[Freeswitch-users] ACL not working

Charles Bujold cjbujold at accra.ca
Tue Oct 6 16:54:36 MSD 2015


We are trying to have FreeSWITCH work for 2 LAN segments (192.168.20.0/24
and 192.168.25.0/24). We have created an ACL for FreeSWITCH as follows.
However, the LAN segment 192.168.25.0/24 cannot make calls; their calls are
routed via the WAN and not internally (the FreeSWITCH server is on the
192.168.20.0/24 segment). What are we missing? We are not certain when to use
Deny and Allow settings in the ACL. Any help would be appreciated. What is the
proper configuration for the ACL XML? The Internal Profile is listed below; if
it needs to be changed, please let us know.

Thanks


<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <!--
      These ACLs are automatically created on startup.

      rfc1918.auto  - RFC1918 Space
      nat.auto      - RFC1918 Excluding your local lan.
      localnet.auto - ACL for your local lan.
      loopback.auto - ACL for your local lan.
    -->

    <list name="lan" default="deny">
      <node type="deny" cidr="192.168.20.0/24"/>
      <node type="allow" cidr="192.168.25.0/24"/>
    </list>

    <list name="localnet.auto" default="allow">
      <node type="allow" cidr="192.168.20.0/24"/>
      <node type="allow" cidr="192.168.25.0/24"/>
    </list>

    <!--
      This will traverse the directory adding all users
      with the cidr= tag to this ACL, when this ACL matches
      the users variables and params apply as if they
      digest authenticated.
    -->
    <list name="domains" default="deny">
      <!-- domain= is special it scans the domain from the directory to build the ACL -->
      <node type="allow" domain="$${domain}"/>

      <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
      <node type="allow" cidr="192.168.20.0/24"/>
      <node type="allow" cidr="192.168.25.0/24"/>
    </list>
  </network-lists>
</configuration>

Our Internal SIP Profile is configured as follows:

<profile name="internal">
  <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
  <!-- aliases are other names that will work as a valid profile name for this profile -->
  <aliases>
    <!--
    <alias name="default"/>
    -->
  </aliases>

  <!-- Outbound Registrations -->
  <gateways>
    <X-PRE-PROCESS cmd="include" data="internal/*.xml"/>
  </gateways>

  <domains>
    <!-- indicator to parse the directory for domains with parse="true" to get gateways -->
    <!--<domain name="$${domain}" parse="true"/>-->
    <!-- indicator to parse the directory for domains with parse="true" to get gateways and alias every domain to this profile -->
    <!--<domain name="all" alias="true" parse="true"/>-->
    <domain name="all" alias="true" parse="false"/>
  </domains>

  <settings>
    <param name="debug" value="0"/>
    <param name="sip-trace" value="no"/>
    <param name="sip-capture" value="no"/>
    <param name="watchdog-enabled" value="no"/>
    <param name="watchdog-step-timeout" value="30000"/>
    <param name="watchdog-event-timeout" value="30000"/>
    <param name="log-auth-failures" value="true"/>
    <param name="forward-unsolicited-mwi-notify" value="false"/>
    <param name="context" value="public"/>
    <param name="rfc2833-pt" value="101"/>
    <param name="sip-port" value="$${internal_sip_port}"/>
    <param name="dialplan" value="XML"/>
    <param name="dtmf-duration" value="2000"/>
    <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
    <param name="outbound-codec-prefs" value="$${global_codec_prefs}"/>
    <param name="rtp-timer-name" value="soft"/>
    <param name="rtp-ip" value="$${local_ip_v4}"/>
    <param name="sip-ip" value="$${local_ip_v4}"/>
    <param name="hold-music" value="$${hold_music}"/>
    <param name="apply-nat-acl" value="nat.auto"/>
    <param name="apply-inbound-acl" value="domains"/>
    <param name="local-network-acl" value="localnet.auto"/>
    <param name="record-path" value="$${recordings_dir}"/>
    <param name="record-template" value="${caller_id_number}.${target_domain}.${strftime(%Y-%m-%d-%H-%M-%S)}.wav"/>
    <param name="manage-presence" value="true"/>
    <param name="presence-hosts" value="$${domain},$${local_ip_v4}"/>
    <param name="presence-privacy" value="$${presence_privacy}"/>
    <param name="inbound-codec-negotiation" value="generous"/>
    <param name="tls" value="$${internal_ssl_enable}"/>
    <param name="tls-only" value="false"/>
    <param name="tls-bind-params" value="transport=tls"/>
    <param name="tls-sip-port" value="$${internal_tls_port}"/>
    <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
    <param name="tls-passphrase" value=""/>
    <param name="tls-verify-date" value="true"/>
    <param name="tls-verify-policy" value="none"/>
    <param name="tls-verify-depth" value="2"/>
    <param name="tls-verify-in-subjects" value=""/>
    <param name="tls-version" value="$${sip_tls_version}"/>
    <param name="nonce-ttl" value="60"/>
    <param name="auth-calls" value="$${internal_auth_calls}"/>
    <param name="inbound-reg-force-matching-username" value="true"/>
    <param name="auth-all-packets" value="false"/>
    <param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
    <param name="ext-sip-ip" value="$${external_sip_ip}"/>
    <param name="rtp-timeout-sec" value="300"/>
    <param name="rtp-hold-timeout-sec" value="1800"/>
    <param name="force-register-domain" value="$${domain}"/>
    <param name="force-subscription-domain" value="$${domain}"/>
    <param name="force-register-db-domain" value="$${domain}"/>
    <param name="challenge-realm" value="auto_from"/>
    <param name="aggressive-nat-detection" value="true"/>
  </settings>
</profile>
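
As an added illustration (not code from this post or from FreeSWITCH), the Python below models how a FreeSWITCH network-list ACL decides whether a source address matches, and runs that decision over the "lan" and "domains" lists from the post. The evaluation rule is assumed here from FreeSWITCH's switch_network_list_validate_ip: start from the list's default=, let every node whose CIDR contains the address override it, with a longer prefix beating a shorter one and the later node winning a tie. The domain= node is skipped because it needs the user directory, and the sample addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the two lists from the post (localnet.auto omitted).
ACL_XML = """<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="lan" default="deny">
      <node type="deny" cidr="192.168.20.0/24"/>
      <node type="allow" cidr="192.168.25.0/24"/>
    </list>
    <list name="domains" default="deny">
      <node type="allow" domain="$${domain}"/>
      <node type="allow" cidr="192.168.20.0/24"/>
      <node type="allow" cidr="192.168.25.0/24"/>
    </list>
  </network-lists>
</configuration>"""


def load_lists(xml_text):
    """Return {name: (default_is_allow, [(network, node_is_allow), ...])}.

    domain= nodes are skipped: FreeSWITCH expands them from the user
    directory, which this offline model does not have.
    """
    lists = {}
    for lst in ET.fromstring(xml_text).iter("list"):
        default_allow = lst.get("default", "deny") == "allow"
        nodes = []
        for node in lst.findall("node"):
            cidr = node.get("cidr")
            if cidr:
                net = ipaddress.ip_network(cidr, strict=False)
                nodes.append((net, node.get("type") == "allow"))
        lists[lst.get("name")] = (default_allow, nodes)
    return lists


def acl_allows(lists, list_name, ip):
    """Assumed FreeSWITCH rule: default, overridden by the most specific
    matching node; among equal prefix lengths the later node wins."""
    default_allow, nodes = lists[list_name]
    addr = ipaddress.ip_address(ip)
    verdict, best_bits = default_allow, 0
    for net, allow in nodes:
        if addr in net and net.prefixlen >= best_bits:
            verdict, best_bits = allow, net.prefixlen
    return verdict


def unchallenged_sources(lists, inbound_acl, ips):
    """Sources the profile's apply-inbound-acl accepts without a digest challenge."""
    return [ip for ip in ips if acl_allows(lists, inbound_acl, ip)]
```

With apply-inbound-acl set to domains, every host on both /24s matches and is treated as if it had digest authenticated, so unchallenged_sources shows exactly which addresses never see a challenge; the lan list is defined but not referenced anywhere in the profile.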

 
