VoIP Mailing List Archives

[diego.viola at gmail.com]

Hey guys,

I'm currently testing FS inside a LAN. FreeSWITCH is running on 192.168.0.101 and my softphone is on 192.168.0.100.

I can register and make calls just fine, but I want to deny everything in order to learn how the ACL works.

I have this on the internal profile:

    <param name="apply-nat-acl" value="rfc1918"/>
    <param name="apply-inbound-acl" value="domains"/>
    <param name="apply-register-acl" value="domains"/>

And this is how my acl.conf.xml looks, it's all set to deny:

<configuration name="acl.conf" description="Network Lists">
  <network-lists>

    <list name="dl-candidates" default="deny">
      <node type="deny" cidr="10.0.0.0/8"/>
      <node type="deny" cidr="172.16.0.0/12"/>
      <node type="deny" cidr="192.168.0.0/16"/>
    </list>

    <list name="rfc1918" default="deny">
      <node type="deny" cidr="10.0.0.0/8"/>
      <node type="deny" cidr="172.16.0.0/12"/>
      <node type="deny" cidr="192.168.0.0/16"/>
    </list>

    <list name="lan" default="deny">
      <node type="deny" cidr="192.168.42.0/24"/>
      <node type="deny" cidr="192.168.42.42/32"/>
    </list>

    <list name="strict" default="deny">
      <node type="deny" cidr="208.102.123.124/32"/>
    </list>
    <!--
        This will traverse the directory adding all users
        with the cidr= tag to this ACL, when this ACL matches
        the users variables and params apply as if they
        digest authenticated.
    -->
    <list name="domains" default="deny">
      <node type="deny" domain="$${domain}"/>
      <node type="deny" cidr="192.168.0.0/24"/>
    </list>

  </network-lists>
</configuration>

But I'm still allowed to register with the 1000 user and make calls, to the conference extension, etc... I can't understand this, if it's all to deny and the cidr is set to 192.168.0.0/24 on the "domains" context, which is what hte profile uses, shouldn't the registration/call be denied. I have tried many conbinations but whenever I change something it wont make any difference.

Please help me.

Thanks,

Diego

[diego.viola at gmail.com]

More info:

  <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
    <!-- <param name="accept-blind-reg" value="true"/> -->
    <!-- <param name="accept-blind-auth" value="true"/> -->

So any ideas?

On Tue, Apr 21, 2009 at 5:08 AM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[diego.viola at gmail.com]

If I make any changes on the acl.conf.xml, it doesn't take any effect.

Why is that? What am I doing wrong?

Diego

On Tue, Apr 21, 2009 at 5:29 AM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[diego.viola at gmail.com]

freeswitch@internal> acl
false


On Tue, Apr 21, 2009 at 5:08 AM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[diego.viola at gmail.com]

Ok I just remade the config and now it's working as it should, it's not letting me register.

2009-04-21 07:06:03 [WARNING] sofia_reg.c:1283 sofia_reg_handle_sip_i_register() IP 192.168.0.100 Rejected by acl "domains"

However, I have this:

    <param name="apply-inbound-acl" value="domains"/>

And this:

    <list name="domains" default="deny">
            <!--      <node type="allow" domain="$${domain}"/>-->
        <node type="deny" cidr="192.168.0.100/32"/>
        <node type="deny" cidr="192.168.0.0/24"/>
    </list>

And I can still call the conference (3030) without being registered. Why is this?

Thanks.


On Tue, Apr 21, 2009 at 6:43 AM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[diego.viola at gmail.com]

Oh it was because I had auth-calls set to true, now I turned it false and it works as I expect!

Silly me, thanks everyone anyway =D

Diego

On Tue, Apr 21, 2009 at 7:08 AM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[brian at freeswitch.org]

Do you want to allow these IP ranges?

/b

On Apr 21, 2009, at 6:08 AM, Diego Viola wrote:

[diego.viola at gmail.com]

Nope, I just wanted to allow 1 ip, 192.168.0.100.

Diego

On Tue, Apr 21, 2009 at 9:27 AM, Brian West <brian@freeswitch.org (brian@freeswitch.org)> wrote:

[msc at freeswitch.org]

On Tue, Apr 21, 2009 at 1:15 PM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[diego.viola at gmail.com]

I was just trying to deny everything, and I got confused at what the "default" in the <list> made, but I got it now.

So I have     <list name="domains" default="deny"> and that alone denies the registration, which is what I want, but I can still make calls.

And I have this:     <param name="apply-inbound-acl" value="domains"/>

Shouldn't the "domains" which is defaulted to "deny" block the inbound calls?

Thanks, I hope this doesn't make anyone nervous, just trying to learn

Regards,

Diego



On Tue, Apr 21, 2009 at 5:34 PM, Michael Collins <msc@freeswitch.org (msc@freeswitch.org)> wrote:

[diego.viola at gmail.com]

If I turn internal_auth_calls to false it blocks... but why I can't do it with internal_auth_calls=true?

On Tue, Apr 21, 2009 at 8:45 PM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[diego.viola at gmail.com]

This alone should be able to block inbound calls right?:

internal.xml:

    <param name="apply-inbound-acl" value="domains"/>

acl.conf.xml:

    <list name="domains" default="deny">
      <node type="allow" domain="$${domain}"/>
    </list>

vars.xml:

  <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>



On Tue, Apr 21, 2009 at 8:04 PM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[diego.viola at gmail.com]

I'm trying to block inbound calls with internal_auth_calls=true.

On Tue, Apr 21, 2009 at 8:46 PM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[diego.viola at gmail.com]

I got it, thanks people

On Tue, Apr 21, 2009 at 8:57 PM, Diego Viola <diego.viola@gmail.com (diego.viola@gmail.com)> wrote:

[brian at freeswitch.org]

Diego, I highly recommend you seek professional help... You seem to be talking to yourself A LOT! just kidding... good you understand it now!


/b

On Apr 21, 2009, at 8:44 PM, Diego Viola wrote: