[Freeswitch-users] Private IP used for audio even though ACL should block it

David P davidswalkabout at gmail.com
Mon Nov 18 23:16:15 UTC 2019


In the log snippet below, a private IP is chosen for the audio connection
(6th line from bottom) even though our acl.conf.xml should reject it. How
can we be sure our ACL is enforced?

Our version on Debian 9: FreeSWITCH Version 20.19.4-release-12-fc9d51c~64bit
(-release-12-fc9d51c 64bit)

Our autoload_configs/acl.conf.xml contains:
    <!-- Adapted from
https://freeswitch.org/confluence/display/FREESWITCH/ACL#ACL-Sampledeny -->
    <list name="companyname-disallow-privateIPv4" default="allow">
        <node type="deny" host="10.0.0.0" mask="255.255.255.0"/>
        <node type="deny" host="192.168.0.0" mask="255.255.0.0"/>
    </list>

And our verto.conf.xml's "default-v4" profile references it:
    <param name="apply-candidate-acl"
value="companyname-disallow-privateIPv4"/>

(Also, strangely, we get a relay candidate from our TURN server for video
but not audio.)

8e2ab29f-cdc8-84d8-a804-cabb3d0a474e m=audio 57658 UDP/TLS/RTP/SAVPF 111
103 9 102 0 8 105 13 110 113 126
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e c=IN IP4 10.0.0.90
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e a=rtcp:9 IN IP4 0.0.0.0
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e a=candidate:2964267771 1 udp
2113937151 10.0.0.90 57658 typ host generation 0 network-cost 999
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e a=candidate:2509878665 1 udp
2113939711 2601:ipv6:address 57659 typ host generation 0 network-cost 999

8e2ab29f-cdc8-84d8-a804-cabb3d0a474e m=video 12769 UDP/TLS/RTP/SAVPF 96 97
98 99 100 101 127 125 104
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e c=IN IP4 52.public.turn.addr
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e a=rtcp:9 IN IP4 0.0.0.0
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e a=candidate:2964267771 1 udp
2113937151 10.0.0.90 52903 typ host generation 0 network-cost 999
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e a=candidate:2509878665 1 udp
2113939711 2601:ipv6:address 52904 typ host generation 0 network-cost 999
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e a=candidate:2563966249 1 udp 16785151
52.public.turn.addr 12769 typ relay raddr 73.user.public.ip rport 49605
generation 0 network-cost 999

8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_codec.c:111
verto.rtc/0300_db262ee9-b897-4ece-83f6-ca4507489bc9_v-1*c-1*f-1 Original
read codec set to opus:116
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4233 Save audio Candidate cid: 1 proto: udp type: host
addr: 10.0.0.90:57658
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4227 Drop audio Candidate cid: 1 proto: udp type: host
addr: 2601:ipv6:address:57659 (no network path)

8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_vpx.c:703 VPX VER:v1.7.0 VPX_IMAGE_ABI_VERSION:4
VPX_CODEC_ABI_VERSION:8
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_vpx.c:703 VPX VER:v1.7.0 VPX_IMAGE_ABI_VERSION:4
VPX_CODEC_ABI_VERSION:8
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:3598 Set VIDEO Codec
verto.rtc/0300_db262ee9-b897-4ece-83f6-ca4507489bc9_v-1*c-1*f-1 VP8/90000 0
ms
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4233 Save video Candidate cid: 1 proto: udp type: host
addr: 10.0.0.90:52903
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4227 Drop video Candidate cid: 1 proto: udp type: host
addr: 2601:ipv6:address:52904 (no network path)
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4233 Save video Candidate cid: 1 proto: udp type: relay
addr: 52.public.turn.addr:12769
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4278 Searching for rtp candidate.
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4278 Searching for rtcp candidate.
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4325 Look for Relay Candidates as last resort
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4278 Searching for rtp candidate.
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4287 Choose rtp candidate, index 1,
52.public.turn.addr:12769
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4053
verto.rtc/0300_db262ee9-b897-4ece-83f6-ca4507489bc9_v-1*c-1*f-1 choosing
family v4
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4298 Choose same candidate, index 0, for rtcp based on
rtcp-mux attribute 52.public.turn.addr:12769
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4350 setting remote video ice addr to index 1
52.public.turn.addr:12769 based on candidate
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:4385 Setting remote rtcp video addr to
52.public.turn.addr:12769 based on candidate
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:8600 AUDIO RTP
[verto.rtc/0300_db262ee9-b897-4ece-83f6-ca4507489bc9_v-1*c-1*f-1]
10.0.0.192 port 26664 -> 10.0.0.90 port 57658 codec: 111 ms: 20
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_rtp.c:4480 Starting timer [soft] 960 bytes per 20ms
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_core_media.c:8819 Activating RTCP PORT 57658
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [DEBUG]
switch_rtp.c:4880 RTCP send rate is: 1000 and packet rate is: 20000 Remote
Port: 57658
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [INFO]
switch_rtp.c:3808 Activate RTP/RTCP audio DTLS client
8e2ab29f-cdc8-84d8-a804-cabb3d0a474e 2019-11-15 06:14:09.477153 [INFO]
switch_rtp.c:3975 Changing audio DTLS state from OFF to HANDSHAKE