[Freeswitch-users] IP Whitelist
Eric Beard
2011-06-08 19:11:34 UTC
It seems I misunderstand the purpose of the acl.conf.xml file.

What I want to do is create an IP whitelist, so only the IPs I designate get a response from FreeSwitch. I'd like to do this with FreeSwitch rather than a firewall.

I have this in acl.conf.xml:

<list name="domains" default="deny">
<!-- domain= is special it scans the domain from the directory to build the ACL -->
<node type="allow" domain="$${domain}"/>
<!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
<node type="allow" cidr="10.1.0.0/24"/>

<!-- Broadvox DID -->
<node type="allow" cidr="209.249.3.74/32"/>
</list>

I was assuming that this would only allow traffic from my local network, 10.1.0.0, and from the single IP 209.249.3.74

But while watching sip traffic, I saw an OPTIONS request from a different IP (sipvicious scan). Freeswitch happily responded to the OPTIONS with an OK.

How can I configure it so that it ignores requests that are not on my whitelist?

Thanks!

-----------------------
Eric Z. Beard, CTO
Loop LLC
w (877) 850-2010 x9249
m (727) 776-2768
eric at loopfx.com<mailto:eric at loopfx.com>

Steven Ayre
2011-06-08 19:44:22 UTC
ACLs control registrations and calls, not options requests.

You'd be best off blocking sipvicious with this iptables entry:

iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm


-Steve
_______________________________________________
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Eric Beard
2011-06-08 20:08:00 UTC
Is it actually supposed to prevent calls from any IPs not in acl.conf.xml? With the settings I listed below, I can still make calls from different IPs to any number, which effectively makes my server an open relay. Do those settings only work if you are authenticating callers?

It seems like I'm going to have to set up IP-specific firewall rules for each SIP port, to allow only traffic from my gateways.

-----------------------
Eric Z. Beard, CTO
Loop LLC
w (877) 850-2010 x9249
m (727) 776-2768
eric at loopfx.com<mailto:eric at loopfx.com>

Eric Beard
2011-06-08 20:24:46 UTC
I found what I was missing. Since I don't authenticate callers, I use the external profile for everything, even calls from my LAN. I had never copied this setting from internal.xml:

<param name="apply-inbound-acl" value="domains"/>

I put that in sip_profiles/external.xml.

Now FreeSwitch sends 403 to any IPs not in acl.conf.xml.

-----------------------
Eric Z. Beard, CTO
Loop LLC
w (877) 850-2010 x9249
m (727) 776-2768
eric at loopfx.com<mailto:eric at loopfx.com>

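As an added illustration of why the list did nothing until apply-inbound-acl named it, here is a small Python evaluator written for this page (not FreeSWITCH's own code). It parses the thread's acl.conf.xml list plus a constructed second list, applies what I understand FreeSWITCH's matching to be (the list's default verdict, longest-prefix match among cidr= nodes, later nodes breaking ties; the domain= node is skipped because FreeSWITCH expands it from the directory at load time), and shows the outcome of an unauthenticated INVITE on the external profile before and after the param is added. The profile fragments, the "demo" list and the probe addresses are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The list from the thread, wrapped in the enclosing elements a real acl.conf.xml has,
# plus a constructed "demo" list that carves a /32 deny out of an allowed /24.
ACL_CONF = """<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="domains" default="deny">
      <node type="allow" domain="$${domain}"/>
      <node type="allow" cidr="10.1.0.0/24"/>
      <!-- Broadvox DID -->
      <node type="allow" cidr="209.249.3.74/32"/>
    </list>
    <list name="demo" default="deny">
      <node type="allow" cidr="10.1.0.0/24"/>
      <node type="deny" cidr="10.1.0.200/32"/>
    </list>
  </network-lists>
</configuration>
"""

# Constructed sip_profiles/external.xml fragments: before and after the thread's fix.
PROFILE_BEFORE = """<profile name="external"><settings>
  <param name="context" value="public"/>
</settings></profile>"""
PROFILE_AFTER = """<profile name="external"><settings>
  <param name="context" value="public"/>
  <param name="apply-inbound-acl" value="domains"/>
</settings></profile>"""


def load_acl(xml_text, list_name):
    """Return (default_allow, [(allow, network), ...]) for one <list>."""
    root = ET.fromstring(xml_text)
    for lst in root.iter("list"):
        if lst.get("name") != list_name:
            continue
        default_allow = lst.get("default", "deny") == "allow"
        nodes = []
        for node in lst.findall("node"):
            cidr = node.get("cidr")
            if cidr is None:
                # domain= nodes are expanded from the directory by FreeSWITCH at
                # load time; this static evaluator has no directory, so skip them.
                continue
            nodes.append((node.get("type") == "allow",
                          ipaddress.ip_network(cidr, strict=False)))
        return default_allow, nodes
    raise KeyError("no <list name=%r>" % list_name)


def acl_allows(acl, ip):
    """Longest-prefix match, later nodes winning ties, default verdict if nothing matches
    (assumed to mirror FreeSWITCH's switch_network_list_validate_ip)."""
    default_allow, nodes = acl
    addr = ipaddress.ip_address(ip)
    verdict, best_bits = default_allow, 0
    for allow, net in nodes:
        if addr.version == net.version and net.prefixlen >= best_bits and addr in net:
            verdict, best_bits = allow, net.prefixlen
    return verdict


def inbound_acl_name(profile_xml):
    """The list a SIP profile applies to inbound requests, or None if it applies none."""
    root = ET.fromstring(profile_xml)
    for param in root.iter("param"):
        if param.get("name") == "apply-inbound-acl":
            return param.get("value")
    return None


def handle_invite(profile_xml, acl_conf, src_ip):
    """Outcome for an unauthenticated INVITE (or REGISTER) from src_ip on this profile."""
    name = inbound_acl_name(profile_xml)
    if name is None:
        return "processed"  # no ACL applied: acl.conf.xml is never consulted
    if acl_allows(load_acl(acl_conf, name), src_ip):
        return "processed"
    return "403 Forbidden"


if __name__ == "__main__":
    for ip in ("10.1.0.5", "209.249.3.74", "203.0.113.9"):
        print(ip, "before:", handle_invite(PROFILE_BEFORE, ACL_CONF, ip),
              "| after:", handle_invite(PROFILE_AFTER, ACL_CONF, ip))
```

Two caveats the thread itself raises: the ACL only gates registrations and calls, so the sipvicious OPTIONS probe is still answered either way, and a non-whitelisted source gets a 403 rather than silence, so the host still reveals that a SIP service is listening. Only a packet filter in front of the port gives the "ignore" behaviour the original question asked for.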
mazilo
2011-06-09 11:30:02 UTC
Post by Steven Ayre
ACLs control registrations and calls, not options requests.
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string
"friendly-scanner" --algo bm
Will the above IPTABLES work with old versions of sipvicious scan?

-----
FreeSWITCH hosted on a Seagate DockStar with OpenWRT and ONLY consumes 3 Watts of electricity.
--
View this message in context: http://freeswitch-users.2379917.n2.nabble.com/IP-Whitelist-tp6455077p6457393.html
Sent from the freeswitch-users mailing list archive at Nabble.com.
Steven Ayre
2011-06-09 11:37:10 UTC
As far as I know all (official) versions of sipvicious use the
friendly-scanner useragent, so will be spotted.

-Steve