<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Simon,</div><div><br></div>You can also add rate-limiting rules in iptables, to prevent SIP DoS (people sending you lots of INVITEs).<div><br></div><div>On the other hand, one reason not to use iptables for everything is to avoid sawing off the branch you are sitting on.</div><div><br></div><div>When both ACLs are possible, my personal rule would be:</div><div>- if changes are required every day or by various people who are not iptables experts, use FreeSWITCH ACL</div><div>- if changes are done by an expert and/or are not frequent, go for iptables</div><div><br><div>
<div>David Ponzone, Technical Management</div><div>email: <a href="mailto:david.ponzone@ipeva.fr">david.ponzone@ipeva.fr</a></div><div>tel: 01 74 03 18 97</div><div>gsm: 06 66 98 76 34</div><div><br></div><div>IPeva Customer Service</div><div>tel: 0811 46 26 26</div><div><a href="http://www.ipeva.fr/">www.ipeva.fr</a> - <a href="http://www.ipeva-studio.com/">www.ipeva-studio.com</a></div>
</div>
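<div>The iptables-side measures discussed in this thread (per-source rate limiting of INVITEs, dropping the friendly-scanner user agent, and keeping administrative access ahead of everything else), written as a rule generator. This is an added example, not part of the original message; the ports, the 192.0.2.0/24 management network, the limits, and the names <code>SIP_GUARD</code>, <code>sip_invite</code> and <code>sip_guard_rules</code> are assumptions.</div>
<pre>
```shell
#!/bin/sh
# Added example, not from the thread: prints an iptables-restore fragment.
# It only prints rules; it never changes the live firewall.
# Assumptions: SIP on UDP 5060, SSH administration on TCP 22.

r() { printf '%s\n' "$*"; }   # emit one rule line

# Usage: sip_guard_rules MGMT_CIDR INVITES_PER_SECOND BURST
sip_guard_rules() {
    mgmt=$1 rate=$2 burst=$3
    # Reject malformed input so a typo never becomes a half-valid rule.
    case $mgmt in
        ''|*[!0-9./]*) return 2 ;;   # empty, or not digits, dots and slash
        */*) ;;                      # an explicit prefix length is required
        *) return 2 ;;
    esac
    for n in "$rate" "$burst"; do
        case $n in ''|0|*[!0-9]*) return 2 ;; esac
    done

    r '*filter'
    r ':SIP_GUARD - [0:0]'
    # Administrative access goes first, so a mistake further down cannot
    # lock the administrator out.
    r "-I INPUT 1 -p tcp -s $mgmt --dport 22 -j ACCEPT"
    # All SIP signalling is inspected in its own chain.
    r '-I INPUT 2 -p udp --dport 5060 -j SIP_GUARD'
    # Drop the scanner user agent named in the thread.
    r '-A SIP_GUARD -m string --string "friendly-scanner" --algo bm -j DROP'
    # Drop INVITEs from any single source IP that exceed the rate.
    # "--to 65" keeps the search to the first 65 bytes of the packet,
    # which is where the SIP request line starts.
    limit="-m hashlimit --hashlimit-name sip_invite --hashlimit-mode srcip"
    limit="$limit --hashlimit-above $rate/second --hashlimit-burst $burst"
    r "-A SIP_GUARD -m string --string \"INVITE sip:\" --algo bm --to 65 $limit -j DROP"
    # Everything else returns to INPUT for the remaining rules.
    r '-A SIP_GUARD -j RETURN'
    r 'COMMIT'
}

# Constructed sample values: documentation network, 10 INVITE/s, burst 20.
# Loading the same fragment twice would insert the two INPUT rules twice.
sip_guard_rules 192.0.2.0/24 10 20
```
</pre>
<div>Check the generated fragment with <code>iptables-restore --test --noflush</code> before loading it with <code>iptables-restore --noflush</code>, so the existing rules stay in place.</div>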
<br><div><div>On 07/02/2011 at 08:49, Steven Ayre wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>You can do so in freeswitch but sometimes it's better to do it in the firewall. For example it uses far fewer resources to block someone in the firewall. It's also easier to block scanners such as friendly-scanner in the firewall.<br><br>Steve on iPhone<br><br>On 7 Feb 2011, at 07:31, Simon J Mudd &lt;<a href="mailto:sjmudd@pobox.com">sjmudd@pobox.com</a>&gt; wrote:<br><br><blockquote type="cite">On Mon, Feb 07, 2011 at 12:22:36AM +0100, Simon J Mudd wrote:<br></blockquote><blockquote type="cite"><blockquote type="cite">I've been looking at trying to configure tighter controls for extensions that register.<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Looking at <a href="http://wiki.freeswitch.org/wiki/Acl">http://wiki.freeswitch.org/wiki/Acl</a> I see the comment lower down:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">sip_profiles<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">... Should you want to protect your FreeSWITCH installation from being contacted by some IP addresses, you will need to setup some firewall rules. To protect your installation, you can look at QoS.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I'm confused. 
I understand that a firewall can be configured to drop/allow certain packages but given that FreeSWITCH does have acls it seems unusual to me that you<br></blockquote><blockquote type="cite">can do this directly in FreeSWITCH.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">That is I have an Asterisk configuration which I am trying to migrate from and can easily configure in sip.conf:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">[1000]<br></blockquote><blockquote type="cite">username=1000<br></blockquote><blockquote type="cite">type=friend<br></blockquote><blockquote type="cite">secret=1234567890<br></blockquote><blockquote type="cite">context=xxxxxx<br></blockquote><blockquote type="cite">host=dynamic<br></blockquote><blockquote type="cite">registersip=yes<br></blockquote><blockquote type="cite">deny=0.0.0.0/0.0.0.0<br></blockquote><blockquote type="cite">permit=88.100.50.0/255.255.255.0 -- this is not a real network range but you get the idea.<br></blockquote><blockquote type="cite">nat=yes<br></blockquote><blockquote type="cite">call-limit=1<br></blockquote><blockquote type="cite">...<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">This specifies a user for registration who:<br></blockquote><blockquote type="cite">(1) must provide a password<br></blockquote><blockquote type="cite">(2) can only register from the given network range<br></blockquote><blockquote type="cite">(3) is only allowed to make 1 call at a time<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Basically I want to mimic this functionality.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I'm assuming that FreeSWITCH acls would be the way to do this. 
The<br></blockquote><blockquote type="cite">examples on the wiki don't seem to suggest this is possible.<br></blockquote><blockquote type="cite">Could someone help provide an example of if/how this would be done<br></blockquote><blockquote type="cite">in FreeSWITCH?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Thanks,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Simon<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">FreeSWITCH-users mailing list<br></blockquote><blockquote type="cite"><a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br></blockquote><blockquote type="cite"><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br></blockquote><blockquote type="cite">UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users<br></blockquote><blockquote type="cite"><a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br></blockquote><br></div></blockquote></div><br></div></body></html>