Access Control List (ACL)

Hello, I need help with ACL configuration of extensions.

I want to accept remote extension registration only for certain extensions.

I have tried to fill in the Match (Permit) section of the extension, but it didn’t affect anything.

I have tried to manually add the following in pjsip.identify_custom.conf:
deny=0.0.0.0/0.0.0.0
permit=1.1.1.1/32
but the result is the same.

How can I realise that?

Current Asterisk Version: 16.30.0
Current PBX Version: 16.0.40.4
Current System Version: 12.7.8-2306-1.sng7

The Permit part of Match (Permit) is misleading. You are actually matching extensions by user name, and that is ORed with any IP address match; FreePBX PJSIP extensions never need Match (Permit).

As far as I know, the GUI doesn’t support specifying ACLs, so you would need to use custom configuration. Note that ACLs are not endpoint specific, so will give little benefit over the firewall:

Note that there are known vulnerabilities in 16.30.0 and security fixes for Asterisk 16 will cease entirely some time in October.

I saw “EXAMPLE ACL CONFIGURATION” but I can’t understand how to apply this.

For example, in which _custom.conf file and section do I need to add deny=209.16.236.1 to restrict registration even if the log/pass are correct?

As I read it, the section name doesn’t matter, and it can probably go in any custom file for pjsip.conf.

Note that it will apply to INVITE as well as REGISTER, which is probably what you want, as there is no requirement for an extension to REGISTER before it originates a call.

I can’t imagine many people use this. They are more likely to block using the firewall than ACL.

The firewall doesn’t allow restricting access based on extensions; ACL does.

I have tried adding an ACL to the identify section, but it doesn’t work:
[100-identify]
type=identify
endpoint=100
deny=0.0.0.0/0.0.0.0
permit=192.168.100.100/32

It is the same when adding acl=myacl (myacl is defined in acl.conf, and acl show displays the list).
What am I doing wrong?

The example clearly shows that it goes in a type=acl section and its effect is global. Your original example was a single deny, which might be meaningful. A single allow is unlikely to be useful.
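The last reply's point, that a lone deny can be meaningful while a lone permit changes nothing, comes down to how an ordered deny/permit list is evaluated. The sketch below is an added example, not part of the thread and not Asterisk's own code; it assumes the default verdict is allow and the last matching rule wins, and `parse_rules`, `allowed`, `evaluate_all` and the probe address 203.0.113.7 are hypothetical names and values.

```python
import ipaddress

def parse_rules(text):
    """Collect deny=/permit= lines in file order (hypothetical helper)."""
    rules = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("deny", "permit"):
            # Handles a.b.c.d, a.b.c.d/len and a.b.c.d/netmask forms.
            rules.append((key, ipaddress.ip_network(value, strict=False)))
    return rules

def allowed(rules, source_ip):
    """Assumed semantics: start at allow, the last matching rule decides."""
    addr = ipaddress.ip_address(source_ip)
    verdict = True
    for action, net in rules:
        if addr in net:
            verdict = action == "permit"
    return verdict

# Rule sets in the three shapes discussed in the thread.
RULESETS = {
    "single deny": "deny=209.16.236.1",
    "single permit": "permit=192.168.100.100/32",
    "deny all, then permit": "deny=0.0.0.0/0.0.0.0\npermit=192.168.100.100/32",
}
# Source addresses to test; 203.0.113.7 is a constructed outsider.
PROBES = ["192.168.100.100", "209.16.236.1", "203.0.113.7"]

def evaluate_all():
    """Return {ruleset name: {source ip: allowed?}} for every probe."""
    return {
        name: {ip: allowed(parse_rules(text), ip) for ip in PROBES}
        for name, text in RULESETS.items()
    }

if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(name, verdicts)
```

Under these assumptions the single permit admits every probe, which is why only the deny-all-then-permit form narrows access to one source address.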
