<div dir="ltr"><div><div><div><div><div>I am studying opensips and kamailio, but to be honest, I am a little afraid of them - just because I am not sure if I can figure out every situation in route.<br><br></div>My environment is strictly controlled with iptables drop policy and just friendly traffic is allowed.<br><br></div>What I understood by now is that I must have a profile for every NIC used to route traffic.<br><br></div>What I don't get yet is how directory relates to profiles. In file directory/default/example.com.xml there is a user "joe" which has a gateway defined inside it and that sofia shows in every gateway available (except in internal)<br><br></div>Just to make me more confused: <a href="https://wiki.freeswitch.org/wiki/SBC_Setup">https://wiki.freeswitch.org/wiki/SBC_Setup</a><br><br></div>In which internal and external are bound to the same ip+port but to different vlans. How are vlan tags bound to internal and external profiles?<br><br><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><br></div><div>Sincerely,<br><br><img src="http://fastway.com.br/assinaturas/jpg/assinatura_branca_valter-min.jpg"><br></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">2016-12-12 9:09 GMT-02:00 David Villasmil <span dir="ltr">&lt;<a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">At the very least start by looking at Homer (<a href="http://sipcapture.org/" target="_blank">http://sipcapture.org/</a>) which works beautifully with kamailio (I assume also openSIPS) and freeswitch, and it generates by default some nice graphs and alarms.</div><div class="gmail_extra"><br clear="all"><div><div class="m_4293907271943176416gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Regards,</div><div><br></div>David Villasmil<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div><div>phone: <a href="tel:+34%20669%2044%2083%2037" value="+34669448337" target="_blank">+34669448337</a></div></div></div></div>
<br><div class="gmail_quote">On Mon, Dec 12, 2016 at 10:19 AM, Stanislav Sinyagin <span dir="ltr"><<a href="mailto:ssinyagin@gmail.com" target="_blank">ssinyagin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">but that's part of a job for an end-to-end system designer, it's not<br>
something specific to a particular piece of software.<br>
<br>
For the scenario that Valter has described, FreeSWITCH (or two servers<br>
in a cluster) will do the job just fine. But of course it needs to be<br>
designed, configured and tested properly, with security in mind.<br>
<br>
I would agree, it's good to place Kamailio as the first-hop Internet<br>
gateway if you need to process INVITEs from unknown sources in<br>
Internet. It has nice features that minimize the impact of various DOS<br>
attacks or hacking. Also if you need to scale up, Kamailio will serve<br>
nicely as a load-balancer. But there's nothing wrong in placing<br>
FreeSWITCH alone in the Internet if you know what you're doing.<br>
<div class="m_4293907271943176416HOEnZb"><div class="m_4293907271943176416h5"><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
On Mon, Dec 12, 2016 at 4:43 AM, Kamil Nigmatullin<br>
<<a href="mailto:kamil.nigmatullin@gmail.com" target="_blank">kamil.nigmatullin@gmail.com</a>> wrote:<br>
> The first was the problem, where attacker somehow got login and password (I<br>
> think they broke their ATA) from client and used it. But for this client<br>
> there was a limit of one line. I used limit module with local database. What<br>
> attacker actually did, is that they used REFER attack, where they put their<br>
> own number as a referrer, and opened unlimited lines to PSTN. So the<br>
> solution was - to replace limit functionality to opensips.<br>
><br>
> The second - it is not actually the FS issue. It is because Freeswitch is<br>
> not flexible enough to work at the low level where Kamailio or opensips<br>
> operates. E.g., we programmed opensips to lookup for UserAgent database, we<br>
> add useragent for each client manually. And only using client's IP and<br>
> user-agent we allow this user to call to PSTN. We watch for blacklists of IP<br>
> addresses, subnets. If it comes from Gaza, Panama, China we block it. And a<br>
> lot of other things. Most of them are not out-of-box in opensips, but it is<br>
> not hard to implement. All this functionality is very important. We lost<br>
> about $10k last time. This is very serious.<br>
><br>
> 2016-12-12 8:56 GMT+06:00 Alex Balashov <<a href="mailto:abalashov@evaristesys.com" target="_blank">abalashov@evaristesys.com</a>>:<br>
>><br>
>> On Mon, Dec 12, 2016 at 08:17:57AM +0600, Kamil Nigmatullin wrote:<br>
>><br>
>> > I love freeswitch, but frankly I would not recommend to set it as SBC. I<br>
>> > personally faced two attacks where FS was not good at. And we lost a lot of<br>
>> > money. It works perfectly as NAT between internal and external networks,<br>
>> > actually in everything but it is weak as a firewall. Stanislav knows that,<br>
>> > he helped me to resolve the problem first time when it happened. I cannot go<br>
>> > into details as this is open forum. You need to put either kamailio or<br>
>> > opensips in front of FS.<br>
>><br>
>> Strongly agree.<br>
>><br>
>> --<br>
>> Alex Balashov | Principal | Evariste Systems LLC<br>
>><br>
>> Tel: <a href="tel:%2B1-706-510-6800" value="+17065106800" target="_blank">+1-706-510-6800</a> (direct) / <a href="tel:%2B1-800-250-5920" value="+18002505920" target="_blank">+1-800-250-5920</a> (toll-free)<br>
>> Web: <a href="http://www.evaristesys.com/" rel="noreferrer" target="_blank">http://www.evaristesys.com/</a>, <a href="http://www.csrpswitch.com/" rel="noreferrer" target="_blank">http://www.csrpswitch.com/</a><br>
>><br>
>> ______________________________<wbr>______________________________<wbr>_____________<br>
>> Professional FreeSWITCH Consulting Services:<br>
>> <a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
>> <a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions<wbr>.com</a><br>
>><br>
>> Official FreeSWITCH Sites<br>
>> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
>> <a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.o<wbr>rg</a><br>
>> <a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
>><br>
>> FreeSWITCH-users mailing list<br>
>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswi<wbr>tch.org</a><br>
>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/ma<wbr>ilman/listinfo/freeswitch-user<wbr>s</a><br>
>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.frees<wbr>witch.org/mailman/options/<wbr>freeswitch-users</a><br>
>> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Kamil Nigmatullin<br>
> Tel: 77272323748<br>
> mob: 7 <a href="tel:%28707%29%202517003" value="+17072517003" target="_blank">(707) 2517003</a><br>
> Skype: kamil.nigmatullin<br>
><br>
</div></div></blockquote></div><br></div>
</blockquote></div><br></div>
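The checks described in Kamil Nigmatullin's quoted message (source IP plus User-Agent per client, a subnet blocklist, and a line limit that a REFER cannot bypass), as an added Python example. It is not code from the thread or from OpenSIPS; the account name, addresses, User-Agent strings and the `PstnGate` class are constructed for illustration.

```python
import ipaddress

# Constructed policy: hypothetical account, RFC 5737 documentation addresses.
ALLOWED = {"acct1001": {"nets": ["192.0.2.0/24"],
                        "agents": {"ExampleATA/1.0"}, "max_legs": 1}}
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]

class PstnGate:
    """Called for BYE and for every PSTN-bound INVITE or REFER."""

    def __init__(self, allowed, blocked):
        self.allowed, self.blocked = allowed, blocked
        self.legs = {}  # account -> ids of PSTN legs currently up

    def check(self, method, account, src_ip, user_agent, leg_id):
        if method == "BYE":
            self.legs.get(account, set()).discard(leg_id)
            return "ok"
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.blocked):
            return "reject: blocked network"
        rule = self.allowed.get(account)
        if rule is None:
            return "reject: unknown account"
        if not any(ip in ipaddress.ip_network(n) for n in rule["nets"]):
            return "reject: source IP not registered for account"
        # User-Agent is client-supplied, so it only narrows the IP check.
        if user_agent not in rule["agents"]:
            return "reject: unexpected User-Agent"
        active = self.legs.setdefault(account, set())
        # A REFER towards the PSTN opens a new leg, so it is counted
        # against the same limit as an INVITE.
        if leg_id not in active and len(active) >= rule["max_legs"]:
            return "reject: concurrent-call limit"
        active.add(leg_id)
        return "ok"

def run_sample():
    gate = PstnGate(ALLOWED, BLOCKED)
    ata = ("acct1001", "192.0.2.10", "ExampleATA/1.0")
    events = [  # constructed request sequence
        ("INVITE", *ata, "leg-a"),
        ("REFER", *ata, "leg-b"),
        ("INVITE", "acct1001", "198.51.100.7", "ExampleATA/1.0", "leg-c"),
        ("INVITE", "acct1001", "192.0.2.10", "scanner/0.1", "leg-d"),
        ("INVITE", "acct1001", "203.0.113.5", "ExampleATA/1.0", "leg-e"),
        ("BYE", *ata, "leg-a"),
        ("REFER", *ata, "leg-f"),
    ]
    return [gate.check(*e) for e in events]

if __name__ == "__main__":
    print(run_sample())
```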