Restricting outbound calls in FreePBX (whitelist)

Previously, we discussed preventing outbound calls from FreePBX by using two methods: Misc Applications and outbound routes. There is also (at least) two ways to allow outgoing calls using a whitelist, i.e. allowing calls only to the numbers specified.

The first one is extremely simple, and I can already hear you saying “Duh!”. But sometimes the answer to a problem is staring us right in the face and we miss it anyway. So at the risk of insulting some of you, and hopefully enlightening some of you, here it is: Password protect your outbound routes. Yes, extremely primitive - but it works! Password protect those routes that you don’t want your users calling, and just leave the others unprotected. This will allow for an environment where you have very tight control over outbound calls.

The second way to restrict outbound calls is much more sophisticated and allows for refined control of which extensions/user are restricted and which aren’t (obviously without the use of a password). One of the goals of this method are to restrict the outbound calls but nothing else. This method will keep all other FreePBX applications available to the restricted user: Voice Mail, Conferences, Paging, Call Forwarding, etc. - will all be available. The only thing restricted will be outgoing calls.

The first step is to segregate the restricted context form the other users. Start by opening /etc/asterisk/extensions_custom.conf and adding the following context:

#exec /var/lib/asterisk/bin/

The next step is to make sure asterisk will ‘follow’ the ‘exec’. Open /etc/asterisk/asterisk.conf and make sure you have a line that reads:

execincludes=yes ; support #exec in config files

(specifically, ensure there is no ; at the begging of the line). Next download this script, and save it to /var/lib/asterisk/bin/ Now, create /etc/asterisk/whitelist and add a list of numbers that you want whitelisted. Here a helpful hint: you can a space and a description after the number so that you remember who’s number it is and why its there. Here’s an example:

2125551212 bob
6565552121 marry
4264441212 bill

The last step is to place any extension that you want restricted in to the restricted context. In FreePBX, click Extensions -> select the extension -> and scroll down to the context option. Append -restricted to the text and click submit.

Finally, from the linux cli, type amportal chown and reload the asterisk dialplan in your usual way, either by clicking the orange reload bar in FreePBX or by entering dialplan reload from the asterisk cli.

Now, try to place a call from your restricted context - it should be blocked!

The way this works is as follows: when you reload asterisk, it executes the scrip and includes its output in the dialplan (dynamically). The scipt reads the FreePBX generated dialplan and copys the entire from-internal-additional dialplan in to our custom context (well, not the entire dialplan per se - just the includes. For more on how this works see my previous articles). It then reads the numbers listed in your whitelist file and creates routes for them as Local channels (which are callable by restricted extensions as they can call all internal extensions).Cool, eh?

Got another way to restrict outgoing calls? Lets hear about them in the comments!

Moshe Brevda, FreePBX Development Team
lazytt - FreePBX forums
hi365 - IRC

The Usersets contributed module provides call restrictions based on a whitelist

The Usersets contributed module is similar in operation to the Pinsets module that provides passwords to outbound routes (see Method 1). The difference is that it provides a whitelist of users rather than a list of PINs. Users that are not in the whitelist are blocked. The users can be of two types:
(i) a trusted user has immediate access to the outbound route from their phone
(ii)an auth user needs to provide the voicemail password to get access from their phone to the outbound route (this is suited to open plan office environments)

The module can be downloaded from:

Hi lazytt,
Although i tried to restrict the extensions as ur post ,
#exec /var/lib/asterisk/bin/ to /etc/asterisk/extensions_customer.conf

there is no "execincludes=yes ; support #exec in config files " in the /etc/asterisk/asterisk.conf

So could u give me some suggestion “how to restric the specific extensions not through Outbound Route” .

deeply hope ur reply


So add it

Hi Moshe,

My solution was to set up various Classes of Service using the Custom Contexts Module with a separate context for each type of service.
For example: internal-only, local-only, local-LD-Cellphone, etc etc.
Within each context, I used Allow Rules to limit which digits can be dialed, and also specified which trunks could be used.

Internal access to certain extensions is controlled in ext-local by applying rules here as well, for example I have doorphones with electric locks that I don’t want just anybody operating.

Most of the extension feature codes are disabled as well in these contexts.
This may look a bit control-freaky, but its what you have to do when the general public use your phones…

Is there a way to restrict extensions so they can call another extension but not use the trunks?

The iPad news

And thanks for this too!

Can the whitelist file contain pattern matching, like this (or anything else)?

972NXXXXXX Dallas area
724NXXXXXX New Castle area

sure. Any valid dialpattern should work.

Looks like it’s so linux. What about windows user?

@urkelle - Can you specify what you mean by “open offices” … I am not sure I understand what you are saying.

And maybe one of these will answer your question about passwords:

How can I download the script?