[Freeswitch-users] ACL for ESL issue ?

Pavel my.post at hotmail.com
Mon Sep 14 14:56:51 MSD 2015


Steven, thanks a lot for your reply. The implicit apply-inbound-acl with a value of loopback.auto was my initial guess, but there was no mention of it in the wiki (perhaps I'd overlooked it). Would you be so kind as to also answer whether there is any way to stack some ACLs like this:

<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
    <param name="apply-inbound-acl" value="192.168.1.0/24"/>
  </settings>
</configuration>

Regards,
Pavel.

From: steveayre at gmail.com
Date: Mon, 14 Sep 2015 09:18:57 +0100
To: freeswitch-users at lists.freeswitch.org
Subject: Re: [Freeswitch-users] ACL for ESL issue ?

You need to use one or more apply-inbound-acl to allow access via ACLs you have created.
If you don't supply apply-inbound-acl then the default will be loopback.auto, to lock access down to local access only.
In 1.2 the default was to not apply any ACL (allow anyone), in 1.4 it requires you to be explicit or it'll only allow local connections even if you listen on 0.0.0.0 or ::. This is more secure.
If you're opening it up to remote access you want to be very careful about who you allow to connect. The protocol is unencrypted, the password is sent in plaintext, and it provides the ability to crash freeswitch or execute system commands as the freeswitch user. So it's a security hole that you don't want to be any more open than it absolutely has to be.




On 11 September 2015 at 12:58, Pavel <my.post at hotmail.com> wrote:



Hello,
 I was trying to enable esl connections from outside of fs host. To do so I've followed https://wiki.freeswitch.org/wiki/Mod_event_socket#Configuration and changed default event_socket.conf.xml
from:
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>
to:
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>
and issued: reload mod_event_socket.

Trying to telnet to fs host on port 8021 I observe:

Content-Type: text/rude-rejection
Content-Length: 24
Access Denied, go away.
Content-Type: text/disconnect-notice
Content-Length: 67
Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
Connection closed by foreign host.
And in the fs log I can see the following:

mod_event_socket.c:2603 IP "someiphere" Rejected by acl "loopback.auto"

But as far as I understand, the event_socket.conf.xml doesn't mention any ACL set up against ESL connections? Would someone please be so kind as to point out what I am missing?
Thanks.
Regards,
Pavel.


 		 	   		  

_________________________________________________________________________

Professional FreeSWITCH Consulting Services:

consulting at freeswitch.org

http://www.freeswitchsolutions.com



Official FreeSWITCH Sites

http://www.freeswitch.org

http://confluence.freeswitch.org

http://www.cluecon.com



FreeSWITCH-users mailing list

FreeSWITCH-users at lists.freeswitch.org

http://lists.freeswitch.org/mailman/listinfo/freeswitch-users

UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users

http://www.freeswitch.org
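
An added example, not part of the thread or of FreeSWITCH itself: a Python check that reads an event_socket.conf.xml and reports the conditions discussed in this thread (wildcard listen-ip with no apply-inbound-acl, remote access over the plaintext protocol, the default password). The function name and finding codes are hypothetical, the fallback to loopback.auto assumes the 1.4 behaviour Steven describes, and ACL values are listed as written, not resolved or validated.

```python
import xml.etree.ElementTree as ET

WILDCARD_LISTEN = {"0.0.0.0", "::"}  # the two listen-ip values used in the thread
DEFAULT_PASSWORD = "ClueCon"         # password in the default config quoted in the thread
IMPLICIT_ACL = "loopback.auto"       # applied by 1.4 when no apply-inbound-acl is given

def audit_event_socket(xml_text):
    """Return (effective_acls, finding_codes) for an event_socket.conf.xml document."""
    params = {}
    for param in ET.fromstring(xml_text).iter("param"):
        # A parameter may appear more than once, so keep every value in order
        params.setdefault(param.get("name"), []).append(param.get("value", ""))

    acls = params.get("apply-inbound-acl", [])
    wildcard = any(ip in WILDCARD_LISTEN for ip in params.get("listen-ip", []))
    findings = []
    if wildcard and not acls:
        # 1.4 rejects remote clients via loopback.auto; 1.2 applied no ACL at all
        findings.append("wildcard-listen-without-acl")
    if wildcard and any(acl != IMPLICIT_ACL for acl in acls):
        # Remote peers are admitted, so the password and commands travel unencrypted
        findings.append("remote-access-plaintext")
    if DEFAULT_PASSWORD in params.get("password", []):
        findings.append("default-password")
    return (acls or [IMPLICIT_ACL]), findings

# Sample inputs constructed from the two configurations quoted in the thread
TEMPLATE = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>{acl_params}
  </settings>
</configuration>"""
NO_ACL_CONFIG = TEMPLATE.format(acl_params="")
STACKED_CONFIG = TEMPLATE.format(acl_params="""
    <param name="apply-inbound-acl" value="loopback.auto"/>
    <param name="apply-inbound-acl" value="192.168.1.0/24"/>""")

if __name__ == "__main__":
    for label, cfg in (("no ACL", NO_ACL_CONFIG), ("stacked", STACKED_CONFIG)):
        effective, codes = audit_event_socket(cfg)
        print(f"{label}: effective ACLs {effective}, findings {codes}")
```
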


