[Freeswitch-users] ACL for ESL issue ?

Brian West brian at freeswitch.org
Mon Sep 14 19:56:41 MSD 2015


<param name="apply-inbound-acl" value="192.168.1.0/24"/>

It should work too.

On Mon, Sep 14, 2015 at 10:47 AM, Steven Ayre <steveayre at gmail.com> wrote:

> From a read of the source code, yes you can do that.
>
> Although the value is an ACL name, not a CIDR... you'd want to create an
> ACL named something like 'lan' and add 192.168.1.0/24 to that.
>
>
>
> On 14 September 2015 at 11:56, Pavel <my.post at hotmail.com> wrote:
>
>> Steven, thanks a lot for your reply.
>> The implicit apply-inbound-acl with a value of loopback.auto was my
>> initial guess, but there were no mentions of it in the wiki (perhaps I'd
>> overlooked it). Would you be so kind as to also answer whether there is any
>> way to stack some ACLs like this:
>>
>> <configuration name="event_socket.conf" description="Socket Client">
>>   <settings>
>>     <param name="nat-map" value="false"/>
>>     <param name="listen-ip" value="0.0.0.0"/>
>>     <param name="listen-port" value="8021"/>
>>     <param name="password" value="ClueCon"/>
>>     <param name="apply-inbound-acl" value="loopback.auto"/>
>>     <param name="apply-inbound-acl" value="192.168.1.0/24"/>
>>   </settings>
>> </configuration>
>>
>> Regards,
>> Pavel.
>>
>> ------------------------------
>> From: steveayre at gmail.com
>> Date: Mon, 14 Sep 2015 09:18:57 +0100
>> To: freeswitch-users at lists.freeswitch.org
>> Subject: Re: [Freeswitch-users] ACL for ESL issue ?
>>
>>
>> You need to use one or more apply-inbound-acl to allow access via ACLs
>> you have created.
>>
>> If you don't supply apply-inbound-acl then the default will be
>> loopback.auto, to lock access down to local access only.
>>
>> In 1.2 the default was to not apply any ACL (allow anyone); in 1.4 it
>> requires you to be explicit or it'll only allow local connections even if
>> you listen on 0.0.0.0 or ::. This is more secure.
>>
>> If you're opening it up to remote access you want to be very careful
>> about who you allow to connect. The protocol is unencrypted, the password
>> is sent in plaintext, and it provides the ability to crash freeswitch or
>> execute system commands as the freeswitch user. So it's a security hole
>> that you don't want to be any more open than it absolutely has to be.
>>
>>
>>
>>
>>
>> On 11 September 2015 at 12:58, Pavel <my.post at hotmail.com> wrote:
>>
>> Hello,
>>  I was trying to enable ESL connections from outside of the FS host. To do so
>> I've followed
>> https://wiki.freeswitch.org/wiki/Mod_event_socket#Configuration and
>> changed the default event_socket.conf.xml
>> from:
>>
>> <configuration name="event_socket.conf" description="Socket Client">
>>   <settings>
>>     <param name="nat-map" value="false"/>
>>     <param name="listen-ip" value="::"/>
>>     <param name="listen-port" value="8021"/>
>>     <param name="password" value="ClueCon"/>
>>   </settings>
>> </configuration>
>>
>> to:
>>
>> <configuration name="event_socket.conf" description="Socket Client">
>>   <settings>
>>     <param name="nat-map" value="false"/>
>>     <param name="listen-ip" value="0.0.0.0"/>
>>     <param name="listen-port" value="8021"/>
>>     <param name="password" value="ClueCon"/>
>>   </settings>
>> </configuration>
>>
>> and issued:
>> reload mod_event_socket.
>>
>> Trying to telnet to the FS host on port 8021, I observe:
>>
>> Content-Type: text/rude-rejection
>> Content-Length: 24
>>
>> Access Denied, go away.
>> Content-Type: text/disconnect-notice
>> Content-Length: 67
>>
>> Disconnected, goodbye.
>> See you at ClueCon! http://www.cluecon.com/
>> Connection closed by foreign host.
>>
>> And in the FS log I can see the following:
>>
>> mod_event_socket.c:2603 IP "someiphere" Rejected by acl "loopback.auto"
>>
>> But as far as I understand, the event_socket.conf.xml doesn't mention any
>> ACL set up against ESL connections?
>> Would someone please be so kind as to point out what I am missing?
>> Thanks.
>> Regards,
>> Pavel.
>>
>>
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
>
>



-- 

*Brian West*
brian at freeswitch.org


*Twitter: @FreeSWITCH , @briankwest*
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com

Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
/r/freeswitch <https://www.reddit.com/r/freeswitch>

*T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
*iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
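As an added illustration (not code from the thread or from FreeSWITCH), the following Python models the ACL behaviour the replies above describe: it parses a constructed acl.conf.xml defining the named list 'lan' that Steven suggests and a constructed event_socket.conf.xml that stacks loopback.auto with it, then reports which client addresses would pass the inbound check. The list names, node layout, the modelling of loopback.auto as the two loopback ranges, the acceptance of a bare CIDR as an apply-inbound-acl value (Brian's reply) and the last-matching-node-wins evaluation order are assumptions of the example, not FreeSWITCH's exact algorithm. The audit() helper also flags Pavel's starting configuration, where the listener is bound to 0.0.0.0 without any apply-inbound-acl and the implicit loopback.auto rejects every remote client with the "Access Denied" seen in his telnet session.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed acl.conf.xml: the named list 'lan' Steven suggests, with one
# deny node to show a single host being carved out of the subnet.
ACL_CONF = """<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="lan" default="deny">
      <node type="allow" cidr="192.168.1.0/24"/>
      <node type="deny" cidr="192.168.1.99/32"/>
    </list>
  </network-lists>
</configuration>"""

# Constructed event_socket.conf.xml: all interfaces, loopback.auto stacked
# with the named list.  The no-ACL variant below is Pavel's starting point.
ESL_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="password" value="ClueCon"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
    <param name="apply-inbound-acl" value="lan"/>
  </settings>
</configuration>"""
ESL_CONF_NO_ACL = "\n".join(line for line in ESL_CONF.splitlines()
                            if "apply-inbound-acl" not in line)

# loopback.auto is built into FreeSWITCH, not defined in acl.conf.xml; it is
# modelled here (assumption) as the IPv4 and IPv6 loopback ranges.
BUILTIN_LISTS = {"loopback.auto": ("deny", [("allow", "127.0.0.0/8"), ("allow", "::1/128")])}


def parse_acl_lists(xml_text):
    """Return {name: (default, [(type, cidr), ...])}, built-ins included."""
    lists = dict(BUILTIN_LISTS)
    for lst in ET.fromstring(xml_text).iter("list"):
        nodes = [(n.get("type"), n.get("cidr")) for n in lst.findall("node")]
        lists[lst.get("name")] = (lst.get("default", "deny"), nodes)
    return lists


def parse_esl_settings(xml_text):
    """Return (listen_ip, [apply-inbound-acl values])."""
    listen_ip, acls = "127.0.0.1", []
    for p in ET.fromstring(xml_text).iter("param"):
        if p.get("name") == "listen-ip":
            listen_ip = p.get("value")
        elif p.get("name") == "apply-inbound-acl":
            acls.append(p.get("value"))
    return listen_ip, acls


def list_permits(list_def, ip):
    """Simplified model (assumption): nodes are checked in config order, the
    last matching node wins, and the list default applies otherwise."""
    default, nodes = list_def
    verdict = default
    for ntype, cidr in nodes:
        if ip in ipaddress.ip_network(cidr, strict=False):
            verdict = ntype
    return verdict == "allow"


def acl_permits(acl_value, lists, ip):
    """Value is normally a list name; per Brian's reply a bare CIDR is
    accepted too, as a single allow rule.  Unknown names permit nothing."""
    if acl_value in lists:
        return list_permits(lists[acl_value], ip)
    try:
        return ip in ipaddress.ip_network(acl_value, strict=False)
    except ValueError:
        return False


def esl_allows(src_ip, esl_xml=ESL_CONF, acl_xml=ACL_CONF):
    """True if a client at src_ip passes the inbound ACL check.  With no
    apply-inbound-acl set, 1.4+ falls back to loopback.auto (per the thread)."""
    ip = ipaddress.ip_address(src_ip)
    _, acls = parse_esl_settings(esl_xml)
    lists = parse_acl_lists(acl_xml)
    return any(acl_permits(a, lists, ip) for a in (acls or ["loopback.auto"]))


def audit(esl_xml=ESL_CONF, acl_xml=ACL_CONF):
    """Flag the two cases the thread touches: all-interfaces bind with only the
    implicit loopback.auto, and an ACL so wide it admits a TEST-NET-3 address."""
    listen_ip, acls = parse_esl_settings(esl_xml)
    findings = []
    if listen_ip in ("0.0.0.0", "::") and not acls:
        findings.append("listen-ip is all interfaces but no apply-inbound-acl is "
                        "set; implicit loopback.auto rejects every remote client")
    if esl_allows("203.0.113.7", esl_xml, acl_xml):
        findings.append("inbound ACL admits 203.0.113.7; ESL is reachable from anywhere")
    return findings


if __name__ == "__main__":
    for ip in ("127.0.0.1", "::1", "192.168.1.10", "192.168.1.99", "10.0.0.5"):
        print(f"{ip:>14} -> {'allowed' if esl_allows(ip) else 'rejected'}")
    for finding in audit(ESL_CONF_NO_ACL):
        print("finding:", finding)
```

Run it against your own copies of the two files by swapping the constructed strings for their contents; the evaluation order in list_permits is a stand-in, so confirm any deny-within-allow carve-out against a live FreeSWITCH before relying on it.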