<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Steven, thanks a lot for your reply.&nbsp;<div>The implicit&nbsp;apply-inbound-acl with a value of&nbsp;loopback.auto was my initial guess, but there were no mentions of it in the wiki (perhaps I'd overlooked it). Would you be so kind as to also answer whether there is any way to stack some ACLs like this:</div><div><br></div><div><div>&lt;configuration name="event_socket.conf" description="Socket Client"&gt;</div><div>&nbsp; &lt;settings&gt;</div><div>&nbsp; &nbsp; &lt;param name="nat-map" value="false"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="listen-ip" value="0.0.0.0"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="listen-port" value="8021"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="password" value="ClueCon"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="apply-inbound-acl" value="loopback.auto"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="apply-inbound-acl" value="192.168.1.0/24"/&gt;&nbsp;</div><div>&nbsp; &lt;/settings&gt;</div><div>&lt;/configuration&gt;</div></div><div><br></div><div>Regards,</div><div>Pavel.<br><br><div><hr id="stopSpelling">From: steveayre@gmail.com<br>Date: Mon, 14 Sep 2015 09:18:57 +0100<br>To: freeswitch-users@lists.freeswitch.org<br>Subject: Re: [Freeswitch-users] ACL for ESL issue ?<br><br><div dir="ltr">You need to use one or more apply-inbound-acl to allow access via ACLs you have created.<div><br></div><div>If you don't supply apply-inbound-acl then the default will be loopback.auto, to lock access down to local access only.<div><br></div><div>In 1.2 the default was to not apply any ACL (allow anyone), in 1.4 it requires you to be explicit or it'll only allow local connections even if you listen on 0.0.0.0 or ::. This is more secure.</div><div><br></div><div>If you're opening it up to remote access you want to be very careful about who you allow to connect. 
The protocol is unencrypted, the password is sent in plaintext, and it provides the ability to crash freeswitch or execute system commands as the freeswitch user. So it's a security hole that you don't want to be any more open than it absolutely has to be.</div><div><br></div><div><br></div><div><div><br></div><div><br></div></div></div></div><div class="ecxgmail_extra"><br><div class="ecxgmail_quote">On 11 September 2015 at 12:58, Pavel <span dir="ltr">&lt;<a href="mailto:my.post@hotmail.com" target="_blank">my.post@hotmail.com</a>&gt;</span> wrote:<br><blockquote class="ecxgmail_quote" style="border-left:1px #ccc solid;padding-left:1ex;">


<div><div dir="ltr">Hello,<br>&nbsp;I was trying to enable esl connections from outside of fs host. To do so I've followed&nbsp;<a href="https://wiki.freeswitch.org/wiki/Mod_event_socket#Configuration" target="_blank">https://wiki.freeswitch.org/wiki/Mod_event_socket#Configuration</a>&nbsp;and changed default&nbsp;event_socket.conf.xml<br>from:<div><br><div><div>&lt;configuration name="event_socket.conf" description="Socket Client"&gt;</div><div>&nbsp; &lt;settings&gt;</div><div>&nbsp; &nbsp; &lt;param name="nat-map" value="false"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="listen-ip" value="::"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="listen-port" value="8021"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="password" value="ClueCon"/&gt;</div><div><span style="font-size:12pt;">&nbsp; &lt;/settings&gt;</span></div><div>&lt;/configuration&gt;</div><div><br>to:</div><div><br></div><div><div>&lt;configuration name="event_socket.conf" description="Socket Client"&gt;</div><div>&nbsp; &lt;settings&gt;</div><div>&nbsp; &nbsp; &lt;param name="nat-map" value="false"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="listen-ip" value="0.0.0.0"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="listen-port" value="8021"/&gt;</div><div>&nbsp; &nbsp; &lt;param name="password" value="ClueCon"/&gt;</div><div><span style="font-size:12pt;">&nbsp; &lt;/settings&gt;</span></div><div>&lt;/configuration&gt;</div></div><div><br>and issued:&nbsp;</div><div>reload mod_event_socket.<br><br>Trying to telnet to fs host on port 8021 I observe:<br><br><div>Content-Type: text/rude-rejection</div><div>Content-Length: 24</div><div><br></div><div>Access Denied, go away.</div><div>Content-Type: text/disconnect-notice</div><div>Content-Length: 67</div><div><br></div><div>Disconnected, goodbye.</div><div>See you at ClueCon! 
<a href="http://www.cluecon.com/" target="_blank">http://www.cluecon.com/</a></div><div>Connection closed by foreign host.</div><div><br></div>And in the fs log I can see the following:<br><br>mod_event_socket.c:2603 IP "someiphere" Rejected by acl "loopback.auto"<br><br>But as far as I understand the&nbsp;<span style="font-size:12pt;">event_socket.conf.xml doesn't mention any ACL set up against ESL connection?</span></div><div>Would someone please be so kind as to point out what I am missing?</div><div>Thanks.</div><div>Regards,</div><div>Pavel.</div><div><span style="font-size:12pt;"><br></span></div><div><br></div><br></div></div>                                               </div></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div>
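<div>An added example, not part of the thread and not FreeSWITCH code: a Python audit of an event_socket.conf document that flags the conditions discussed above (wildcard listen-ip, the ClueCon password shown in the posted configs, and a missing or widened apply-inbound-acl). The function name, the severity labels and the legacy_12 flag are assumptions of this example; the sample input is the "to:" config from the original question.</div>

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the "to:" config from the thread
# (wildcard bind, ClueCon password, no apply-inbound-acl).
SAMPLE = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>"""


def audit_event_socket(xml_text, legacy_12=False):
    """Return (severity, message) findings for an event_socket.conf document.

    legacy_12 (hypothetical flag) selects the 1.2 behaviour described in the
    thread: no ACL applied when apply-inbound-acl is absent.
    """
    root = ET.fromstring(xml_text)
    params = [(p.get("name"), p.get("value", "")) for p in root.iter("param")]
    listen_ip = next((v for n, v in params if n == "listen-ip"), "")
    password = next((v for n, v in params if n == "password"), "")
    acls = [v for n, v in params if n == "apply-inbound-acl"]

    try:
        addr = ipaddress.ip_address(listen_ip)
        wildcard, local_only = addr.is_unspecified, addr.is_loopback
    except ValueError:
        wildcard, local_only = False, False  # hostname or empty: not classified

    findings = []
    if password == "ClueCon":
        findings.append(("high", "password is the ClueCon value from the posted config"))
    if wildcard and not acls:
        if legacy_12:
            findings.append(("high", "wildcard listen-ip and no ACL: 1.2 allows anyone"))
        else:
            findings.append(("info", "no apply-inbound-acl: 1.4 defaults to loopback.auto"))
    if acls and acls != ["loopback.auto"] and not local_only:
        findings.append(("medium", "remote ESL permitted by ACL(s) %s; the protocol is "
                         "plaintext, so review every allowed range" % ", ".join(acls)))
    return findings


if __name__ == "__main__":
    for severity, message in audit_event_socket(SAMPLE):
        print(severity, message)
```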
</div></div>                                               </div></body>
</html>