[Freeswitch-users] ACL

Sidharth Kshatriya sid.kshatriya at gmail.com
Wed Jun 15 09:43:37 MSD 2011


Have you tried typing

reloadacl reloadxml

from the freeswitch command line?


On Wed, Jun 15, 2011 at 3:43 AM, Cyril Zlachevsky <cyril.zlachevsky at gmail.com> wrote:

> Yes, you are right - I prefer a flat file because customizing the default
> config is a nightmare for me.
> I changed "allow" to "deny" in my freeswitch.xml with absolutely no effect
> - anyone can still register on my FS from any IP!
> I read http://wiki.freeswitch.org/wiki/Acl but can't understand how to enable ACL
> for my SIP UAs.
>
>
> 08.06.2011 10:51, Steven Ayre wrote:
> > <list name="strict" *default="allow"*>
> > <node type="allow" cidr="195.225.XXX.XXX/32"/>
> > </list>
> >
> > You want a default of 'deny'. The default is what to do with any IP not on the list, what you've set allows every IP.
> >
> > I would suggest you build your config off the default config by the way, customising them to suit you and removing what you don't need. The directory structure is there to help you manage things (what you've posted makes it look like you might be using a flat file?). There's a lot of parameters you've missed out setting.
> >
> > For example:
> > <X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/>
> > <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/>
> >
> > These will have absolutely no effect. They set a global variable that you can use elsewhere in your configuration, but you're not actually using them. You should be setting the inbound & outbound codec preferences on the sofia profile in a param, either using the global variable e.g. $${outbound_codec_prefs} or by setting them explicitly there.
> >
> > -Steve
> >
> >
> > On 8 June 2011 01:16, Cyril Zlachevsky <cyril.zlachevsky at gmail.com> wrote:
> >
> >     Hi,
> >     Can't understand what I should do to get ACL working.
> >
> >     I'm forwarding a call from a particular static IP to number@voipprovider.
> >     I refused to use the FS default configs because they are complicated and redundant for me.
> >
> >     This is my configuration:
> >     <?xml version="1.0"?>
> >     <document type="freeswitch/xml">
> >
> >     <X-PRE-PROCESS cmd="set" data="local_address=$${local_ip_v4}"/>
> >
> >     <X-PRE-PROCESS cmd="set" data="sipnet_proxy=voiprovider.com"/>
> >     <X-PRE-PROCESS cmd="set" data="sipnet_login=echo"/>
> >     <X-PRE-PROCESS cmd="set" data="sipnet_password=echo"/>
> >
> >     <X-PRE-PROCESS cmd="set" data="sound_prefix=$${sounds_dir}/en/us/callie"/>
> >
> >     <section name="configuration">
> >
> >     <configuration name="switch.conf">
> >     <settings>
> >     <param name="colorize-console" value="true"/>
> >     <param name="max-sessions" value="1000"/>
> >     <param name="sessions-per-second" value="30"/>
> >     <param name="loglevel" value="debug"/>
> >     </settings>
> >     </configuration>
> >
> >     <configuration name="modules.conf">
> >     <modules>
> >     <load module="mod_console"/>
> >     <load module="mod_logfile"/>
> >     <load module="mod_sofia"/>
> >     <load module="mod_dialplan_xml"/>
> >     <load module="mod_dptools"/>
> >     <load module="mod_commands"/>
> >     <load module="mod_expr"/>
> >     <load module="mod_sndfile"/>
> >     </modules>
> >     </configuration>
> >
> >     <X-PRE-PROCESS cmd="set" data="global_codec_prefs=G7221@32000h,G7221@16000h,G722,PCMU,PCMA,GSM"/>
> >     <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=PCMU,PCMA,GSM"/>
> >
> >     <configuration name="console.conf">
> >     <mappings>
> >     <map name="all" value="console,debug,info,notice,warning,err,crit,alert"/>
> >     </mappings>
> >     <settings>
> >     <param name="colorize" value="true"/>
> >     <param name="loglevel" value="info"/>
> >     </settings>
> >     </configuration>
> >
> >     <configuration name="logfile.conf">
> >     <settings>
> >     <param name="rotate-on-hup" value="true"/>
> >     </settings>
> >     <profiles>
> >     <profile name="default">
> >     <settings>
> >     <param name="logfile" value="/var/log/freeswitch/freeswitch.log"/>
> >     <param name="rollover" value="10485760"/>
> >     </settings>
> >     <mappings>
> >     <map name="all" value="debug,info,notice,warning,err,crit,alert"/>
> >     </mappings>
> >     </profile>
> >     </profiles>
> >     </configuration>
> >
> >     <configuration name="acl.conf" description="Network Lists">
> >     <network-lists>
> >     <list name="strict" default="allow">
> >     <node type="allow" cidr="195.225.XXX.XXX/32"/>
> >     </list>
> >     <list name="domains" default="deny">
> >     <node type="allow" domain="$${domain}"/>
> >     </list>
> >     </network-lists>
> >     </configuration>
> >
> >     <configuration name="sofia.conf">
> >     <global_settings>
> >     <param name="log-level" value="0"/>
> >     <param name="debug-presence" value="0"/>
> >     </global_settings>
> >     <profiles>
> >     <profile name="local">
> >     <domains>
> >     <domain name="all" alias="true" parse="false"/>
> >     </domains>
> >     <settings>
> >     <param name="context" value="local"/>
> >     <param name="sip-port" value="5060"/>
> >     <param name="dialplan" value="XML"/>
> >     <param name="rtp-ip" value="$${local_address}"/>
> >     <param name="sip-ip" value="$${local_address}"/>
> >     </settings>
> >     </profile>
> >     <profile name="sipnet">
> >     <domains>
> >     <domain name="all" alias="false" parse="false"/>
> >     </domains>
> >     <settings>
> >     <param name="context" value="sipnet"/>
> >     <param name="sip-port" value="5080"/>
> >     <param name="dialplan" value="XML"/>
> >     <param name="rtp-ip" value="$${local_address}"/>
> >     <param name="sip-ip" value="$${local_address}"/>
> >     <!--param name="auth-calls" value="false"/-->
> >     <param name="auth-calls" value="true"/>
> >     <param name="apply-inbound-acl" value="strict"/>
> >     </settings>
> >     <gateways>
> >     <gateway name="sipnet">
> >     <param name="proxy" value="$${sipnet_proxy}"/>
> >     <param name="realm" value="asterisk"/>
> >     <param name="username" value="$${sipnet_login}"/>
> >     <param name="password" value="$${sipnet_password}"/>
> >     <param name="local-network-acl" value="strict"/>
> >     </gateway>
> >     </gateways>
> >     </profile>
> >     </profiles>
> >     </configuration>
> >     </section>
> >
> >     <section name="dialplan">
> >     <context name="local">
> >     <extension name="local-accounts">
> >     <condition field="destination_number" expression="^(10[1-3])$">
> >     <action application="bridge" data="user/$1@$${local_address}"/>
> >     </condition>
> >     </extension>
> >     <extension name="sipnet">
> >     <condition field="destination_number" expression="^(\d+)$">
> >     <action application="set" data="effective_caller_id_number=$${sipnet_login}"/>
> >     <action application="bridge" data="{sip_invite_domain=$${sipnet_proxy}}sofia/sipnet/$1@$${sipnet_proxy}"/>
> >     </condition>
> >     </extension>
> >     </context>
> >     </section>
> >
> >     <section name="directory">
> >     <domain name="$${local_address}">
> >     <params>
> >     <param name="dial-string" value="{presence_id=${dialed_user}@${dialed_domain}}${sofia_contact(${dialed_user}@${dialed_domain})}"/>
> >     </params>
> >     <groups>
> >     <group name="local">
> >     <users>
> >     <user id="inboundtest"></user>
> >     <params>
> >     <param name="debug" value="yes"/>
> >     <param name="register" value="true"/>
> >     <param name="apply-inbound-acl" value="strict"/>
> >     <param name="apply-register-acl" value="strict"/>
> >     </params>
> >     </users>
> >     </group>
> >     </groups>
> >     </domain>
> >     </section>
> >     </document>
> >
> >     When I start FS, I can't see my IP 195.225.XXX.XXX in freeswitch.log - only this:
> >     [NOTICE] switch_core.c:1088 Created ip list rfc1918.auto default (deny)
> >     [NOTICE] switch_utils.c:248 Adding 10.0.0.0/8 (allow) [] to list rfc1918.auto
> >     [NOTICE] switch_utils.c:248 Adding 172.16.0.0/12 (allow) [] to list rfc1918.auto
> >     [NOTICE] switch_utils.c:248 Adding 192.168.0.0/16 (allow) [] to list rfc1918.auto
> >     [NOTICE] switch_core.c:1096 Created ip list wan.auto default (allow)
> >     [NOTICE] switch_utils.c:248 Adding 10.0.0.0/8 (deny) [] to list wan.auto
> >     [NOTICE] switch_utils.c:248 Adding 172.16.0.0/12 (deny) [] to list wan.auto
> >     [NOTICE] switch_utils.c:248 Adding 192.168.0.0/16 (deny) [] to list wan.auto
> >     [NOTICE] switch_core.c:1104 Created ip list nat.auto default (deny)
> >     [NOTICE] switch_core.c:1106 Adding 88.198.XXX.XXX/255.255.255.255 (deny) to list nat.auto
> >     [NOTICE] switch_utils.c:248 Adding 10.0.0.0/8 (allow) [] to list nat.auto
> >     [NOTICE] switch_utils.c:248 Adding 172.16.0.0/12 (allow) [] to list nat.auto
> >     [NOTICE] switch_utils.c:248 Adding 192.168.0.0/16 (allow) [] to list nat.auto
> >     [NOTICE] switch_core.c:1115 Created ip list loopback.auto default (deny)
> >     [NOTICE] switch_utils.c:248 Adding 127.0.0.0/8 (allow) [] to list loopback.auto
> >     [NOTICE] switch_core.c:1121 Created ip list localnet.auto default (deny)
> >     [NOTICE] switch_core.c:1124 Adding 88.198.XXX.XXX/255.255.255.255 (allow) to list localnet.auto
> >
> >     With my current configuration FS allows registration from any IP.
> >     Where is my error?
> >
> >     _______________________________________________
> >     FreeSWITCH-users mailing list
> >     FreeSWITCH-users at lists.freeswitch.org
> >     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >     UNSUBSCRIBE: http://lists.freeswitch.org/mailman/options/freeswitch-users
> >     http://www.freeswitch.org
> >
> >
> >
> >
>
>
>



-- 
Sidharth Kshatriya
www.sidk.info
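The thread turns on one line of acl.conf: a list with default="allow" whose only node is also type="allow" never denies anything, so every registration source is accepted. The following Python script is an added example (not part of this thread and not FreeSWITCH's own code) that parses an acl.conf fragment modelled on the one posted, evaluates addresses against it with FreeSWITCH's first-match-then-default rule, and lints for lists whose nodes only repeat the default verdict. The CIDR 198.51.100.10/32 and the probe address 203.0.113.7 are constructed placeholders standing in for the masked 195.225.XXX.XXX; nodes with domain= instead of cidr= are skipped because resolving them needs the directory, which this offline helper does not model.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the acl.conf posted in the thread. The CIDR
# is a placeholder from a documentation range, not the poster's real host.
ACL_AS_POSTED = """
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="strict" default="allow">
      <node type="allow" cidr="198.51.100.10/32"/>
    </list>
  </network-lists>
</configuration>
"""

# The one-word fix suggested in the thread: make the list default to deny.
ACL_FIXED = ACL_AS_POSTED.replace('default="allow"', 'default="deny"')


def parse_network_lists(xml_text):
    """Return {list_name: (default, [(type, network), ...])} from an acl.conf body.

    Nodes that use domain= instead of cidr= are skipped: resolving them needs
    the directory, which this offline helper does not model.
    """
    root = ET.fromstring(xml_text)
    lists = {}
    for lst in root.iter("list"):
        nodes = []
        for node in lst.findall("node"):
            cidr = node.get("cidr")
            if cidr is None:
                continue
            nodes.append((node.get("type"), ipaddress.ip_network(cidr, strict=False)))
        lists[lst.get("name")] = (lst.get("default", "deny"), nodes)
    return lists


def acl_check(lists, list_name, address):
    """First node whose network contains the address decides; otherwise the
    list default applies. Returns True when the address is allowed."""
    default, nodes = lists[list_name]
    addr = ipaddress.ip_address(address)
    for node_type, network in nodes:
        if addr in network:
            return node_type == "allow"
    return default == "allow"


def lint_lists(lists):
    """Flag lists whose nodes all repeat the default verdict: such a list
    yields the same answer for every address, which is the bug in the thread."""
    findings = []
    for name, (default, nodes) in lists.items():
        if nodes and all(node_type == default for node_type, _ in nodes):
            findings.append(
                f'list "{name}": default="{default}" and every node is '
                f'type="{default}", so every address gets "{default}"'
            )
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        lists = parse_network_lists(text)
        print(label,
              "listed host allowed:", acl_check(lists, "strict", "198.51.100.10"),
              "other host allowed:", acl_check(lists, "strict", "203.0.113.7"))
        for finding in lint_lists(lists):
            print("  lint:", finding)
```

Run it as is and the "as posted" list allows both the listed host and the unrelated probe address, with the lint naming the redundant list; the "fixed" list allows only the listed host. After editing the real acl.conf, the reloadacl step Sidharth mentions is still needed for the running switch to pick the change up.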