[Freeswitch-users] ACL for ESL issue ?

Steven Ayre steveayre at gmail.com
Mon Sep 14 19:47:02 MSD 2015


From a read of the source code, yes you can do that.

Although the value is an ACL name, not a CIDR... you'd want to create an
ACL named something like 'lan' and add 192.168.1.0/24 to that.



On 14 September 2015 at 11:56, Pavel <my.post at hotmail.com> wrote:

> Steven, thanks a lot for your reply.
> The implicit apply-inbound-acl with a value of loopback.auto was my
> initial guess, but there was no mention of it in the wiki (perhaps I'd
> overlooked it). Would you be so kind as to also answer whether there is any
> way to stack some ACLs like this:
>
> <configuration name="event_socket.conf" description="Socket Client">
>   <settings>
>     <param name="nat-map" value="false"/>
>     <param name="listen-ip" value="0.0.0.0"/>
>     <param name="listen-port" value="8021"/>
>     <param name="password" value="ClueCon"/>
>     <param name="apply-inbound-acl" value="loopback.auto"/>
>     <param name="apply-inbound-acl" value="192.168.1.0/24"/>
>   </settings>
> </configuration>
>
> Regards,
> Pavel.
>
> ------------------------------
> From: steveayre at gmail.com
> Date: Mon, 14 Sep 2015 09:18:57 +0100
> To: freeswitch-users at lists.freeswitch.org
> Subject: Re: [Freeswitch-users] ACL for ESL issue ?
>
>
> You need to use one or more apply-inbound-acl to allow access via ACLs you
> have created.
>
> If you don't supply apply-inbound-acl then the default will be
> loopback.auto, to lock access down to local access only.
>
> In 1.2 the default was to not apply any ACL (allow anyone), in 1.4 it
> requires you to be explicit or it'll only allow local connections even if
> you listen on 0.0.0.0 or ::. This is more secure.
>
> If you're opening it up to remote access you want to be very careful about
> who you allow to connect. The protocol is unencrypted, the password is sent
> in plaintext, and it provides the ability to crash freeswitch or execute
> system commands as the freeswitch user. So it's a security hole that you
> don't want to be any more open than it absolutely has to be.
>
>
>
>
>
> On 11 September 2015 at 12:58, Pavel <my.post at hotmail.com> wrote:
>
> Hello,
> I was trying to enable ESL connections from outside of the FS host. To do
> so I've followed
> https://wiki.freeswitch.org/wiki/Mod_event_socket#Configuration and
> changed the default event_socket.conf.xml
> from:
>
> <configuration name="event_socket.conf" description="Socket Client">
>   <settings>
>     <param name="nat-map" value="false"/>
>     <param name="listen-ip" value="::"/>
>     <param name="listen-port" value="8021"/>
>     <param name="password" value="ClueCon"/>
>   </settings>
> </configuration>
>
> to:
>
> <configuration name="event_socket.conf" description="Socket Client">
>   <settings>
>     <param name="nat-map" value="false"/>
>     <param name="listen-ip" value="0.0.0.0"/>
>     <param name="listen-port" value="8021"/>
>     <param name="password" value="ClueCon"/>
>   </settings>
> </configuration>
>
> and issued:
> reload mod_event_socket.
>
> Trying to telnet to fs host on port 8021 I observe:
>
> Content-Type: text/rude-rejection
> Content-Length: 24
>
> Access Denied, go away.
> Content-Type: text/disconnect-notice
> Content-Length: 67
>
> Disconnected, goodbye.
> See you at ClueCon! http://www.cluecon.com/
> Connection closed by foreign host.
>
> And in the FS log I can see the following:
>
> mod_event_socket.c:2603 IP "someiphere" Rejected by acl "loopback.auto"
>
> But as far as I understand, event_socket.conf.xml doesn't mention any
> ACL set up against ESL connections?
> Would someone please be so kind as to point out what I am missing?
> Thanks.
> Regards,
> Pavel.
>
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
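The point the thread turns on is that apply-inbound-acl takes the name of an ACL defined in acl.conf.xml, not a CIDR, and that leaving it out falls back to loopback.auto. The following audit script is an added example for this page, not code from the mailing list or from the FreeSWITCH project. It parses an event_socket.conf.xml and an acl.conf.xml fragment with the standard library, flags apply-inbound-acl values that are CIDRs or undefined ACL names, and warns when the socket listens on all interfaces while only loopback.auto applies (the "Rejected by acl" situation from the first post) or when the default password is still set. The sample configs are constructed to mirror the thread; the set of built-in ACL names is an assumption limited to loopback.auto because the page names no others.

```python
"""Audit a FreeSWITCH event_socket.conf.xml against the ACL rules from the thread.

Added example, not FreeSWITCH code. Assumptions: apply-inbound-acl values must
be names from acl.conf.xml or built-in ACLs; only loopback.auto is treated as
built-in here, extend BUILTIN_ACLS for your release.
"""
import ipaddress
import xml.etree.ElementTree as ET

BUILTIN_ACLS = {"loopback.auto"}  # assumption: the only built-in name the thread mentions

# Constructed: the stacked config from the thread; the second value is a CIDR, not an ACL name.
STACKED_CIDR_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
    <param name="apply-inbound-acl" value="192.168.1.0/24"/>
  </settings>
</configuration>"""

# Constructed: the same config with the CIDR moved into a named ACL called 'lan'.
FIXED_CONF = STACKED_CIDR_CONF.replace('value="192.168.1.0/24"', 'value="lan"')

# Constructed: acl.conf.xml fragment that defines the 'lan' list.
ACL_CONF = """<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="lan" default="deny">
      <node type="allow" cidr="192.168.1.0/24"/>
    </list>
  </network-lists>
</configuration>"""


def looks_like_network(value):
    """True if the value parses as an IP address or CIDR, i.e. it is not an ACL name."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def acl_names(acl_xml):
    """Collect the <list name="..."> entries defined in an acl.conf.xml document."""
    root = ET.fromstring(acl_xml)
    return {lst.get("name") for lst in root.iter("list") if lst.get("name")}


def audit_event_socket(esl_xml, defined_acls=frozenset()):
    """Return (severity, message) findings for an event_socket.conf.xml document."""
    root = ET.fromstring(esl_xml)
    params, acls = {}, []
    for p in root.iter("param"):
        name, value = p.get("name"), p.get("value", "")
        if name == "apply-inbound-acl":
            acls.append(value)  # the param may be repeated, so keep every value
        else:
            params[name] = value

    findings = []
    known = BUILTIN_ACLS | set(defined_acls)
    if not acls:
        findings.append(("info", "no apply-inbound-acl: loopback.auto applies by default, "
                                 "remote clients are rejected"))
    for value in acls:
        if looks_like_network(value):
            findings.append(("error", f"apply-inbound-acl {value!r} is a CIDR, not an ACL name; "
                                      "define a <list> in acl.conf.xml and reference its name"))
        elif value not in known:
            findings.append(("error", f"apply-inbound-acl {value!r} is not a defined ACL"))

    listen = params.get("listen-ip", "")
    # Empty acls means the loopback.auto default, so all() covers that case too.
    if listen in ("0.0.0.0", "::") and all(v == "loopback.auto" for v in acls):
        findings.append(("warn", f"listen-ip {listen} binds all interfaces but only loopback.auto "
                                 "is applied, remote connections will be 'Rejected by acl'"))
    if params.get("password") == "ClueCon":
        findings.append(("warn", "default password 'ClueCon' is in use"))
    return findings


if __name__ == "__main__":
    lan = acl_names(ACL_CONF)
    for label, conf in (("stacked CIDR", STACKED_CIDR_CONF), ("fixed", FIXED_CONF)):
        print(f"--- {label} ---")
        for severity, message in audit_event_socket(conf, lan):
            print(f"{severity}: {message}")
```

To run it against a live installation, read the two files from the conf directory of the FreeSWITCH install (for example `open(".../autoload_configs/event_socket.conf.xml").read()`) and pass the strings to `acl_names` and `audit_event_socket`; any "error" finding means FreeSWITCH will not apply the ACL the way the config author intended.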