I have a FS server running on one server and on a remote server I have a Node JS instance controlling it using node_esl (a Node JS Event Socket library for FS).
Every time I'm sending a request to the server I have the following error:
[WARNING] mod_event_socket.c:2603 IP ::ffff:192.168.59.3 Rejected by acl "loopback.auto"
FS server has 2 interfaces: one is using a public IP and the second one is on a private network (192.168.59.0/24).
I checked the acl.conf.xml file and event_socket.conf.xml and I do not see anything special so far.
One last thing: this is a dev environment and FS is running in a VM (VirtualBox). The interface used for the VM is 192.168.59.103 and the GW is 192.168.59.3. So this might be a NAT issue if not an ACL issue (or both).
Do you have any idea of what the ACL configuration should be?
You must go to FreeSWITCH/conf/autoload_configs/event_socket.conf.xml and uncomment and edit the acl line:
<param name="apply-inbound-acl" value="loopback.auto"/>
You must write something like my_acl instead of loopback.auto.
After that you must go to FreeSWITCH/conf/autoload_configs/acl.conf.xml and write something like this there:
<list name="my_acl" default="deny">
<node type="allow" cidr="xxx.xxx.xxx.xxx/32"/>
<node type="allow" cidr="xxx.xxx.xxx.0/24"/>
</list>
After this, go to fs_cli and type the command:
reloadacl
Enjoy!
EDIT:
Make sure the following:
<list name="my_acl" default="deny">
<node type="allow" cidr="xxx.xxx.xxx.xxx/32"/>
<node type="allow" cidr="xxx.xxx.xxx.0/24"/>
</list>
becomes:
<list name="my_acl" default="deny">
<node type="allow" cidr="xxx.xxx.xxx.xxx/32"/>
<node type="allow" cidr="xxx.xxx.xxx.0/24"/>
<node type="allow" cidr="192.168.42.42/32"/>
<node type="allow" domain="$${domain}"/>
<!-- this allows fs_cli to connect, otherwise fs_cli won't work -->
<node type="allow" cidr="127.0.0.1/32" />
</list>
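The ACL change described in the answer above can be checked offline before running reloadacl. This is an added example, not part of the original answer and not FreeSWITCH code: it takes the reject line from the question and tests the peer address against a constructed my_acl list and a stand-in for loopback.auto. Assumptions: loopback.auto holds only loopback ranges, the most specific matching cidr node decides, and IPv4-mapped IPv6 peers are compared as IPv4.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed acl.conf.xml list: loopback for fs_cli plus the question's private network.
ACL_XML = """<list name="my_acl" default="deny">
  <node type="allow" cidr="127.0.0.1/32"/>
  <node type="allow" cidr="192.168.59.0/24"/>
  <node type="allow" domain="$${domain}"/>
</list>"""
# Stand-in for the built-in loopback.auto list (assumed: loopback addresses only).
LOOPBACK_XML = """<list name="loopback.auto" default="deny">
  <node type="allow" cidr="127.0.0.0/8"/>
  <node type="allow" cidr="::1/128"/>
</list>"""
# The reject line quoted in the question.
LOG = '[WARNING] mod_event_socket.c:2603 IP ::ffff:192.168.59.3 Rejected by acl "loopback.auto"'

def rejected_ip(line):
    """Extract the peer address from a mod_event_socket reject line."""
    m = re.search(r'IP (\S+) Rejected by acl "([^"]+)"', line)
    return m.group(1) if m else None

def normalize(ip_text):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), as logged when listen-ip is "::"."""
    ip = ipaddress.ip_address(ip_text)
    return ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip

def acl_allows(list_xml, ip_text):
    """Assumed model: the most specific matching cidr node decides, else the list default."""
    root = ET.fromstring(list_xml)
    ip = normalize(ip_text)
    verdict, best = root.get("default") == "allow", -1
    for node in root.iter("node"):
        cidr = node.get("cidr")
        if cidr is None:  # domain= nodes depend on live directory data; skipped here
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net and net.prefixlen > best:
            verdict, best = node.get("type") == "allow", net.prefixlen
    return verdict

if __name__ == "__main__":
    peer = rejected_ip(LOG)
    for xml_text in (LOOPBACK_XML, ACL_XML):
        name = ET.fromstring(xml_text).get("name")
        for ip in (peer, "127.0.0.1", "203.0.113.7"):  # 203.0.113.7: constructed outside host
            print(f"{name:14} {ip:22} {'allow' if acl_allows(xml_text, ip) else 'deny'}")
```

Keeping default="deny" and listing only the controlling hosts keeps the event socket closed to every other address, which the last test address illustrates.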
I found out why: ACL was not really that well configured. The one used was not opening the right connection for event_socket. So either Event_Socket was opened for local use only or for external use only. Had to recreate a new ACL with local access opened (necessary if you want to use fs_cli) and adding the IPs of the controlling servers.
Thx for your suggestion regarding IPv6, I tested it earlier and found out it has no effect on my "issue"
There's some info on how to get it to work here: https://wiki.freeswitch.org/wiki/Mod_event_socket#Configuration
After a bit of trial and error, all I had to do to get rid of the error was the following:
<param name="apply-inbound-acl" value="loopback.auto"/>
Here's my working event_socket.conf.xml file:
<configuration name="event_socket.conf" description="Socket Client">
<settings>
<param name="nat-map" value="false"/>
<param name="listen-ip" value="::"/>
<param name="listen-port" value="8021"/>
<param name="password" value="ClueCon"/>
<param name="apply-inbound-acl" value="loopback.auto"/>
<!--<param name="stop-on-bind-error" value="true"/>-->
</settings>
</configuration>