[Freeswitch-users] ACL not working
Brian West
brian at freeswitch.org
Tue Oct 6 19:17:46 MSD 2015
Your local network acl should be default deny, then allow the local network
cidr ranges that you consider local.
On Tuesday, October 6, 2015, Charles Bujold <cjbujold at accra.ca> wrote:
> We are trying to have Freeswitch work for 2 LAN segments (192.168.20.0/24
> and 192.168.25.0/24). We have created an ACL for Freeswitch as follows.
> However, the lan segment 192.168.25.0/24 cannot make calls, their calls
> are routed via the WAN and not internally (the Freeswitch server is on the
> 192.168.20.0/24 segment). What are we missing? Not certain when to use
> Deny and Allow settings in ACL? Any help would be appreciated. What is the
> proper configuration for the ACL xml? Internal Profile is listed below; if
> it needs to be changed please let us know.
>
> Thanks
>
> <configuration name="acl.conf" description="Network Lists">
>   <network-lists>
>     <!--
>       These ACL's are automatically created on startup.
>
>       rfc1918.auto  - RFC1918 Space
>       nat.auto      - RFC1918 Excluding your local lan.
>       localnet.auto - ACL for your local lan.
>       loopback.auto - ACL for your local lan.
>     -->
>
>     <list name="lan" default="deny">
>       <node type="deny" cidr="192.168.20.0/24"/>
>       <node type="allow" cidr="192.168.25.0/24"/>
>     </list>
>
>     <list name="localnet.auto" default="allow">
>       <node type="allow" cidr="192.168.20.0/24"/>
>       <node type="allow" cidr="192.168.25.0/24"/>
>     </list>
>
>     <!--
>       This will traverse the directory adding all users
>       with the cidr= tag to this ACL, when this ACL matches
>       the users variables and params apply as if they
>       digest authenticated.
>     -->
>     <list name="domains" default="deny">
>       <!-- domain= is special it scans the domain from the directory to build the ACL -->
>       <node type="allow" domain="$${domain}"/>
>
>       <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
>       <node type="allow" cidr="192.168.20.0/24"/>
>       <node type="allow" cidr="192.168.25.0/24"/>
>     </list>
>
>   </network-lists>
> </configuration>
>
> Our Internal SIP Profile is configured as follows:
>
> <profile name="internal">
>   <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
>   <!--aliases are other names that will work as a valid profile name for this profile-->
>   <aliases>
>     <!--
>     <alias name="default"/>
>     -->
>   </aliases>
>
>   <!-- Outbound Registrations -->
>   <gateways>
>     <X-PRE-PROCESS cmd="include" data="internal/*.xml"/>
>   </gateways>
>
>   <domains>
>     <!-- indicator to parse the directory for domains with parse="true" to get gateways-->
>     <!--<domain name="$${domain}" parse="true"/>-->
>     <!-- indicator to parse the directory for domains with parse="true" to get gateways and alias every domain to this profile -->
>     <!--<domain name="all" alias="true" parse="true"/>-->
>     <domain name="all" alias="true" parse="false"/>
>   </domains>
>
>   <settings>
>     <param name="debug" value="0"/>
>     <param name="sip-trace" value="no"/>
>     <param name="sip-capture" value="no"/>
>     <param name="watchdog-enabled" value="no"/>
>     <param name="watchdog-step-timeout" value="30000"/>
>     <param name="watchdog-event-timeout" value="30000"/>
>     <param name="log-auth-failures" value="true"/>
>     <param name="forward-unsolicited-mwi-notify" value="false"/>
>     <param name="context" value="public"/>
>     <param name="rfc2833-pt" value="101"/>
>     <param name="sip-port" value="$${internal_sip_port}"/>
>     <param name="dialplan" value="XML"/>
>     <param name="dtmf-duration" value="2000"/>
>     <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
>     <param name="outbound-codec-prefs" value="$${global_codec_prefs}"/>
>     <param name="rtp-timer-name" value="soft"/>
>     <param name="rtp-ip" value="$${local_ip_v4}"/>
>     <param name="sip-ip" value="$${local_ip_v4}"/>
>     <param name="hold-music" value="$${hold_music}"/>
>     <param name="apply-nat-acl" value="nat.auto"/>
>     <param name="apply-inbound-acl" value="domains"/>
>     <param name="local-network-acl" value="localnet.auto"/>
>     <param name="record-path" value="$${recordings_dir}"/>
>     <param name="record-template" value="${caller_id_number}.${target_domain}.${strftime(%Y-%m-%d-%H-%M-%S)}.wav"/>
>     <param name="manage-presence" value="true"/>
>     <param name="presence-hosts" value="$${domain},$${local_ip_v4}"/>
>     <param name="presence-privacy" value="$${presence_privacy}"/>
>     <param name="inbound-codec-negotiation" value="generous"/>
>     <param name="tls" value="$${internal_ssl_enable}"/>
>     <param name="tls-only" value="false"/>
>     <param name="tls-bind-params" value="transport=tls"/>
>     <param name="tls-sip-port" value="$${internal_tls_port}"/>
>     <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
>     <param name="tls-passphrase" value=""/>
>     <param name="tls-verify-date" value="true"/>
>     <param name="tls-verify-policy" value="none"/>
>     <param name="tls-verify-depth" value="2"/>
>     <param name="tls-verify-in-subjects" value=""/>
>     <param name="tls-version" value="$${sip_tls_version}"/>
>     <param name="nonce-ttl" value="60"/>
>     <param name="auth-calls" value="$${internal_auth_calls}"/>
>     <param name="inbound-reg-force-matching-username" value="true"/>
>     <param name="auth-all-packets" value="false"/>
>     <param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
>     <param name="ext-sip-ip" value="$${external_sip_ip}"/>
>     <param name="rtp-timeout-sec" value="300"/>
>     <param name="rtp-hold-timeout-sec" value="1800"/>
>     <param name="force-register-domain" value="$${domain}"/>
>     <param name="force-subscription-domain" value="$${domain}"/>
>     <param name="force-register-db-domain" value="$${domain}"/>
>     <param name="challenge-realm" value="auto_from"/>
>     <param name="aggressive-nat-detection" value="true"/>
>   </settings>
> </profile>
>
--
*Brian West*
brian at freeswitch.org
*Twitter: @FreeSWITCH , @briankwest*
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com
Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
/r/freeswitch <https://www.reddit.com/r/freeswitch>
*T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
*iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
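As an added example, not part of this thread, the following Python model evaluates the two lists posted above together with a third list, "localnet.fixed" (an assumed name), written in the "default deny, then allow the local ranges" shape Brian describes. It assumes the FreeSWITCH evaluation rule of starting from the list default and letting the most specific matching cidr node decide; domain= nodes are skipped because they need the directory.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ACL file: the "lan" and "localnet.auto" lists as posted in the
# thread, plus "localnet.fixed" (assumed name) in the recommended shape.
ACL_XML = """
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="lan" default="deny">
      <node type="deny" cidr="192.168.20.0/24"/>
      <node type="allow" cidr="192.168.25.0/24"/>
    </list>
    <list name="localnet.auto" default="allow">
      <node type="allow" cidr="192.168.20.0/24"/>
      <node type="allow" cidr="192.168.25.0/24"/>
    </list>
    <list name="localnet.fixed" default="deny">
      <node type="allow" cidr="192.168.20.0/24"/>
      <node type="allow" cidr="192.168.25.0/24"/>
    </list>
  </network-lists>
</configuration>
"""

def load_lists(xml_text):
    """Parse <list> elements into {name: (default_allow, [(network, allow), ...])}."""
    lists = {}
    for lst in ET.fromstring(xml_text).iter("list"):
        nodes = []
        for node in lst.findall("node"):
            if "cidr" not in node.attrib:   # domain= nodes need the directory; skipped
                continue
            net = ipaddress.ip_network(node.attrib["cidr"], strict=False)
            nodes.append((net, node.attrib["type"] == "allow"))
        lists[lst.attrib["name"]] = (lst.attrib["default"] == "allow", nodes)
    return lists

def acl_check(lists, name, ip):
    """True if ip passes the named list.
    Assumed semantics: start from the list default, then the most specific
    matching cidr node decides (modelled on FreeSWITCH's network-list check).
    """
    default_allow, nodes = lists[name]
    addr = ipaddress.ip_address(ip)
    verdict, best_bits = default_allow, -1
    for net, allow in nodes:
        if addr.version == net.version and addr in net and net.prefixlen >= best_bits:
            verdict, best_bits = allow, net.prefixlen
    return verdict
```

Run against a public address such as 203.0.113.9, "localnet.auto" with default="allow" passes it as local, while "localnet.fixed" passes only the two LAN ranges.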