[Freeswitch-users] SBC

Valter Nogueira valter at fastway.com.br
Tue Dec 13 05:33:04 MSK 2016


So "inside" profile should not have gateways at all. I should declare
asterisks as users like asterisk-1, asterisk-2 and so on. And bridge calls
to them using user/asterisk-1.

On "outside" profile I should have gateways but not users and bridge calls
to sofia/gateway/myistsp.com



Regards,



2016-12-13 0:25 GMT-02:00 David Villasmil <david.villasmil.work at gmail.com>:

> I also enable auth-calls and auth-all-packets.
>
> On Tue, Dec 13, 2016 at 3:19 AM Valter Nogueira <valter at fastway.com.br>
> wrote:
>
>> Which parameter do I use to enable a profile for registration?
>>
>> <param name="force-register-domain" value="$${domain}"/>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> 2016-12-12 23:30 GMT-02:00 David Villasmil <david.villasmil.work at gmail.com>:
>>
>> Hello,
>>
>> Every time fs receives a REGISTER it will look up the user trying to
>> register (if the profile is configured to authenticate) in the directory
>> path. You can register via any profile if configured. You can control what
>> user may register where by enabling multi-domain as per
>> https://wiki.freeswitch.org/wiki/Multiple_Companies.
>>
>> By default, the directory.xml is as follows:
>>
>> <include>
>>    <!--the domain or ip (the right hand side of the @ in the addr-->
>>    <domain name="$${domain}">
>>      ...
>>      <groups>
>>        <group name="default">
>>          <users>
>>            <X-PRE-PROCESS cmd="include" data="default/*.xml"/>
>>          </users>
>>        </group>
>> ...
>>
>> So, as you can see, there's only one domain directory ($${domain} which
>> is the ip address of your server) which has only one group called "users"
>> which *includes* any xml in "default/"
>>
>> hope this helps.
>>
>> David
>>
>> Regards,
>>
>> David Villasmil
>> email: david.villasmil.work at gmail.com
>> phone: +34669448337
>>
>> On Mon, Dec 12, 2016 at 9:42 PM, Valter Nogueira <valter at fastway.com.br>
>> wrote:
>>
>> I am studying opensips and kamailio, but to be honest, I am a little
>> afraid of them - just because I am not sure if I can figure out every
>> situation in route.
>>
>> My environment is strictly controlled with iptables drop policy and just
>> friendly traffic is allowed.
>>
>> What I understood by now is that I must have a profile for every NIC used
>> to route traffic.
>>
>> What I don't get yet is how directory relates to profiles. In file
>> directory/default/example.com.xml there is a user "joe" which has a
>> gateway defined inside it and that sofia shows in every gateway available
>> (except in internal)
>>
>> Just to make me more confused: https://wiki.freeswitch.org/wiki/SBC_Setup
>>
>> In which internal and external are bound to the same ip+port but to
>> different vlans. How are vlan tags bound to internal and external
>> profiles?
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> 2016-12-12 9:09 GMT-02:00 David Villasmil <david.villasmil.work at gmail.com>:
>>
>> At the very least start by looking at Homer (http://sipcapture.org/)
>> which works beautifully with kamailio (I assume also openSIPS) and
>> freeswitch, and it generates by default some nice graphs and alarms.
>>
>> Regards,
>>
>> David Villasmil
>> email: david.villasmil.work at gmail.com
>> phone: +34669448337
>>
>> On Mon, Dec 12, 2016 at 10:19 AM, Stanislav Sinyagin <ssinyagin at gmail.com> wrote:
>>
>> but that's part of a job for an end-to-end system designer, it's not
>> something specific to a particular piece of software.
>>
>> For the scenario that Valter has described, FreeSWITCH (or two servers
>> in a cluster) will do the job just fine. But of course it needs to be
>> designed, configured and tested properly, with security in mind.
>>
>> I would agree, it's good to place Kamailio as the first-hop Internet
>> gateway if you need to process INVITEs from unknown sources in
>> Internet. It has nice features that minimize the impact of various DOS
>> attacks or hacking. Also if you need to scale up, Kamailio will serve
>> nicely as a load-balancer. But there's nothing wrong in placing
>> FreeSWITCH alone in the Internet if you know what you're doing.
>>
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Dec 12, 2016 at 4:43 AM, Kamil Nigmatullin
>> <kamil.nigmatullin at gmail.com> wrote:
>> > The first was the problem where the attacker somehow got the login and
>> > password (I think they broke their ATA) from the client and used it. But
>> > for this client there was a limit of one line. I used the limit module
>> > with a local database. What the attacker actually did is that they used
>> > a REFER attack, where they put their own number as a referrer, and opened
>> > unlimited lines to PSTN. So the solution was to move the limit
>> > functionality to opensips.
>> >
>> > The second - it is not actually the FS issue. It is because Freeswitch is
>> > not flexible enough to work at the low level where Kamailio or opensips
>> > operates. E.g., we programmed opensips to look up a UserAgent database;
>> > we add the useragent for each client manually. And only using the
>> > client's IP and user-agent do we allow this user to call to PSTN. We
>> > watch for blacklists of IP addresses, subnets. If it comes from Gaza,
>> > Panama, China we block it. And a lot of other things. Most of them are
>> > not out-of-box in opensips, but it is not hard to implement. All this
>> > functionality is very important. We lost about $10k last time. This is
>> > very serious.
>> >
>> > 2016-12-12 8:56 GMT+06:00 Alex Balashov <abalashov at evaristesys.com>:
>> >>
>> >> On Mon, Dec 12, 2016 at 08:17:57AM +0600, Kamil Nigmatullin wrote:
>> >>
>> >> > I love freeswitch, but frankly I would not recommend to set it as SBC.
>> >> > I personally faced two attacks where FS was not good at. And we lost
>> >> > a lot of money. It works perfectly as NAT between internal and
>> >> > external networks, actually in everything but it is weak as a
>> >> > firewall. Stanislav knows that, he helped me to resolve the problem
>> >> > first time when it happened. I cannot go into details as this is open
>> >> > forum. You need to put either kamailio or opensips in front of FS.
>> >>
>> >> Strongly agree.
>> >>
>> >> --
>> >> Alex Balashov | Principal | Evariste Systems LLC
>> >>
>> >> Tel: +1-706-510-6800 (direct) / +1-800-250-5920 (toll-free)
>> >> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
>> >>
>> >> _________________________________________________________________________
>> >> Professional FreeSWITCH Consulting Services:
>> >> consulting at freeswitch.org
>> >> http://www.freeswitchsolutions.com
>> >>
>> >> Official FreeSWITCH Sites
>> >> http://www.freeswitch.org
>> >> http://confluence.freeswitch.org
>> >> http://www.cluecon.com
>> >>
>> >> FreeSWITCH-users mailing list
>> >> FreeSWITCH-users at lists.freeswitch.org
>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> >> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> >> http://www.freeswitch.org
>> >
>> >
>> >
>> >
>> > --
>> > Kamil Nigmatullin
>> > Tel: 77272323748
>> > mob: 7 (707) 2517003
>> > Skype: kamil.nigmatullin
>> >
>
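
The two controls Kamil describes in the quoted thread (a one-line limit per client that a REFER got around, and admitting PSTN calls only from a client's known IP and User-Agent) can be modelled as below. This is an added example in Python, not code from any poster and not OpenSIPS or FreeSWITCH configuration; the account name, addresses, User-Agent string and event format are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: per authenticated account, the source networks and
# User-Agent it may call from, and how many concurrent PSTN legs it may hold.
POLICY = {
    "client-1001": {"nets": ["198.51.100.0/28"], "user_agent": "ExampleATA/1.2", "max_legs": 1},
}

class Admission:
    def __init__(self, policy):
        self.policy = policy
        self.legs = defaultdict(set)  # authenticated account -> active leg ids

    def source_ok(self, account, src_ip, user_agent):
        entry = self.policy.get(account)
        if entry is None or user_agent != entry["user_agent"]:
            return False
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(n) for n in entry["nets"])

    def decide(self, ev):
        """Return the decision for one event (hypothetical dict format)."""
        acct = ev["auth_account"]
        if ev["method"] == "BYE":
            self.legs[acct].discard(ev["leg"])
            return "released"
        if not self.source_ok(acct, ev["src_ip"], ev["user_agent"]):
            return "reject: source not allow-listed"
        # INVITE and REFER are charged alike, always to the authenticated
        # account; the Referred-By value is never used as the accounting key.
        if len(self.legs[acct]) >= self.policy[acct]["max_legs"]:
            return "reject: line limit"
        self.legs[acct].add(ev["leg"])
        return "allow"

# Constructed sample traffic for one account with a one-line limit.
ATA = {"auth_account": "client-1001", "src_ip": "198.51.100.5", "user_agent": "ExampleATA/1.2"}
EVENTS = [
    {**ATA, "method": "INVITE", "leg": "a"},
    {**ATA, "method": "REFER", "leg": "b", "referred_by": "sip:other@example.invalid"},
    {**ATA, "method": "INVITE", "leg": "c", "src_ip": "203.0.113.9", "user_agent": "unknown"},
    {**ATA, "method": "BYE", "leg": "a"},
    {**ATA, "method": "REFER", "leg": "d", "referred_by": "sip:other@example.invalid"},
]

def replay(events, policy=POLICY):
    adm = Admission(policy)
    return [adm.decide(ev) for ev in events]
```

Calling replay(EVENTS) returns one decision per event; the second event is the case from the thread, a REFER that would open a second leg while the one permitted line is in use.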