[Freeswitch-users] SBC

Valter Nogueira valter at fastway.com.br
Mon Dec 12 23:42:04 MSK 2016


I am studying opensips and kamailio, but to be honest, I am a little
afraid of them - just because I am not sure if I can figure out every
situation in route.

My environment is strictly controlled with iptables drop policy and just
friendly traffic is allowed.

What I understood by now is that I must have a profile for every NIC used
to route traffic.

What I don't get yet is how directory relates to profiles. In file
directory/default/example.com.xml there is a user "joe" which has a
gateway defined inside it and that sofia shows in every gateway available
(except in internal)

Just to make me more confused: https://wiki.freeswitch.org/wiki/SBC_Setup

In which internal and external are bound to the same ip+port but to
different vlans. How are vlan tags bound to internal and external
profiles?

Regards,

2016-12-12 9:09 GMT-02:00 David Villasmil <david.villasmil.work at gmail.com>:

> At the very least start by looking at Homer (http://sipcapture.org/)
> which works beautifully with kamailio (I assume also openSIPS) and
> freeswitch, and it generates by default some nice graphs and alarms.
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
> On Mon, Dec 12, 2016 at 10:19 AM, Stanislav Sinyagin <ssinyagin at gmail.com>
> wrote:
>
>> but that's part of a job for an end-to-end system designer, it's not
>> something specific to a particular piece of software.
>>
>> For the scenario that Valter has described, FreeSWITCH (or two servers
>> in a cluster) will do the job just fine. But of course it needs to be
>> designed, configured and tested properly, with security in mind.
>>
>> I would agree, it's good to place Kamailio as the first-hop Internet
>> gateway if you need to process INVITEs from unknown sources in
>> Internet. It has nice features that minimize the impact of various DOS
>> attacks or hacking. Also if you need to scale up, Kamailio will serve
>> nicely as a load-balancer. But there's nothing wrong in placing
>> FreeSWITCH alone in the Internet if you know what you're doing.
>>
>>
>> On Mon, Dec 12, 2016 at 4:43 AM, Kamil Nigmatullin
>> <kamil.nigmatullin at gmail.com> wrote:
>> > The first was the problem, where attacker somehow got login and password (I
>> > think they broke their ATA) from client and used it. But for this client
>> > there was a limit of one line. I used limit module with local database. What
>> > attacker actually did, is that they used REFER attack, where they put their
>> > own number as a referrer, and opened unlimited lines to PSTN. So the
>> > solution was to replace limit functionality to opensips.
>> >
>> > The second - it is not actually the FS issue. It is because Freeswitch is
>> > not flexible enough to work at the low level where Kamailio or opensips
>> > operates. E.g., we programmed opensips to lookup for UserAgent database, we
>> > add useragent for each client manually. And only using client's IP and
>> > user-agent we allow this user to call to PSTN. We watch for blacklists of IP
>> > addresses, subnets. If it comes from Gaza, Panama, China we block it. And a
>> > lot of other things. Most of them are not out-of-box in opensips, but it is
>> > not hard to implement. All this functionality is very important. We lost
>> > about $10k last time. This is very serious.
>> >
>> > 2016-12-12 8:56 GMT+06:00 Alex Balashov <abalashov at evaristesys.com>:
>> >>
>> >> On Mon, Dec 12, 2016 at 08:17:57AM +0600, Kamil Nigmatullin wrote:
>> >>
>> >> > I love freeswitch, but frankly I would not recommend to set it as SBC. I
>> >> > personally faced two attacks where FS was not good at. And we lost a lot
>> >> > of money. It works perfectly as NAT between internal and external networks,
>> >> > actually in everything but it is weak as a firewall. Stanislav knows that,
>> >> > he helped me to resolve the problem first time when it happened. I cannot
>> >> > go into details as this is open forum. You need to put either kamailio or
>> >> > opensips in front of FS.
>> >>
>> >> Strongly agree.
>> >>
>> >> --
>> >> Alex Balashov | Principal | Evariste Systems LLC
>> >>
>> >> Tel: +1-706-510-6800 (direct) / +1-800-250-5920 (toll-free)
>> >> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
>> >>
>> >> ____________________________________________________________
>> _____________
>> >> Professional FreeSWITCH Consulting Services:
>> >> consulting at freeswitch.org
>> >> http://www.freeswitchsolutions.com
>> >>
>> >> Official FreeSWITCH Sites
>> >> http://www.freeswitch.org
>> >> http://confluence.freeswitch.org
>> >> http://www.cluecon.com
>> >>
>> >> FreeSWITCH-users mailing list
>> >> FreeSWITCH-users at lists.freeswitch.org
>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> >> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/
>> freeswitch-users
>> >> http://www.freeswitch.org
>> >
>> > --
>> > Kamil Nigmatullin
>> > Tel: 77272323748
>> > mob: 7 (707) 2517003
>> > Skype: kamil.nigmatullin
>>
>
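
The edge controls mentioned in this thread (admit PSTN calls only from a known source IP plus User-Agent pair, drop blocklisted subnets, and enforce a per-account line limit that REFER cannot sidestep), sketched as an added example that is not code from any poster or from OpenSIPS, Kamailio or FreeSWITCH. The account, addresses, User-Agent string and event stream are constructed, and charging REFER to the same counter as INVITE is one assumed way to close the gap described.

```python
import ipaddress
from collections import defaultdict

# Constructed policy data (documentation address ranges, hypothetical account).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED = {  # account -> (source network, expected User-Agent, line limit)
    "client1": (ipaddress.ip_network("198.51.100.10/32"), "ExampleATA/1.2", 1),
}

class PstnGate:
    """Admission check applied to every request that would open a PSTN leg."""

    def __init__(self):
        self.active = defaultdict(set)  # account -> ids of legs currently up

    def admit(self, account, src_ip, user_agent, method, leg_id):
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in BLOCKED_NETS):
            return "drop: blocklisted subnet"
        entry = ALLOWED.get(account)
        if entry is None:
            return "reject: unknown account"
        net, ua, limit = entry
        if ip not in net or user_agent != ua:
            return "reject: ip/user-agent mismatch"
        # A REFER asks the server to open a new leg on the account's behalf,
        # so it is charged to the same counter as an INVITE.
        if method in ("INVITE", "REFER"):
            if len(self.active[account]) >= limit:
                return "reject: line limit reached"
            self.active[account].add(leg_id)
        return "allow"

    def hangup(self, account, leg_id):
        self.active[account].discard(leg_id)

def replay(events):
    """Run a list of events through a fresh gate and return the verdicts."""
    gate = PstnGate()
    return [gate.admit(*e) for e in events]

# Constructed event stream: (account, source IP, User-Agent, method, leg id)
SAMPLE = [
    ("client1", "198.51.100.10", "ExampleATA/1.2", "INVITE", "leg-1"),
    ("client1", "198.51.100.10", "ExampleATA/1.2", "REFER", "leg-2"),
    ("client1", "192.0.2.77", "ExampleATA/1.2", "INVITE", "leg-3"),
    ("client1", "203.0.113.5", "ExampleATA/1.2", "INVITE", "leg-4"),
]
```

Calling `replay(SAMPLE)` returns one verdict per event; the REFER in the second event is refused because the account's single line is already in use.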