<div class="gmail_quote">On Tue, Feb 8, 2011 at 4:18 PM, Simon J Mudd <span dir="ltr"><<a href="mailto:sjmudd@pobox.com">sjmudd@pobox.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I don't think I got a definitive answer to the question I posed before:<br>
<br></blockquote><div>I know you came on to the #freeswitch IRC channel but I don't recall where you left off in your quest for FreeSWITCH knowledge. I'll provide information here with links to relevant wiki articles, etc. all inline. However, let me just put these two points out there for everyone:</div>
<div><br></div><div>#1 - If, when learning FreeSWITCH, you feel overwhelmed because there are so many different config options, etc. then remember this: FreeSWITCH is designed for power and flexibility, not simplicity. A carrier-grade, multi-protocol soft-switch is supposed to be complex. </div>
<div><br></div><div>#2 - The default configuration is just an example of some of the many cool things you can do with FreeSWITCH. It is not meant to be a turn-key, out-of-box solution to put into a production environment, even a SOHO environment. This is a feature, not a bug. </div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<a href="mailto:sjmudd@pobox.com">sjmudd@pobox.com</a> (Simon J Mudd) writes:<br>
<br>
...<br> </blockquote><div><snip></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
> This specifies a user for registration who:<br>
> (1) must provide a password<br>
> (2) can only register from the given network range<br>
> (3) is only allowed to make 1 call at a time </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
I see that there are ways to implement (3) though it seems that's more on<br>
a per gateway basis than a per extension basis. That's ok.<br>
<br>
What really interests me is implementing (1) _and_ (2) together. Is this<br>
possible? If not it would certainly be a nice new feature.<br></blockquote><div><br></div><div>This is definitely possible. There are two ways to do it that I can think of:</div><div>#1 - The "proper" way with mod_xml_curl</div>
<div>#2 - The less proper but still quite functional way of using a user's channel variables and dialplan.*</div><div><br></div><div>Either option requires a bit of reading up. The good news is that setting the user information in the directory magically makes FS ready to do auth challenges for calls and user registrations.</div>
<div><br></div><div>For more information on mod_xml_curl see:</div><div><a href="http://wiki.freeswitch.org/wiki/Mod_xml_curl">http://wiki.freeswitch.org/wiki/Mod_xml_curl</a></div><div>Also see Raymond's samples in the freeswitch-contrib repo:</div>
<div><a href="http://fisheye.freeswitch.org/browse/freeswitch-contrib/intralanman/PHP/fs_curl">http://fisheye.freeswitch.org/browse/freeswitch-contrib/intralanman/PHP/fs_curl</a></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Perhaps the default FreeSWITCH configuration should limit access to<br>
the default extensions to be registered only from the networks defined<br>
in localnet.auto. This reduces exposure to external bad<br>
software.<br></blockquote><div>Many people don't want this limitation turned on by default. If we did this then a lot of people would be asking for the ability to have external phones be able to access FreeSWITCH by default. Besides, there are other alternatives, such as using a firewall.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Even if I can configure this extra limitation myself manually I'd be<br>
happy as this would basically leave me more comfortable with<br>
FreeSWITCH running unattended. I'm not confident to do that now if I<br>
configure any gateways due to the issues I've had before.<br></blockquote><div>Understood. It is always best to know your VoIP before you throw it out on the public Internet.</div><div><br></div><div>Your blog had several other issues so I'll number them here and then comment on them below.</div>
<div>Questions:</div><div><br></div><div>1. Default FreeSWITCH logging maybe too verbose</div><div>2. XML file breakage</div><div>3. Relatedly, comments need to be in "<!-- xxx -->" format</div><div>4. The external profile should log auth failures by default</div>
<div>5. FreeSWITCH should have some sort of rate-limiting</div><div>6. It should be more obvious how to configure network ACLs for for extensions, and these should be configured by default</div><div>7. For registration, a client can use FreeSWITCH's IP address as well as domain name</div>
<div>8. "For trunk connections if you have a DID number you expect the VoIP provider to call you..."</div><div>9. Allow rate-limiting to/from a gateway or extension</div><div><br></div><div>Answers:</div><div><br>
</div><div>1. This goes back to FreeSWITCH being a massively huge piece of software with lots of configuration options. Having verbose debugging is very handy. It is much better for a new person to have too much information at first and then learn about what logging to turn off. The other alternative is for a new person to come around with a question about something that happened and not have any logs to help debug. Log files can be archived or deleted, but the information that never got logged is worthless.</div>
<div><br></div><div>2. XML "file breakage" is well-documented here:</div><div><a href="http://wiki.freeswitch.org/wiki/Debugging_Freeswitch#Chasing_down_XML_errors">http://wiki.freeswitch.org/wiki/Debugging_Freeswitch#Chasing_down_XML_errors</a></div>
<div>If you wanted to you could take the aggregated file (freeswitch.xml.fsxml) and put it in conf/freeswitch.xml as the only config file. Of course, now you're editing a 4500 line XML file... :)</div><div><br></div><div>
3. These are just standard XML comments. They take the form:</div><div><font class="Apple-style-span" face="'courier new', monospace"><!-- comment --></font></div><div>The XML standard dictates that you have two dashes. (Your example seems to show single dashes.) The XML standard also states that you may not nest comments, nor may you include "--" inside of a comment. See <a href="http://www.w3.org/TR/REC-xml/#sec-comments">http://www.w3.org/TR/REC-xml/#sec-comments</a> for more info</div>
<div><br></div><div>4. This is a reasonable suggestion. We have a saying: "patches accepted". If anyone has a moment to implement *AND TEST* this please do so and send us a patch on Jira.</div><div><br></div><div>
5. Rate-limiting is absolutely possible in FreeSWITCH, and it is not limited to SIP traffic. Pretty much anything you can think of can be rate-limited using mod_limit. More information here:</div><div><a href="http://wiki.freeswitch.org/wiki/Mod_limit">http://wiki.freeswitch.org/wiki/Mod_limit</a></div>
<div><br></div><div>6. Not sure how to make it more obvious than this:</div><div><a href="http://wiki.freeswitch.org/wiki/Acl#Users">http://wiki.freeswitch.org/wiki/Acl#Users</a></div><div><br></div><div>7. We allow both IP and domain name by default to lower the barrier to entry. The default config is supposed to "just work" in a sandbox so that new users can learn. One great way to learn is by setting up a system and then making mods to the default config and see what breaks. </div>
<div><br></div><div>8. This is a fun one... What you ask for is something that would work in an ideal situation, however SIP is involved so idealism must give way to realism. Most providers will blow up and die if you send them 401's or 407's so that's not a logical choice for the default. (Again, nothing preventing you from modifying the default configs to suit your personal needs.) You can also use ACLs to limit the source of incoming calls, but then you run the risk of them reconfiguring and changing IP addresses. As long as you are prepared for that scenario then you're fine, but most new users probably could do without us adding that burden to them by default.</div>
<div><br></div><div>9. See #5</div><div><br></div><div>I hope we haven't scared you off! I'm sure that you can (and will) overcome all of your challenges in configuring FreeSWITCH for your needs. The community is here to assist. </div>
<div><br></div><div>Regards,</div><div>Michael S Collins (IRC: mercutioviz)</div><div><br></div><div>*BONUS CONTENT:</div><div>Here's an example of limiting a user's IP address. Add a line like this to your user's XML file:</div>
<div><font class="Apple-style-span" face="'courier new', monospace"><variable name="allowed_ipaddrs" value="^(192\.168\.1\.|10\.10\.16\.161)"/></font></div><div>This is a regex that matches an exact address (10.10.16.161) or matches a partial IP address (192.168.1.x) </div>
<div><br></div><div>Then do something like this in your dialplan:</div><div><div><font class="Apple-style-span" face="'courier new', monospace"> <extension name="check user's IP address" continue="true"></font></div>
<div><font class="Apple-style-span" face="'courier new', monospace"> <condition field="network_addr" expression="${allowed_ipaddrs}"></font></div><div><font class="Apple-style-span" face="'courier new', monospace"> <action application="log" data="WARNING IP Addr test passed"/></font></div>
<div><font class="Apple-style-span" face="'courier new', monospace"> <anti-action application="log" data="ERR IP Addr test is an EPIC FAIL"/></font></div><div><font class="Apple-style-span" face="'courier new', monospace"> <anti-action application="answer"/></font></div>
<div><font class="Apple-style-span" face="'courier new', monospace"> <anti-action application="sleep" data="1000"/></font></div><div><font class="Apple-style-span" face="'courier new', monospace"> <anti-action application="playback" data="ivr/ivr-all_your_call_are_belong_to_us.wav"/></font></div>
<div><font class="Apple-style-span" face="'courier new', monospace"> <anti-action application="hangup"/></font></div><div><font class="Apple-style-span" face="'courier new', monospace"> </condition></font></div>
<div><font class="Apple-style-span" face="'courier new', monospace"> </extension></font></div></div><div><br></div><meta http-equiv="content-type" content="text/html; charset=utf-8"></div>