_v4}"/>
>
> <X-PRE-PROCESS cmd="set" data="sipnet_proxy=voiprovider.com"/>
> <X-PRE-PROCESS cmd="set" data="sipnet_login=echo"/>
> <X-PRE-PROCESS cmd="set" data="sipnet_password=echo"/>
>
> <X-PRE-PROCESS cmd="set" data="sound_prefix=$${sounds_dir}/en/us/callie"/>
>
> <section name="configuration">
>
> <configuration name="switch.conf">
>   <settings>
>     <param name="colorize-console" value="true"/>
>     <param name="max-sessions" value="1000"/>
>     <param name="sessions-per-second" value="30"/>
>     <param name="loglevel" value="debug"/>
>   </settings>
> </configuration>
>
> <configuration name="modules.conf">
>   <modules>
>     <load module="mod_console"/>
>     <load module="mod_logfile"/>
>     <load module="mod_sofia"/>
>     <load module="mod_dialplan_xml"/>
>     <load module="mod_dptools"/>
>     <load module="mod_commands"/>
>     <load module="mod_expr"/>
>     <load module="mod_sndfile"/>
>   </modules>
> </configuration>
>
> <X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/>
> <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/>
>
> <configuration name="console.conf">
>   <mappings>
>     <map name="all" value="console,debug,info,notice,warning,err,crit,alert"/>
>   </mappings>
>   <settings>
>     <param name="colorize" value="true"/>
>     <param name="loglevel" value="info"/>
>   </settings>
> </configuration>
>
> <configuration name="logfile.conf">
>   <settings>
>     <param name="rotate-on-hup" value="true"/>
>   </settings>
>   <profiles>
>     <profile name="default">
>       <settings>
>         <param name="logfile" value="/var/log/freeswitch/freeswitch.log"/>
>         <param name="rollover" value="10485760"/>
>       </settings>
>       <mappings>
>         <map name="all" value="debug,info,notice,warning,err,crit,alert"/>
>       </mappings>
>     </profile>
>   </profiles>
> </configuration>
>
> <configuration name="acl.conf" description="Network Lists">
>   <network-lists>
>     <list name="strict" default="allow">
>       <node type="allow" cidr="195.225.XXX.XXX/32"/>
>     </list>
>     <list name="domains" default="deny">
>       <node type="allow" domain="$${domain}"/>
>     </list>
>   </network-lists>
> </configuration>
>
> <configuration name="sofia.conf">
>   <global_settings>
>     <param name="log-level" value="0"/>
>     <param name="debug-presence" value="0"/>
>   </global_settings>
>   <profiles>
>     <profile name="local">
>       <domains>
>         <domain name="all" alias="true" parse="false"/>
>       </domains>
>       <settings>
>         <param name="context" value="local"/>
>         <param name="sip-port" value="5060"/>
>         <param name="dialplan" value="XML"/>
>         <param name="rtp-ip" value="$${local_address}"/>
>         <param name="sip-ip" value="$${local_address}"/>
>       </settings>
>     </profile>
>     <profile name="sipnet">
>       <domains>
>         <domain name="all" alias="false" parse="false"/>
>       </domains>
>       <settings>
>         <param name="context" value="sipnet"/>
>         <param name="sip-port" value="5080"/>
>         <param name="dialplan" value="XML"/>
>         <param name="rtp-ip" value="$${local_address}"/>
>         <param name="sip-ip" value="$${local_address}"/>
>         <!--param name="auth-calls" value="false"/-->
>         <param name="auth-calls" value="true"/>
>         <param name="apply-inbound-acl" value="strict"/>
>       </settings>
>       <gateways>
>         <gateway name="sipnet">
>           <param name="proxy" value="$${sipnet_proxy}"/>
>           <param name="realm" value="asterisk"/>
>           <param name="username" value="$${sipnet_login}"/>
>           <param name="password" value="$${sipnet_password}"/>
>           <param name="local-network-acl" value="strict"/>
>         </gateway>
>       </gateways>
>     </profile>
>   </profiles>
> </configuration>
> </section>
>
> <section name="dialplan">
>   <context name="local">
>     <extension name="local-accounts">
>       <condition field="destination_number" expression="^(10[1-3])$">
>         <action application="bridge" data="user/$1@$${local_address}"/>
>       </condition>
>     </extension>
>     <extension name="sipnet">
>       <condition field="destination_number" expression="^(\d+)$">
>         <action application="set" data="effective_caller_id_number=$${sipnet_login}"/>
>         <action application="bridge" data="{sip_invite_domain=$${sipnet_proxy}}sofia/sipnet/$1@$${sipnet_proxy}"/>
>       </condition>
>     </extension>
>   </context>
> </section>
>
> <section name="directory">
>   <domain name="$${local_address}">
>     <params>
>       <param name="dial-string" value="{presence_id=${dialed_user}@${dialed_domain}}${sofia_contact(${dialed_user}@${dialed_domain})}"/>
>     </params>
>     <groups>
>       <group name="local">
>         <users>
>           <!-- the params belong inside the user element, not beside it -->
>           <user id="inboundtest">
>             <params>
>               <param name="debug" value="yes"/>
>               <param name="register" value="true"/>
>               <param name="apply-inbound-acl" value="strict"/>
>               <param name="apply-register-acl" value="strict"/>
>             </params>
>           </user>
>         </users>
>       </group>
>     </groups>
>   </domain>
> </section>
> </document>
>
> When I start FS, I can't see my IP 195.225.XXX.XXX in freeswitch.log - only
> this:
> [NOTICE] switch_core.c:1088 Created ip list rfc1918.auto default (deny)
> [NOTICE] switch_utils.c:248 Adding 10.0.0.0/8 (allow) [] to list rfc1918.auto
> [NOTICE] switch_utils.c:248 Adding 172.16.0.0/12 (allow) [] to list rfc1918.auto
> [NOTICE] switch_utils.c:248 Adding 192.168.0.0/16 (allow) [] to list rfc1918.auto
> [NOTICE] switch_core.c:1096 Created ip list wan.auto default (allow)
> [NOTICE] switch_utils.c:248 Adding 10.0.0.0/8 (deny) [] to list wan.auto
> [NOTICE] switch_utils.c:248 Adding 172.16.0.0/12 (deny) [] to list wan.auto
> [NOTICE] switch_utils.c:248 Adding 192.168.0.0/16 (deny) [] to list wan.auto
> [NOTICE] switch_core.c:1104 Created ip list nat.auto default (deny)
> [NOTICE] switch_core.c:1106 Adding 88.198.XXX.XXX/255.255.255.255 (deny) to list nat.auto
> [NOTICE] switch_utils.c:248 Adding 10.0.0.0/8 (allow) [] to list nat.auto
> [NOTICE] switch_utils.c:248 Adding 172.16.0.0/12 (allow) [] to list nat.auto
> [NOTICE] switch_utils.c:248 Adding 192.168.0.0/16 (allow) [] to list nat.auto
> [NOTICE] switch_core.c:1115 Created ip list loopback.auto default (deny)
> [NOTICE] switch_utils.c:248 Adding 127.0.0.0/8 (allow) [] to list loopback.auto
> [NOTICE] switch_core.c:1121 Created ip list localnet.auto default (deny)
> [NOTICE] switch_core.c:1124 Adding 88.198.XXX.XXX/255.255.255.255 (allow) to list localnet.auto
>
> With my current configuration FS allows registration from any IP.
> Where is my error?
>
>