Freeswitch ACL configuration for remote event socket
I have a FS server running on one server and on a remote server I have a Node JS instance controlling it using node_esl (a Node JS Event Socket library for FS).

Every time I send a request to the server I get the following error:

[WARNING] mod_event_socket.c:2603 IP ::ffff:192.168.59.3 Rejected by acl "loopback.auto"

FS server has 2 interfaces: one is using a public IP and the second one is on a private network (192.168.59.0/24).

I checked the acl.conf.xml file and event_socket.conf.xml and I do not see anything special so far.

One last thing: this is a dev environment and FS is running in a VM (VirtualBox). The interface used for the VM is 192.168.59.103 and the GW is 192.168.59.3. So this might be a NAT issue if not an ACL issue (or both).

Do you have any idea of what the ACL configuration should be?

Gaultheria answered 12/7, 2015 at 3:22 Comment(0)
I found out why: ACL was not really that well configured. The one used was not opening the right connection for event_socket. So either Event_Socket was opened for local use only or for external use only. Had to recreate a new ACL with local access opened (necessary if you want to use fs_cli) and adding the IPs of the controlling servers.

Thanks for your suggestion regarding IPv6; I tested it earlier and found out it has no effect on my "issue".

Gaultheria answered 13/7, 2015 at 4:20 Comment(2)
Do you have a copy to hand of what you had to do? I am in the same position. -- Vraisemblance
@TheHumbleRat No. I moved to another project and do not have access to this one anymore. But it was an IPv6 configuration issue. -- Gaultheria
You must go to FreeSWITCH/conf/autoload_configs/event_socket.conf.xml, uncomment the ACL line <param name="apply-inbound-acl" value="loopback.auto"/> and edit it: you must write something like my_acl instead of loopback.auto.

After that you must go to FreeSWITCH/conf/autoload_configs/acl.conf.xml and there write something like this:

<list name="my_acl" default="deny">
 <node type="allow" cidr="xxx.xxx.xxx.xxx/32"/>
 <node type="allow" cidr="xxx.xxx.xxx.0/24"/>
</list>

After this go to fs_cli and type the command:

reloadacl

Enjoy!

EDIT:

Make sure following:

<list name="my_acl" default="deny">
 <node type="allow" cidr="xxx.xxx.xxx.xxx/32"/>
 <node type="allow" cidr="xxx.xxx.xxx.0/24"/>
</list>

becomes:

<list name="my_acl" default="deny">
 <node type="allow" cidr="xxx.xxx.xxx.xxx/32"/>
 <node type="allow" cidr="xxx.xxx.xxx.0/24"/>
 <node type="allow" cidr="192.168.42.42/32"/>
 <node type="allow" domain="$${domain}"/>
 <!-- this allows fs_cli to connect, otherwise fs_cli won't work -->
 <node type="allow" cidr="127.0.0.1/32"/>
</list>

Diatomite answered 8/5, 2016 at 3:17 Comment(2)
Segmentation fault when I do reload mod_acl -- Cheesecloth
It seems to me that you should also run reload mod_event_socket -- Hemimorphite
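Before running reloadacl it is worth checking which client addresses a list actually admits, because the rejected address in the question's log line is an IPv4-mapped IPv6 address (::ffff:192.168.59.3, produced by the listener bound to ::). The following is an added example, not code from the thread or from FreeSWITCH: it parses a constructed acl.conf.xml fragment containing a loopback-only loopback.auto list beside the my_acl list from this answer, strips the ::ffff: prefix, and evaluates the CIDR nodes. It assumes last-match-wins evaluation with the list default as the fallback, and ignores domain nodes.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed acl.conf.xml fragment (assumed): loopback.auto approximated as
# loopback ranges only, next to the custom my_acl list from the answer above.
ACL_XML = """<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="loopback.auto" default="deny">
      <node type="allow" cidr="127.0.0.0/8"/>
      <node type="allow" cidr="::1/128"/>
    </list>
    <list name="my_acl" default="deny">
      <node type="allow" cidr="192.168.59.0/24"/>
      <node type="allow" cidr="127.0.0.1/32"/>
    </list>
  </network-lists>
</configuration>"""


def normalize(ip_text):
    """Turn the ::ffff:a.b.c.d form a '::' listener logs for IPv4 clients back into IPv4."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def load_lists(xml_text):
    """Return {list_name: (default_allow, [(allow, network), ...])}.

    Only cidr nodes are evaluated; domain nodes (hypothetically present) are skipped.
    """
    lists = {}
    for lst in ET.fromstring(xml_text).iter("list"):
        nodes = [(n.get("type") == "allow", ipaddress.ip_network(n.get("cidr"), strict=False))
                 for n in lst.findall("node") if n.get("cidr")]
        lists[lst.get("name")] = (lst.get("default") == "allow", nodes)
    return lists


def acl_allows(lists, list_name, client_ip):
    """Evaluate one list the way apply-inbound-acl would (assumed: last matching node wins)."""
    default_allow, nodes = lists[list_name]
    addr = normalize(client_ip)
    verdict = default_allow
    for allow, net in nodes:
        if addr.version == net.version and addr in net:
            verdict = allow
    return verdict
```

Run acl_allows(load_lists(ACL_XML), "my_acl", "::ffff:192.168.59.3") against each candidate list to see which one admits the controlling host before touching the live configuration.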
I manually created loopback.auto list under acl.conf.xml

<list name="loopback.auto" default="allow">
    <node type="allow" cidr="172.31.0.0/16"/>
    <node type="allow" cidr="52.67.85.153/32"/> 
</list>

Where 172.31.0.0/16 is the Freeswitch local IP address.

In the event_socket.conf.xml file I left loopback.auto:

<param name="apply-inbound-acl" value="loopback.auto"/>

Then run reloadacl and reloadxml. In my case I needed to restart Freeswitch to make it work.

Manheim answered 12/2, 2018 at 4:37 Comment(0)
There's some info on how to get it to work here: https://wiki.freeswitch.org/wiki/Mod_event_socket#Configuration

After a bit of trial and error, all I had to do to get rid of the error was the following:

  1. Open FreeSWITCH/conf/autoload_configs/event_socket.conf.xml
  2. Uncomment the following line:
     <param name="apply-inbound-acl" value="loopback.auto"/>

Here's my working event_socket.conf.xml file:

<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
    <!--<param name="stop-on-bind-error" value="true"/>-->
  </settings>
</configuration>
Anthem answered 18/4, 2016 at 18:44 Comment(0)
It could happen because of IPv6 issue: https://freeswitch.org/jira/browse/FS-7638

As a workaround, you can try to change event_socket bind address from :: to 192.168.59.x in autoload_configs/event_socket.conf.xml

Art answered 13/7, 2015 at 2:35 Comment(1)
No, I tested this, but this was not the root cause of this issue. I found it in the ACL configuration as explained in my comment. -- Gaultheria