[Freeswitch-users] SBC

Valter Nogueira valter at fastway.com.br
Tue Dec 13 05:19:10 MSK 2016


Which parameter do I use to enable a profile for registration?

<param name="force-register-domain" value="$${domain}"/>





Sincerely,



2016-12-12 23:30 GMT-02:00 David Villasmil <david.villasmil.work at gmail.com>:

> Hello,
>
> Every time fs receives a REGISTER it will look up the user trying to
> register (if the profile is configured to authenticate) in the directory
> path. You can register via any profile if configured. You can control what
> user may register where by enabling multi-domain as per
> https://wiki.freeswitch.org/wiki/Multiple_Companies.
>
> By default, the directory.xml is as follows:
>
> <include>
>    <!--the domain or ip (the right hand side of the @ in the addr-->
>    <domain name="$${domain}">
>      ...
>      <groups>
>        <group name="default">
>          <users>
>            <X-PRE-PROCESS cmd="include" data="default/*.xml"/>
>          </users>
>        </group>
> ...
>
> So, as you can see, there's only one domain directory ($${domain} which is
> the ip address of your server) which has only one group called "users"
> which *includes* any xml in "default/"
>
> hope this helps.
>
> David
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
> On Mon, Dec 12, 2016 at 9:42 PM, Valter Nogueira <valter at fastway.com.br>
> wrote:
>
>> I am studying opensips and kamailio, but to be honest, I am a little
>> afraid of them - just because I am not sure if I can figure out every
>> situation in route.
>>
>> My environment is strictly controlled with iptables drop policy and just
>> friendly traffic is allowed.
>>
>> What I understood by now is that I must have a profile for every NIC used
>> to route traffic.
>>
>> What I don't get yet is how directory relates to profiles. In file
>> directory/default/example.com.xml there is a user "joe" which has a
>> gateway defined inside it and that sofia shows in every gateway available
>> (except in internal)
>>
>> Just to make me more confused: https://wiki.freeswitch.org/wiki/SBC_Setup
>>
>> In which internal and external are bound to the same ip+port but to
>> different vlans. How are vlan tags bound to internal and external
>> profiles?
>>
>>
>>
>>
>>
>> Sincerely,
>>
>>
>>
>> 2016-12-12 9:09 GMT-02:00 David Villasmil <david.villasmil.work at gmail.com>:
>>
>>> At the very least start by looking at Homer (http://sipcapture.org/)
>>> which works beautifully with kamailio (I assume also openSIPS) and
>>> freeswitch, and it generates by default some nice graphs and alarms.
>>>
>>> Regards,
>>>
>>> David Villasmil
>>> email: david.villasmil.work at gmail.com
>>> phone: +34669448337
>>>
>>> On Mon, Dec 12, 2016 at 10:19 AM, Stanislav Sinyagin <ssinyagin at gmail.com> wrote:
>>>
>>>> but that's part of a job for an end-to-end system designer, it's not
>>>> something specific to a particular piece of software.
>>>>
>>>> For the scenario that Valter has described, FreeSWITCH (or two servers
>>>> in a cluster) will do the job just fine. But of course it needs to be
>>>> designed, configured and tested properly, with security in mind.
>>>>
>>>> I would agree, it's good to place Kamailio as the first-hop Internet
>>>> gateway if you need to process INVITEs from unknown sources in
>>>> Internet. It has nice features that minimize the impact of various DOS
>>>> attacks or hacking. Also if you need to scale up, Kamailio will serve
>>>> nicely as a load-balancer. But there's nothing wrong in placing
>>>> FreeSWITCH alone in the Internet if you know what you're doing.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Dec 12, 2016 at 4:43 AM, Kamil Nigmatullin
>>>> <kamil.nigmatullin at gmail.com> wrote:
>>>> > The first was the problem, where attacker somehow got login and
>>>> > password (I think they broke their ATA) from client and used it. But
>>>> > for this client there was a limit of one line. I used limit module
>>>> > with local database. What attacker actually did, is that they used
>>>> > REFER attack, where they put their own number as a referrer, and
>>>> > opened unlimited lines to PSTN. So the solution was - to replace
>>>> > limit functionality to opensips.
>>>> >
>>>> > The second - it is not actually the FS issue. It is because
>>>> > Freeswitch is not flexible enough to work at the low level where
>>>> > Kamailio or opensips operates. E.g., we programmed opensips to lookup
>>>> > for UserAgent database, we add useragent for each client manually.
>>>> > And only using client's IP and user-agent we allow this user to call
>>>> > to PSTN. We watch for blacklists of IP addresses, subnets. If it
>>>> > comes from Gaza, Panama, China we block it. And a lot of other
>>>> > things. Most of them are not out-of-box in opensips, but it is not
>>>> > hard to implement. All this functionality is very important. We lost
>>>> > about $10k last time. This is very serious.
>>>> >
>>>> > 2016-12-12 8:56 GMT+06:00 Alex Balashov <abalashov at evaristesys.com>:
>>>> >>
>>>> >> On Mon, Dec 12, 2016 at 08:17:57AM +0600, Kamil Nigmatullin wrote:
>>>> >>
>>>> >> > I love freeswitch, but frankly I would not recommend to set it as
>>>> >> > SBC. I personally faced two attacks where FS was not good at. And
>>>> >> > we lost a lot of money. It works perfectly as NAT between internal
>>>> >> > and external networks, actually in everything but it is weak as a
>>>> >> > firewall. Stanislav knows that, he helped me to resolve the
>>>> >> > problem first time when it happened. I cannot go into details as
>>>> >> > this is open forum. You need to put either kamailio or opensips in
>>>> >> > front of FS.
>>>> >>
>>>> >> Strongly agree.
>>>> >>
>>>> >> --
>>>> >> Alex Balashov | Principal | Evariste Systems LLC
>>>> >>
>>>> >> Tel: +1-706-510-6800 (direct) / +1-800-250-5920 (toll-free)
>>>> >> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
>>>> >>
>>>> >> _________________________________________________________________________
>>>> >> Professional FreeSWITCH Consulting Services:
>>>> >> consulting at freeswitch.org
>>>> >> http://www.freeswitchsolutions.com
>>>> >>
>>>> >> Official FreeSWITCH Sites
>>>> >> http://www.freeswitch.org
>>>> >> http://confluence.freeswitch.org
>>>> >> http://www.cluecon.com
>>>> >>
>>>> >> FreeSWITCH-users mailing list
>>>> >> FreeSWITCH-users at lists.freeswitch.org
>>>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> >> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> >> http://www.freeswitch.org
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Kamil Nigmatullin
>>>> > Tel: 77272323748
>>>> > mob: 7 (707) 2517003
>>>> > Skype: kamil.nigmatullin
>>>> >
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
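
The two edge controls described further down the thread (a per-account line limit that a REFER must not be able to sidestep, and a source IP plus User-Agent allow-list before PSTN access), modelled as an added example that is not part of any post and is not OpenSIPS, Kamailio or FreeSWITCH configuration. The account number, networks, User-Agent strings and the `EdgePolicy` class are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed per-account policy: allowed source networks, expected User-Agent, line limit.
POLICY = {"1001": {"nets": ["198.51.100.0/24"], "ua": "ExampleATA/1.2", "max_lines": 1}}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed blacklist

class EdgePolicy:
    def __init__(self, policy, blocked):
        self.policy, self.blocked = policy, blocked
        self.active = Counter()  # PSTN legs currently charged to each account

    def source_ok(self, account, src_ip, user_agent):
        ip = ipaddress.ip_address(src_ip)
        p = self.policy.get(account)
        if p is None or any(ip in net for net in self.blocked):
            return False
        in_net = any(ip in ipaddress.ip_network(n) for n in p["nets"])
        # User-Agent is client-supplied: it narrows the match, it does not authenticate.
        return in_net and user_agent == p["ua"]

    def open_pstn_leg(self, account, src_ip, user_agent, method):
        """Decide on a new PSTN leg requested by INVITE or by REFER."""
        if method not in ("INVITE", "REFER"):
            return "reject: method"
        if not self.source_ok(account, src_ip, user_agent):
            return "reject: source"
        # Charge every leg to the authenticated account, whichever method
        # opened it, so a transfer cannot create legs the limit never sees.
        if self.active[account] >= self.policy[account]["max_lines"]:
            return "reject: limit"
        self.active[account] += 1
        return "allow"

    def close_pstn_leg(self, account):
        if self.active[account] > 0:
            self.active[account] -= 1

def demo():
    edge = EdgePolicy(POLICY, BLOCKED_NETS)
    events = [  # constructed: (account, source IP, User-Agent, method)
        ("1001", "198.51.100.7", "ExampleATA/1.2", "INVITE"),
        ("1001", "198.51.100.7", "ExampleATA/1.2", "REFER"),
        ("1001", "192.0.2.50", "ExampleATA/1.2", "INVITE"),
        ("1001", "198.51.100.7", "OtherUA/0.1", "INVITE"),
    ]
    return [edge.open_pstn_leg(*e) for e in events]

if __name__ == "__main__":
    print(demo())
```
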