Thank you. Could you please share your configuration section from the two files?<div><br></div><div>I tried what you suggested. I put another IP as my ACL (which should be rejected) but it goes through. So 41.XXX is not the IP I am calling from but it connects me anyway.</div>
<div><br></div><div>acl.conf.xml</div><div>-----------------</div><div><configuration name="acl.conf" description="Network Lists"></div><div> <network-lists></div><div> <!-- </div><div>
<span class="Apple-tab-span" style="white-space:pre">        </span> These ACL's are automatically created on startup.</div><div> --></div><div><br></div><div> <list name="lan" default="allow"></div>
<div> <node type="deny" cidr="192.168.42.0/24"/></div><div> <node type="allow" cidr="192.168.42.42/32"/></div>
<div> </list></div><div><br></div><div> <!-- 08232010</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>Allow only inbound from vitelity IP</div><div> --></div><div><span class="Apple-tab-span" style="white-space:pre">        </span><list name="localnet.auto" default="allow"></div>
<div><span class="Apple-tab-span" style="white-space:pre">                </span><node type="allow" cidr="41.XXX.XXX.XXX/29"/></div><div><span class="Apple-tab-span" style="white-space:pre">        </span></list></div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span></div><div> <!--</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>This will traverse the directory adding all users </div><div>
<span class="Apple-tab-span" style="white-space:pre">        </span>with the cidr= tag to this ACL, when this ACL matches</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>the users variables and params apply as if they </div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>digest authenticated.</div><div> --></div><div> <list name="domains" default="deny"></div><div> <node type="allow" domain="$${domain}"/></div>
<div> </list></div><div><br></div><div> </network-lists></div><div></configuration></div><div><br></div><div>------------- </div><div>Base_Settings.xml file under sip_profiles folder:</div><div><div>
<include></div><div> <profile name="sipinterface_1"></div><div> <domains></div><div> <domain name="all" alias="true" parse="true"/></div><div> </domains></div>
<div> <settings></div><div> <param name="rtp-ip" value="XY.XY.XY.XY"/></div><div> <param name="sip-ip" value="XY.XY.XY.XY"/></div><div> <param name="ext-rtp-ip" value="XY.XY.XY.XY"/></div>
<div> <param name="ext-sip-ip" value="XY.XY.XY.XY"/></div><div> <param name="sip-port" value="5060"/></div><div> <param name="auth-calls" value="false"/></div>
<div> <param name="context" value="inbound"/></div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span> <!-- 08232010</div><div><span class="Apple-tab-span" style="white-space:pre">                </span>Allow only inbound from vitelity IP</div>
<div><span class="Apple-tab-span" style="white-space: pre; ">                </span>--></div><div><span class="Apple-tab-span" style="white-space:pre">                </span><param name="local-network-acl" value="localnet.auto"/></div>
<div><span class="Apple-tab-span" style="white-space:pre">                </span><param name="apply-inbound-acl" value="localnet.auto"/></div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span></settings></div>
<div> </profile></div><div></include></div></div><div>-----------------</div><div><br></div><div>Please let me know what I am doing wrong or missing.</div><div><br></div><div>Thank you.</div><div><br></div><div>
<br><div class="gmail_quote">On Mon, Aug 23, 2010 at 6:00 PM, Victor Chukalovskiy <span dir="ltr"><<a href="mailto:Victor@isptelecom.net">Victor@isptelecom.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div text="#000000" bgcolor="#ffffff">
Malay,<br>
<br>
I use apply-inbound-acl="providers" in my sip profile. Then I define
my providers' IP addresses in ACL "providers" (within acl.conf.xml)<br>
This way all other IPs are forced to authorize in order to place
calls through. <br>
Why bother with firewall if freeswitch has built-in ACL
functionality?<br>
<br>
Regards,<br><font color="#888888">
Victor</font><div><div></div><div class="h5"><br>
<br>
On -10/01/37 02:59 PM, David Ponzone wrote:
<blockquote type="cite">You should do that in your firewall.
<div>The quicker you filter, the better.</div>
<div><br>
</div>
<div>I would not care much about the RTP traffic.</div>
<div>So you need to filter SIP.</div>
<div>And I really don't think Vitelity is going to change
the IP of their softswitch/SBC very often, and if they do, they
should tell you.</div>
<div><br>
</div>
<div>If Vitelity's IP is X and your SIP port is 5060, what you
should do as filters is:</div>
<div>allow UDP from X to yourIP:5060 (this will match SIP packets
coming from Vitelity)</div>
<div>deny UDP from all to yourIP:5060 (this will match malicious
SIP packets)</div>
<div>allow UDP from all to all (this will match the RTP traffic
and other UDP traffic)</div>
<div>and then add your other usual filters</div>
<div><br>
</div>
<div>
<div> <span style="border-collapse:separate;color:rgb(0, 0, 0);font-family:Helvetica;font-size:14px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div style="word-wrap:break-word"><span style="border-collapse:separate;color:rgb(0, 0, 0);font-family:Helvetica;font-size:14px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div style="word-wrap:break-word">
<div><font face="'Helvetica Neue'"><font color="#1c00ff">David Ponzone </font><font size="3" color="#000000"><span style="font-size:12px">Technical Management</span></font></font></div>
<div><font face="'Helvetica
Neue'"><font size="3"><span style="font-size:13px">email: <a href="mailto:david.ponzone@ipeva.fr" target="_blank">david.ponzone@ipeva.fr</a></span></font></font></div>
<div><font face="'Helvetica
Neue'"><font size="3"><span style="font-size:13px">tel: 01 74 03 18 97</span></font></font></div>
<div><font face="'Helvetica
Neue'"><font size="3"><span style="font-size:13px">gsm: 06 66 98 76 34</span></font></font></div>
<div><font face="'Helvetica
Neue'"><br>
</font></div>
<div><font color="#1c00ff" face="'Helvetica Neue'">Customer Service<span> </span></font><font face="'Helvetica Neue'"><font color="#ff0000">IP</font></font><font color="#1c00ff" face="'Helvetica Neue'">eva</font></div>
<div><font color="#1c00ff" face="'Helvetica Neue'"><span style="color:rgb(0, 0, 0);font-family:Helvetica">
<div><font face="'Helvetica Neue'"><font size="3"><span style="font-size:13px">tel: 0811
46 26 26</span></font></font></div>
<div><font size="3" face="'Helvetica Neue'"><span style="font-size:13px">
<div style="margin:0px;font:10px Arial;color:rgb(0, 34, 243)"><span style="text-decoration:underline"><a>www.ipeva.fr</a></span><span style="color:rgb(101, 104, 149)">
- <span style="color:rgb(0, 34, 243);text-decoration:underline"><a>www.ipeva-studio.com</a></span></span></div>
<div style="margin:0px;font:10px Arial;color:rgb(0, 34, 243)"><span style="text-decoration:underline"><br>
</span></div>
<div style="margin:0px;font:10px Arial;color:rgb(0, 34, 243)"><span>
<div style="margin:0px;text-align:justify;font:10px Arial;color:rgb(192, 192, 192)"><i>This message and all attachments are confidential and intended exclusively for its addressees. Any unauthorized use or distribution is prohibited. Any electronic message is liable to alteration. </i><b><i>IPeva</i></b><i> declines all responsibility for this message if it has been altered, distorted or falsified. If you are not the intended recipient of this message, please destroy it immediately and notify the sender.</i></div>
<div style="text-decoration:underline;text-align:justify"><font color="#c0c0c0"><i><br>
</i></font></div>
</span></div>
</span></font></div>
</span></font></div>
</div>
</span><br>
</div>
</span><br>
</div>
<br>
<div>
<div>On 23/08/2010 at 23:11, Malay Thakershi wrote:</div>
<br>
<blockquote type="cite">That is true. So do I block all other
IPs in my firewall? Or do I configure that in FreeSwitch?
Also, how can I be sure my provider's IP will remain the same? (I
use Vitelity)
<div><br>
</div>
<div>Please let me know.<br>
<br>
<div class="gmail_quote"> On Mon, Aug 23, 2010 at 3:03 PM,
David Ponzone <span dir="ltr"><<a href="mailto:david.ponzone@ipeva.fr" target="_blank">david.ponzone@ipeva.fr</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div style="word-wrap:break-word">If I understand
correctly, you expect calls from PSTN, so only from
the known IPs of your provider ?
<div>You can then filter all other IPs going to your
port X (5060, 5080, your mileage may vary).</div>
<div><br>
</div>
<div>Also, a call coming to a port you don't use (so
not opened) should not have ANY impact.</div>
<div>It should not even hit the dialplan.</div>
<div>It should be rejected with ICMP port
unreachable by the Windows TCP/IP stack.</div>
<div>
<div><br>
<br>
</div>
<div>
<div>On 23/08/2010 at 21:47, Malay Thakershi wrote:</div>
<div>
<div><br>
<blockquote type="cite">I am going through
documentation but it seems iptables can
eliminate calls being made on ports other
than required ones.
<div><br>
</div>
<div>But my server is Windows. How do I
run iptables command?</div>
<div><br>
</div>
<div>Also, could you tell me if I block
all incoming ports other than 5060 and
5061, will my regular inbound calls
work?</div>
<div><br>
</div>
<div>Thank you.</div>
<div><br>
</div>
<div><br>
<br>
<div class="gmail_quote"> 2010/8/23
Brian West <span dir="ltr"><<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"> David,<br>
No Clue, Never Used It, Can't
Say...<br>
<font color="#888888"><br>
/b<br>
</font>
<div><br>
On Aug 23, 2010, at 2:32 PM, David
Ponzone wrote:<br>
<br>
> Brian<br>
><br>
> he can't add an ACL with
FreePBX ?<br>
><br>
> On 23/08/2010 at 21:26, Brian West wrote:<br>
><br>
>> Well you're using FreePBX
right? The only course of action
you have is to find out why it's
crashing and report the issue
on our Jira. Without any more
info to go on you're SOL.<br>
>><br>
>> <a href="http://www.google.com/search?hl=en&client=safari&rls=en&defl=en&q=define:Vishing&sa=X&ei=RstyTO24JI_Znge7-6yNCw&ved=0CBIQkAE" target="_blank">http://www.google.com/search?hl=en&client=safari&rls=en&defl=en&q=define:Vishing&sa=X&ei=RstyTO24JI_Znge7-6yNCw&ved=0CBIQkAE</a><br>
>><br>
>> /b<br>
<br>
<br>
</div>
<div>
<div>_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>