[Freeswitch-users] SBC

Tue Dec 13 05:25:49 MSK 2016

I also enable auth-calls and auth-all-packets.

On Tue, Dec 13, 2016 at 3:19 AM Valter Nogueira <valter at fastway.com.br>
wrote:

> Which parameter I use to enable a profile to registration?
>
> <param name="force-register-domain" value="$${domain}"/>
>
>
>
>
>
> Atenciosamente,
>
>
>
> 2016-12-12 23:30 GMT-02:00 David Villasmil <david.villasmil.work at gmail.com
> >:
>
> Hello,
>
> Every time fs receives a REGISTER it will look up the user trying to
> register (if the profile is configured to authenticate) in the directory
> path. You can register via any profile if configured. You can control what
> user may register where by enabling multi-domain as per
> https://wiki.freeswitch.org/wiki/Multiple_Companies.
>
> By default, the directory.xml is as follows:
>
> <include>
>    <!--the domain or ip (the right hand side of the @ in the addr-->
>    <domain name="$${domain}">
>      ...
>      <groups>
>        <group name="default">
>          <users>
>            <X-PRE-PROCESS cmd="include" data="default/*.xml"/>
>          </users>
>        </group>
> ...
>
> So, as you can see, there's only one domain directory ($${domain} which is
> the ip address of your server) which has only one group called "users"
> which *includes* any xml in "default/"
>
> hope this helps.
>
> David
> ᐧ
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337 <+34%20669%2044%2083%2037>
>
> On Mon, Dec 12, 2016 at 9:42 PM, Valter Nogueira <valter at fastway.com.br>
> wrote:
>
> I am studying opensips and kamailio, but to be honest, I am a little
> affraid of them - just because I am not sure if I can figure out every
> situation in route.
>
> My environment is strictly controlled with iptables drop policy and just
> friendly traffic is allowed.
>
> What I understood by now is that I must have a profile for every NIC used
> to route traffic.
>
> What I don't get yet is how directory relates to profiles. In file
> directory/default/example.com.xml there is a user "joe" which have a
> gateway defined inside it and that sofia shows in every gateway availble
> (expect in internal)
>
> Just to make me more confused: https://wiki.freeswitch.org/wiki/SBC_Setup
>
> In which internal and external are binded to the same ip+port but to
> different vlans. How vlans tags are binded to internatl and external
> profiles?
>
>
>
>
>
> Atenciosamente,
>
>
>
> 2016-12-12 9:09 GMT-02:00 David Villasmil <david.villasmil.work at gmail.com>
> :
>
> At the very least start by looking at Homer (http://sipcapture.org/)
> which works beautifully with kamailio (i assume also openSIPS) and
> freeswitch. and it generates by default some nice graphs and alarms.
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337 <+34%20669%2044%2083%2037>
>
> On Mon, Dec 12, 2016 at 10:19 AM, Stanislav Sinyagin <ssinyagin at gmail.com>
> wrote:
>
> but that's part of a job for an end-to-end system designer, it's not
> something specific to a particular piece of software.
>
> For the scenario that Valter has described, FreeSWITCH (or two servers
> in a cluster) will do the job just fine. But of course it needs to be
> designed, configured and tested properly, with security in mind.
>
> I would agree, it's good to place Kamailio as the first-hop Internet
> gateway if you need to process INVITEs from unknown sources in
> Internet. It has nice features that minimize the impact of various DOS
> attacks or hacking. Also if you need to scale up, Kamailio will serve
> nicely as a load-balancer. But there's nothing wrong in placing
> FreeSWITCH alone in the Internet if you know what you're doing.
>
>
>
>
>
>
>
>
> On Mon, Dec 12, 2016 at 4:43 AM, Kamil Nigmatullin
> <kamil.nigmatullin at gmail.com> wrote:
> > The first was the problem, where attacker somehow got login and password
> (i
> > think they broke thier ATA) from clinet and used it. But for this client
> > there was a limit of one line. I used limit module with local database.
> What
> > attacker actially did, is that they used REFER attack, where they put
> their
> > own number as a referrer, and opened unlimited lines to PSTN. So the,
> > solution was - to replace limit functunality to opensips.
> >
> > The second - it is not actually the FS issue. It is because Freeswitch is
> > not flexible enouph to work at the low level where Kamailio or opensips
> > operates. E.g, we programmed opensips to lookup for UserAgent database,
> we
> > add useragent for each client manually. And only using client's  IP and
> > user-agent we allow this user to call to PSTN. We watch for blacklists
> of IP
> > adresses, subnets. If it comes from Gaza, Panama, China we block it. And
> a
> > lot of other things. Most of them is not out-of-box in opensips, but it
> is
> > not hard to implement. All this functionality is very important. We lost
> > about $10k last time. This is very serious.
> >
> > 2016-12-12 8:56 GMT+06:00 Alex Balashov <abalashov at evaristesys.com>:
> >>
> >> On Mon, Dec 12, 2016 at 08:17:57AM +0600, Kamil Nigmatullin wrote:
> >>
> >> > I love freeswitch, but frankly I would not recomend to set it as SBC.
> I
> >> > personally faced two attacks where FS was not good at. And we lost a
> lot
> >> > of
> >> > money. It works perfectly as NAT between internal and extenal
> networks,
> >> > actually in everything but it is weak as a firewall. Stanislav knows
> >> > that,
> >> > he helped me to resolve the problem first time when it happend. I
> cannot
> >> > go
> >> > into details as this is open forum. You need to put either kamailio or
> >> > opensips in front of FS.
> >>
> >> Strongly agree.
> >>
> >> --
> >> Alex Balashov | Principal | Evariste Systems LLC
> >>
> >> Tel: +1-706-510-6800 (direct) / +1-800-250-5920 (toll-free)
> >> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
> >>
> >>
> _________________________________________________________________________
> >> Professional FreeSWITCH Consulting Services:
> >> consulting at freeswitch.org
> >> http://www.freeswitchsolutions.com
> >>
> >> Official FreeSWITCH Sites
> >> http://www.freeswitch.org
> >> http://confluence.freeswitch.org
> >> http://www.cluecon.com
> >>
> >> FreeSWITCH-users mailing list
> >> FreeSWITCH-users at lists.freeswitch.org
> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >> UNSUBSCRIBE:
> http://lists.freeswitch.org/mailman/options/freeswitch-users
> >> http://www.freeswitch.org
> >
> >
> >
> >
> > --
> > Kamil Nigmatullin
> > Tel: 77272323748
> > mob: 7 (707) 2517003
> > Skype: kamil.nigmatullin
> >
> > _________________________________________________________________________
> > Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://confluence.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20161213/c28ba989/attachment-0001.html 