ACLs control registrations and calls, not options requests.<br><br>You'd be best off blocking sipvicious with this iptables entry:<br><pre>iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm</pre>
<br>-Steve<br><br><br><div class="gmail_quote">On 8 June 2011 20:11, Eric Beard <span dir="ltr"><<a href="mailto:eric@loopfx.com">eric@loopfx.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal">It seems I misunderstand the purpose of the acl.conf.xml file.</p><p class="MsoNormal"> </p><p class="MsoNormal">What I want to do is create an IP whitelist, so only the IPs I designate get a response from FreeSwitch. I’d like to do this with FreeSwitch rather than a firewall.</p>
<p class="MsoNormal"> </p><p class="MsoNormal">I have this in acl.conf.xml:</p><p class="MsoNormal"> </p><p class="MsoNormal"> <list name="domains" default="deny"></p><p class="MsoNormal"> <!-- domain= is special it scans the domain from the directory to build the ACL --></p>
<p class="MsoNormal"> <node type="allow" domain="$${domain}"/></p><p class="MsoNormal"> <!-- use cidr= if you wish to allow ip ranges to this domains acl. --></p><p class="MsoNormal">
<node type="allow" cidr="<a href="http://10.1.0.0/24" target="_blank">10.1.0.0/24</a>"/></p><p class="MsoNormal"> </p><p class="MsoNormal"> <!-- Broadvox DID --></p><p class="MsoNormal">
<node type="allow" cidr="<a href="http://209.249.3.74/32" target="_blank">209.249.3.74/32</a>"/></p><p class="MsoNormal"> </list></p><p class="MsoNormal"> </p><p class="MsoNormal">
I was assuming that this would only allow traffic from my local network, 10.1.0.0, and from the single IP 209.249.3.74</p><p class="MsoNormal"> </p><p class="MsoNormal">But while watching sip traffic, I saw an OPTIONS request from a different IP (sipvicious scan). Freeswitch happily responded to the OPTIONS with an OK.</p>
<p class="MsoNormal"> </p><p class="MsoNormal">How can I configure it so that it ignores requests that are not on my whitelist?</p><p class="MsoNormal"> </p><p class="MsoNormal">Thanks!</p><p class="MsoNormal"> </p><p class="MsoNormal">
<span style="font-size:10.0pt;color:#1F497D">-----------------------</span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;color:#1F497D">Eric Z. Beard, CTO</span></b><span style="font-size:10.0pt;color:#1F497D"></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Loop LLC</span></p><p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">w (877) 850-2010 x9249</span></p><p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">m (727) 776-2768</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D"><a href="mailto:eric@loopfx.com" target="_blank"><span style="color:blue">eric@loopfx.com</span></a></span></p><p class="MsoNormal"> </p></div></div><br>_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br><div style="visibility: hidden; left: -5000px; position: absolute; z-index: 9999; padding: 0px; margin-left: 0px; margin-top: 0px; overflow: hidden; word-wrap: break-word; color: black; font-size: 10px; text-align: left; line-height: 130%;" id="avg_ls_inline_popup">
</div>