[Freeswitch-users] ACL not working
Guillermo Ruiz Camauer
grcamauer at gmail.com
Tue Oct 6 21:29:50 MSD 2015
Could it be this:
<list name="lan" default="deny">
<node type="deny" cidr="192.168.20.0/24"/>
<node type="allow" cidr="192.168.25.0/24"/>
</list>
You are denying the 192.168.20.0/24 network.
Guillermo
On Tue, Oct 6, 2015 at 12:17 PM, Brian West <brian at freeswitch.org> wrote:
> Your local network acl should be default deny, then allow the local
> network cidr ranges that you consider local.
>
>
> On Tuesday, October 6, 2015, Charles Bujold <cjbujold at accra.ca> wrote:
>
>> We are trying to have Freeswitch work for 2 LAN segments (192.168.20.0/24
>> and 192.168.25.0/24). We have created an ACL for Freeswitch as follows.
>> However, the LAN segment 192.168.25.0/24 cannot make calls; their calls are
>> routed via the WAN and not internally (the Freeswitch server is on the
>> 192.168.20.0/24 segment). What are we missing? Not certain when to use Deny
>> and Allow settings in the ACL. Any help would be appreciated. What is the
>> proper configuration for the ACL xml? The Internal Profile is listed below;
>> if it needs to be changed please let us know.
>>
>> Thanks
>>
>> <configuration name="acl.conf" description="Network Lists">
>>   <network-lists>
>>     <!--
>>          These ACL's are automatically created on startup.
>>
>>          rfc1918.auto  - RFC1918 Space
>>          nat.auto      - RFC1918 Excluding your local lan.
>>          localnet.auto - ACL for your local lan.
>>          loopback.auto - ACL for your local lan.
>>     -->
>>
>>     <list name="lan" default="deny">
>>       <node type="deny" cidr="192.168.20.0/24"/>
>>       <node type="allow" cidr="192.168.25.0/24"/>
>>     </list>
>>
>>     <list name="localnet.auto" default="allow">
>>       <node type="allow" cidr="192.168.20.0/24"/>
>>       <node type="allow" cidr="192.168.25.0/24"/>
>>     </list>
>>
>>     <!--
>>          This will traverse the directory adding all users
>>          with the cidr= tag to this ACL, when this ACL matches
>>          the users variables and params apply as if they
>>          digest authenticated.
>>     -->
>>     <list name="domains" default="deny">
>>       <!-- domain= is special it scans the domain from the directory to build the ACL -->
>>       <node type="allow" domain="$${domain}"/>
>>
>>       <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
>>       <node type="allow" cidr="192.168.20.0/24"/>
>>       <node type="allow" cidr="192.168.25.0/24"/>
>>     </list>
>>
>>   </network-lists>
>> </configuration>
>>
>> Our Internal SIP Profile is configured as follows:
>>
>> <profile name="internal">
>>   <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
>>   <!--aliases are other names that will work as a valid profile name for this profile-->
>>   <aliases>
>>     <!--
>>     <alias name="default"/>
>>     -->
>>   </aliases>
>>
>>   <!-- Outbound Registrations -->
>>   <gateways>
>>     <X-PRE-PROCESS cmd="include" data="internal/*.xml"/>
>>   </gateways>
>>
>>   <domains>
>>     <!-- indicator to parse the directory for domains with parse="true" to get gateways-->
>>     <!--<domain name="$${domain}" parse="true"/>-->
>>     <!-- indicator to parse the directory for domains with parse="true" to get gateways and alias every domain to this profile -->
>>     <!--<domain name="all" alias="true" parse="true"/>-->
>>     <domain name="all" alias="true" parse="false"/>
>>   </domains>
>>
>>   <settings>
>>     <param name="debug" value="0"/>
>>     <param name="sip-trace" value="no"/>
>>     <param name="sip-capture" value="no"/>
>>     <param name="watchdog-enabled" value="no"/>
>>     <param name="watchdog-step-timeout" value="30000"/>
>>     <param name="watchdog-event-timeout" value="30000"/>
>>     <param name="log-auth-failures" value="true"/>
>>     <param name="forward-unsolicited-mwi-notify" value="false"/>
>>     <param name="context" value="public"/>
>>     <param name="rfc2833-pt" value="101"/>
>>     <param name="sip-port" value="$${internal_sip_port}"/>
>>     <param name="dialplan" value="XML"/>
>>     <param name="dtmf-duration" value="2000"/>
>>     <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
>>     <param name="outbound-codec-prefs" value="$${global_codec_prefs}"/>
>>     <param name="rtp-timer-name" value="soft"/>
>>     <param name="rtp-ip" value="$${local_ip_v4}"/>
>>     <param name="sip-ip" value="$${local_ip_v4}"/>
>>     <param name="hold-music" value="$${hold_music}"/>
>>     <param name="apply-nat-acl" value="nat.auto"/>
>>     <param name="apply-inbound-acl" value="domains"/>
>>     <param name="local-network-acl" value="localnet.auto"/>
>>     <param name="record-path" value="$${recordings_dir}"/>
>>     <param name="record-template" value="${caller_id_number}.${target_domain}.${strftime(%Y-%m-%d-%H-%M-%S)}.wav"/>
>>     <param name="manage-presence" value="true"/>
>>     <param name="presence-hosts" value="$${domain},$${local_ip_v4}"/>
>>     <param name="presence-privacy" value="$${presence_privacy}"/>
>>     <param name="inbound-codec-negotiation" value="generous"/>
>>     <param name="tls" value="$${internal_ssl_enable}"/>
>>     <param name="tls-only" value="false"/>
>>     <param name="tls-bind-params" value="transport=tls"/>
>>     <param name="tls-sip-port" value="$${internal_tls_port}"/>
>>     <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
>>     <param name="tls-passphrase" value=""/>
>>     <param name="tls-verify-date" value="true"/>
>>     <param name="tls-verify-policy" value="none"/>
>>     <param name="tls-verify-depth" value="2"/>
>>     <param name="tls-verify-in-subjects" value=""/>
>>     <param name="tls-version" value="$${sip_tls_version}"/>
>>     <param name="nonce-ttl" value="60"/>
>>     <param name="auth-calls" value="$${internal_auth_calls}"/>
>>     <param name="inbound-reg-force-matching-username" value="true"/>
>>     <param name="auth-all-packets" value="false"/>
>>     <param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
>>     <param name="ext-sip-ip" value="$${external_sip_ip}"/>
>>     <param name="rtp-timeout-sec" value="300"/>
>>     <param name="rtp-hold-timeout-sec" value="1800"/>
>>     <param name="force-register-domain" value="$${domain}"/>
>>     <param name="force-subscription-domain" value="$${domain}"/>
>>     <param name="force-register-db-domain" value="$${domain}"/>
>>     <param name="challenge-realm" value="auto_from"/>
>>     <param name="aggressive-nat-detection" value="true"/>
>>   </settings>
>> </profile>
>>
>
>
> --
>
> *Brian West*
> brian at freeswitch.org
>
>
> *Twitter: @FreeSWITCH , @briankwest*
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
>
> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>
> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
--
Guillermo Ruiz Camauer
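Editor's added example, not code from either poster or from the FreeSWITCH project: a small offline Python model of how a FreeSWITCH ACL `<list>` is evaluated, run over the "lan" and "localnet.auto" lists exactly as posted in the thread. The evaluation rule it assumes is my reading of switch_network_list_validate_ip_token in src/switch_utils.c (every node is checked, the node with the longest matching prefix decides, a later node wins a tie on prefix length, and the list's default= applies when nothing matches); the "lan_fixed" list and the 192.168.20.250 host in it are hypothetical, constructed to show the default-deny-then-allow shape recommended in the reply and to show that a more specific node overrides a broader one whatever its position. It shows concretely why the posted "lan" list rejects every phone on the segment the server itself sits on.

```python
"""Offline model of FreeSWITCH ACL <list> evaluation, run over the lists
posted in this thread.  Added example, not FreeSWITCH code.

Assumed rule (my reading of switch_network_list_validate_ip_token in
src/switch_utils.c): all nodes are checked, the longest matching prefix
decides, a later node wins a tie on prefix length, and default= applies
when no node matches.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed input: "lan" and "localnet.auto" exactly as posted, plus a
# hypothetical "lan_fixed" list in the default-deny-then-allow shape, with
# one hypothetical host carved out to demonstrate prefix precedence.
ACL_XML = """
<network-lists>
  <list name="lan" default="deny">
    <node type="deny"  cidr="192.168.20.0/24"/>
    <node type="allow" cidr="192.168.25.0/24"/>
  </list>
  <list name="localnet.auto" default="allow">
    <node type="allow" cidr="192.168.20.0/24"/>
    <node type="allow" cidr="192.168.25.0/24"/>
  </list>
  <list name="lan_fixed" default="deny">
    <node type="deny"  cidr="192.168.20.250/32"/>
    <node type="allow" cidr="192.168.20.0/24"/>
    <node type="allow" cidr="192.168.25.0/24"/>
  </list>
</network-lists>
"""


def parse_lists(xml_text):
    """Return {list_name: (default_allow, [(network, allow), ...])}.

    Nodes that use domain= instead of cidr= are expanded from the user
    directory at runtime, which this offline model does not have, so they
    are skipped.
    """
    lists = {}
    for lst in ET.fromstring(xml_text).iter("list"):
        default_allow = lst.get("default", "deny") == "allow"
        nodes = []
        for node in lst.findall("node"):
            cidr = node.get("cidr")
            if cidr is None:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            nodes.append((net, node.get("type", "deny") == "allow"))
        lists[lst.get("name")] = (default_allow, nodes)
    return lists


def acl_check(lists, list_name, ip):
    """True if ip passes list_name under the assumed rule."""
    default_allow, nodes = lists[list_name]
    addr = ipaddress.ip_address(ip)
    verdict, best_bits = default_allow, -1
    for net, allow in nodes:
        if addr.version != net.version:
            continue
        # >= so that a later node of equal prefix length overrides an earlier one
        if net.prefixlen >= best_bits and addr in net:
            verdict, best_bits = allow, net.prefixlen
    return verdict


def explain(lists, list_name, ips):
    """Map each address to its verdict for one list."""
    return {ip: acl_check(lists, list_name, ip) for ip in ips}


if __name__ == "__main__":
    acls = parse_lists(ACL_XML)
    phones = ["192.168.20.50", "192.168.20.250", "192.168.25.50", "10.9.8.7"]
    for name in ("lan", "localnet.auto", "lan_fixed"):
        print(name, explain(acls, name, phones))
```

On the real box the same check can be made after editing acl.conf.xml with `fs_cli -x reloadacl` followed by `fs_cli -x "acl 192.168.20.50 lan"`, which prints true or false. Note also what the posted config itself says in the comment above the "domains" list: the cidr= nodes there make any host on those two ranges behave as if it had digest-authenticated, so whichever list is corrected, only ranges that are genuinely trusted belong in that one.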