<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi Ken, thank you for your feedback, you are right, even though it would have to be done by hand (maintenaning the ip tables) it is completely doable<br>but i had a wrong impression on how the sip profiles worked together with lua to capture the 'register' requests and filter the bad ones out,<br>so i took a wrong design decision earlier by coupling that service with others in the same profile and putting a FW in front filtering IP would have<br>affected the other services on the same profile, but it is clear now and all you mentioned could be implemented easily as well. thank you for your suggestions.<br><br><div><hr id="stopSpelling">From: krice@freeswitch.org<br>To: freeswitch-users@lists.freeswitch.org<br>Date: Sat, 26 Sep 2015 11:06:54 -0500<br>Subject: Re: [Freeswitch-users] Filtering UA's IP<br><br><style><!--
.ExternalClass p.ecxMsoNormal, .ExternalClass li.ecxMsoNormal, .ExternalClass div.ecxMsoNormal {
font-size:12.0pt;
font-family:"Times New Roman",serif;
}
.ExternalClass a:link, .ExternalClass span.ecxMsoHyperlink {
color:#0563C1;
text-decoration:underline;
}
.ExternalClass span.ecxMsoHyperlinkFollowed {
color:#954F72;
text-decoration:underline;
}
.ExternalClass p {
font-size:12.0pt;
font-family:"Times New Roman",serif;
}
.ExternalClass span.ecxEmailStyle18 {
font-family:"Calibri",sans-serif;
color:#1F497D;
}
.ExternalClass .ecxMsoChpDefault {
font-size:10.0pt;
}
.ExternalClass div.ecxWordSection1 {
}
--></style><div class="ecxWordSection1"><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;">Why can’t you use a firewall? Pretty much every firewall that I know of allows you to define not just which hosts, but which ports to filter.</span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;"> </span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;">Example lets just say 10.0.0.0/8 is a bad actor region, but you still want to allow them to send email and visit the website.</span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;"> </span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;">You block src IP 10.0.0.0/8 to dst port 5060, 5080 etc</span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;">And allow that same block to still hit port 25 (STMP) along with 80 and 443 (http/https respectively)</span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;"> </span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;"> </span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;"> </span></p><div><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in;"><p class="ecxMsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;"> freeswitch-users-bounces@lists.freeswitch.org [mailto:freeswitch-users-bounces@lists.freeswitch.org] <b>On Behalf Of </b>Juan Pablo L.<br><b>Sent:</b> Saturday, September 26, 2015 1:12 AM<br><b>To:</b> freeswitch-users@lists.freeswitch.org<br><b>Subject:</b> [Freeswitch-users] Filtering UA's IP</span></p></div></div><p class="ecxMsoNormal"> </p><div><p class="ecxMsoNormal"><span style="font-family:"Calibri",sans-serif;">Hi, is there any way on freeswitch to forbid registration (or any connection) from certain regions in the world ? .. <br>what i need to accomplish is to prevent people from connecting from my same country as we have a voip service<br>that is supposed to be accessed only when you are out of the country so i need to validate the UA's ip when registering.<br>I can not use a router or FW or any other thing in front of the freeswitch because the same freeswitch also serves <br>other services that do not have this restriction. This restriction only affects users in one profile only. <br>I m aware that i could capture the registrations using a lua script and i guess from there i could consult<br>a GeoIP database etc etc but that affects all profiles and not only this particular profile of this particular service<br>and that could be a performance hit for the service as a whole so i would like to avoid that.<br><br>thank you!</span></p></div></div><br>_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting@freeswitch.org
http://www.freeswitchsolutions.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org</div> </div></body>
</html>