Access Controls Defaults

Status
Not open for further replies.

InTeleSync

New Member
Feb 9, 2020
Fresh install on AWS Debian 9.

When installing on AWS it'll be in your AWS Virtual Private Cloud by default, thus installing with an IP address of something like 172.30.0.10. So even though the instance will have a static IP address (Elastic IP with AWS), it's still NAT'ed. Following guidance from here and here, I am able to get local and remote in and out to work fine and dandy with little fuss. Did not do anything (yet) with the SIP ALG or the removing of "-nonat". So far so good.

My question or curiosity, as I learn this system, is with the default installed Access Control lists. For lan, there is a default entry of:
allow CIDR: 192.168.42.42/32

What is that and where did it come from? Is it something as simple as changing it to my actual local IP of 172.30.10? Does it even need to be messed with at all, as things seem to work so far? There will be zero actual local LAN connections since it's in a VPC at AWS.

For domains, there is a default entry of:
allow Domain: 172.30.0.10

I don't know what it means by "Domain" here. To me, domain means something like youtwitface.com, not an IP address. When the ACL is loaded, there will be a log such as:
2020-02-10 19:59:03.268041 [WARNING] switch_core.c:1627 Cannot locate domain 172.30.0.10

So what's going on here, and should I be concerned? How is this "Domain" column actually used, if at all?

Finally, is there a way to whitelist domain or DNS entries, or is it all IP based?

Thanks.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
The only thing you need to add to the ACLs is your carrier IPs. They go in the Domains ACL and you only ever fill in the CIDR column and NEVER a domain name.
 

sokalsondha

Member
Nov 6, 2019
The only thing you need to add to the ACLs is your carrier IPs. They go in the Domains ACL and you only ever fill in the CIDR column and NEVER a domain name.
Hello sir,
My carrier for the DID number uses a hostname like sip.domain.com.
I asked them whether their SIP server IP remains the same all the time or can change from time to time.
They replied that they can't guarantee the IP will never change, so I am just scared that if they change the IP at any time I will not receive calls.

Is there any way around not using the IP address, and using the hostname instead?
This is actually a user/pass-based SIP account.

If I directly put this account in Zoiper I can receive incoming calls to that DID number. It's just FusionPBX where I can't receive the calls without putting their IP address in the access control.

Hope I explained properly.

thanks
 

stin

New Member
Jun 19, 2020
the Docs explain pretty clearly
I would tend to disagree with that, too. IMHO, occasionally, the documentation inspires more questions than it answers.

Such as "What is the 'lan' ACL for? Why shouldn't I put phone and public IPs in there? And what would that mean to FreeSWITCH? What is the 'domain' field for? Why would the ACL affect extension to extension calls? What's with the host IP as a domain in the 'domains' ACL?"

It seems even more so with FreeSWITCH's documentation. Not trying to be rude. As a user of this software, the documentation is a worry to me.

Is there any way around not using the IP address, and using the hostname instead?
I agree, it would be awesome to be able to specify a DNS name, even if it's only evaluated at boot, periodically or on each incoming call. There may be other complications, though and DNS queries are not always terribly quick. You'd also be stuck whilst a DNS update propagates through the Internet. And that's if they don't change their domain name, too.

Would they be open to sending you an e-mail if they do ever change their config?
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
Hello sir,
My carrier for the DID number uses a hostname like sip.domain.com.
I asked them whether their SIP server IP remains the same all the time or can change from time to time.
They replied that they can't guarantee the IP will never change, so I am just scared that if they change the IP at any time I will not receive calls.

Is there any way around not using the IP address, and using the hostname instead?
This is actually a user/pass-based SIP account.

If I directly put this account in Zoiper I can receive incoming calls to that DID number. It's just FusionPBX where I can't receive the calls without putting their IP address in the access control.

Hope I explained properly.

thanks

Most reasonably sized carriers will have more than one SIP server that traffic comes from; I think my carrier has about 5 and then a whole bunch of separate media servers. Carriers should give you plenty of notice in advance if they are going to change the SIP IPs. That is the question you should have been asking of the carrier: "Will we be informed in advance of any change of IP?" That said, it should be a given that this will be the case.

"What is the 'lan' ACL for? Why shouldn't I put phone and public IPs in there? And what would that mean to FreeSWITCH? What is the 'domain' field for? Why would the ACL affect extension to extension calls? What's with the host IP as a domain in the 'domains' ACL?"

You could equally ask the question, "Why do some SIP transactions have a tag in the TO field and some don't?". The point of this is that currently, you do not need to know the answers to these questions in order to get a working PBX. These are much more advanced use cases and can be learnt about over time.
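An added example, not from this thread or the FusionPBX project, that models the ACL behaviour the answers describe: a default-deny "domains" list that only admits carrier CIDRs (the advice above), the stock FreeSWITCH "lan" list whose 192.168.42.42/32 allow overrides a 192.168.42.0/24 deny, and the error a hostname row would produce instead of silently never matching. The carrier addresses are constructed RFC 5737 documentation values, and last-match-wins node evaluation is my assumption about how FreeSWITCH scans a list.

```python
import ipaddress

# Constructed ACL tables modelled on what the thread describes. Each list has a
# default verdict and ordered (type, cidr) nodes, as in FreeSWITCH acl.conf.xml.
# "lan" mirrors the stock FreeSWITCH defaults; the carrier CIDRs in "domains"
# are made-up RFC 5737 documentation addresses standing in for a real carrier.
ACLS = {
    "lan": {"default": "allow", "nodes": [
        ("deny", "192.168.42.0/24"),
        ("allow", "192.168.42.42/32"),   # the puzzling stock entry from the thread
    ]},
    "domains": {"default": "deny", "nodes": [
        ("allow", "203.0.113.10/32"),    # constructed: carrier SIP proxy
        ("allow", "198.51.100.0/26"),    # constructed: carrier media servers
    ]},
}


def parse_node(node_type, cidr):
    """Validate one ACL row. The CIDR column must hold an IP network; a DNS
    name such as sip.example.com is rejected here rather than being stored
    and never matching any packet."""
    if node_type not in ("allow", "deny"):
        raise ValueError(f"node type must be allow or deny, got {node_type!r}")
    try:
        return node_type, ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        raise ValueError(f"{cidr!r} is not a CIDR; ACL nodes take IP ranges, "
                         "not hostnames") from None


def check_ip(acl, source_ip):
    """Return True if source_ip passes this list. Nodes are scanned in order and
    the last node that matches decides (assumed FreeSWITCH semantics); with no
    match, the list default applies."""
    ip = ipaddress.ip_address(source_ip)
    verdict = acl["default"] == "allow"
    for node_type, cidr in acl["nodes"]:
        node_type, net = parse_node(node_type, cidr)
        if ip in net:
            verdict = node_type == "allow"
    return verdict


def lists_admitting(acls, source_ip):
    """Names of the ACL lists that would admit traffic from source_ip."""
    return sorted(name for name, acl in acls.items() if check_ip(acl, source_ip))


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.200", "192.168.42.42", "192.168.42.7"):
        print(ip, "->", lists_admitting(ACLS, ip))
```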