[Freeswitch-users] ACL for ESL issue ?

Steven Ayre steveayre at gmail.com
Mon Sep 14 12:18:57 MSD 2015


You need to use one or more apply-inbound-acl to allow access via ACLs you
have created.

If you don't supply apply-inbound-acl then the default will be
loopback.auto, to lock access down to local access only.

In 1.2 the default was to not apply any ACL (allow anyone), in 1.4 it
requires you to be explicit or it'll only allow local connections even if
you listen on 0.0.0.0 or ::. This is more secure.

If you're opening it up to remote access you want to be very careful about
who you allow to connect. The protocol is unencrypted, the password is sent
in plaintext, and it provides the ability to crash freeswitch or execute
system commands as the freeswitch user. So it's a security hole that you
don't want to be any more open than it absolutely has to be.





On 11 September 2015 at 12:58, Pavel <my.post at hotmail.com> wrote:

> Hello,
>  I was trying to enable esl connections from outside of fs host. To do so
> I've followed
> https://wiki.freeswitch.org/wiki/Mod_event_socket#Configuration and
> changed default event_socket.conf.xml
> from:
>
> <configuration name="event_socket.conf" description="Socket Client">
>   <settings>
>     <param name="nat-map" value="false"/>
>     <param name="listen-ip" value="::"/>
>     <param name="listen-port" value="8021"/>
>     <param name="password" value="ClueCon"/>
>   </settings>
> </configuration>
>
> to:
>
> <configuration name="event_socket.conf" description="Socket Client">
>   <settings>
>     <param name="nat-map" value="false"/>
>     <param name="listen-ip" value="0.0.0.0"/>
>     <param name="listen-port" value="8021"/>
>     <param name="password" value="ClueCon"/>
>   </settings>
> </configuration>
>
> and issued:
> reload mod_event_socket.
>
> Trying to telnet to fs host on port 8021 I observe:
>
> Content-Type: text/rude-rejection
> Content-Length: 24
>
> Access Denied, go away.
> Content-Type: text/disconnect-notice
> Content-Length: 67
>
> Disconnected, goodbye.
> See you at ClueCon! http://www.cluecon.com/
> Connection closed by foreign host.
>
> And in the fs log I can see the following:
>
> mod_event_socket.c:2603 IP "someiphere" Rejected by acl "loopback.auto"
>
> But as far as I understand, the event_socket.conf.xml doesn't mention any
> ACL set up against ESL connections?
> Would someone please be so kind as to point out what I am missing?
> Thanks.
> Regards,
> Pavel.
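The behaviour described in this thread, as an added example that is not part of the original messages or of FreeSWITCH itself: a small audit of an event_socket.conf.xml body that reports which ACL effectively applies and whether the socket is exposed beyond loopback. The function name `audit`, the list name `esl_clients` and the placeholder password are assumptions made for illustration; the first sample is the configuration posted above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Pavel's changed config from the thread: all IPv4 addresses, no ACL named.
POSTED = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>"""

# Constructed variant. "esl_clients" is a hypothetical ACL list name that
# would have to exist in acl.conf.xml; the password is a placeholder.
RESTRICTED = POSTED.replace(
    '<param name="password" value="ClueCon"/>',
    '<param name="password" value="PLACEHOLDER-long-random-secret"/>\n'
    '    <param name="apply-inbound-acl" value="esl_clients"/>')


def audit(xml_text):
    """Return (effective ACL names, findings) for an event_socket.conf.xml."""
    params = {}
    for p in ET.fromstring(xml_text).iter("param"):
        params.setdefault(p.get("name"), []).append(p.get("value", ""))
    listen = params.get("listen-ip", [""])[-1]
    try:
        remote = not ipaddress.ip_address(listen).is_loopback
    except ValueError:  # missing or a $${variable}: assume it is reachable
        remote = True
    # Per the thread, 1.4 falls back to loopback.auto when no ACL is named.
    acls = params.get("apply-inbound-acl") or ["loopback.auto"]
    findings = []
    if remote and acls == ["loopback.auto"]:
        findings.append(f"listen-ip {listen} but only loopback.auto applies: "
                        "1.4 rejects remote clients, 1.2 applied no ACL")
    elif remote:
        findings.append(f"remote clients matching {acls} may connect; the "
                        "protocol and password are plaintext")
    if "ClueCon" in params.get("password", []):
        findings.append("password is the shipped default")
    return acls, findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("restricted", RESTRICTED)):
        print(name, *audit(cfg), sep="\n  ")
```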