Freeswitch will consider a customer's IP address as trusted even if not present in ACL


Yannick Guay

May 19, 2016, 4:29:38 PM5/19/16
to 2600hz-users
Hi 2600hz-users,

I'm witnessing a very very strange behaviour that only started a few days ago. Freeswitch appears to consider one of our customers' IP addresses as though it was one of our carriers. The consequence of this is that no calls are routed because they don't get sent to our carrier.

Below is some tracelog from Freeswitch.

Not trusted, therefore will issue a challenge (expected behaviour):

2016-05-19 15:56:36.266801 [DEBUG] sofia.c:8825 1 acls to check for proxy
2016-05-19 15:56:36.266801 [DEBUG] sofia.c:8830 checking aaa.aaa.aaa.aaa against acl authoritative
2016-05-19 15:56:36.266801 [INFO] sofia.c:8832 aaa.aaa.aaa.aaa is a proxy according to the authoritative acl
2016-05-19 15:56:36.266801 [DEBUG] sofia.c:8842 network ip is a proxy
2016-05-19 15:56:36.266801 [DEBUG] sofia.c:8846 found auth ip [X-AUTH-IP] header of [bbb.bbb.bbb.bbb]
2016-05-19 15:56:36.266801 [DEBUG] sofia.c:8870 IP aaa.aaa.aaa.aaa Rejected by acl "trusted". Falling back to Digest auth.

Trusted, therefore will not issue a challenge (bad behaviour):

2016-05-19 15:42:03.666627 [DEBUG] sofia.c:8825 1 acls to check for proxy
2016-05-19 15:42:03.666627 [DEBUG] sofia.c:8830 checking aaa.aaa.aaa.aaa against acl authoritative
2016-05-19 15:42:03.666627 [INFO] sofia.c:8832 aaa.aaa.aaa.aaa is a proxy according to the authoritative acl
2016-05-19 15:42:03.666627 [DEBUG] sofia.c:8842 network ip is a proxy
2016-05-19 15:42:03.666627 [DEBUG] sofia.c:8846 found auth ip [X-AUTH-IP] header of [bbb.bbb.bbb.bbb]
2016-05-19 15:42:03.666627 [DEBUG] sofia.c:8878 IP bbb.bbb.bbb.bbb Approved by acl "trusted[]". Access Granted.


Where aaa.aaa.aaa.aaa is Kamailio's IP address and bbb.bbb.bbb.bbb is our customer's IP address.


Another observation is that the two tracelogs do not take the same path in sofia.c (line 8870 vs. line 8878), which means Kazoo rejects Kamailio's IP in the first example whereas it is the customer's IP in the second one.


Note that neither "sup -necallmgr ecallmgr_maintenance carrier_acls list_acls" nor "sup -necallmgr ecallmgr_maintenance sbc_acls list_acls" lists bbb.bbb.bbb.bbb as part of Kazoo's ACL.



Let me know if more trace/details are required.


Any clue on that issue? This is very weird. Thanks


Best Regards,

-Yannick

Darren Schreiber

May 19, 2016, 4:30:03 PM5/19/16
to 2600hz...@googlegroups.com

Your ACLs must be wrong. What's the output of "reloadacl"?


Yannick Guay

May 19, 2016, 8:29:46 PM5/19/16
to 2600hz-users, dschr...@2600hz.com
Darren,

It shows no evidence of that customer's IP address; I carefully looked at it no later than yesterday. Here it is (I obfuscated the IP addresses, obviously):

freeswitch@internal> reloadacl
+OK acl reloaded

2016-05-19 19:22:55.466653 [ERR] switch_xml.c:1380 Couldnt open /etc/freeswitch/gateways/*.xml (No such file or directory)
2016-05-19 19:22:55.466653 [ERR] switch_xml.c:1380 Couldnt open /etc/kazoo/freeswitch/dialplan/*.xml (No such file or directory)
2016-05-19 19:22:55.466653 [ERR] switch_xml.c:1380 Couldnt open /etc/kazoo/freeswitch/chatplan/*.xml (No such file or directory)
2016-05-19 19:22:55.466653 [ERR] switch_xml.c:1380 Couldnt open /etc/kazoo/freeswitch/directory/*.xml (No such file or directory)
2016-05-19 19:22:55.486628 [NOTICE] switch_core.c:1258 Created ip list rfc1918.auto default (deny)
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 10.0.0.0/8 (allow) [] to list rfc1918.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 172.16.0.0/12 (allow) [] to list rfc1918.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 192.168.0.0/16 (allow) [] to list rfc1918.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_core.c:1266 Created ip list wan.auto default (allow)
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 0.0.0.0/8 (deny) [] to list wan.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 10.0.0.0/8 (deny) [] to list wan.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 172.16.0.0/12 (deny) [] to list wan.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 192.168.0.0/16 (deny) [] to list wan.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 169.254.0.0/16 (deny) [] to list wan.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_core.c:1276 Created ip list nat.auto default (deny)
2016-05-19 19:22:55.486628 [NOTICE] switch_core.c:1278 Adding a.b.c.d/255.255.255.0 (deny) to list nat.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 10.0.0.0/8 (allow) [] to list nat.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 172.16.0.0/12 (allow) [] to list nat.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 192.168.0.0/16 (allow) [] to list nat.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_core.c:1287 Created ip list loopback.auto default (deny)
2016-05-19 19:22:55.486628 [NOTICE] switch_utils.c:324 Adding 127.0.0.0/8 (allow) [] to list loopback.auto
2016-05-19 19:22:55.486628 [NOTICE] switch_core.c:1293 Created ip list localnet.auto default (deny)
2016-05-19 19:22:55.486628 [NOTICE] switch_core.c:1296 Adding a.b.c.d/255.255.255.0 (allow) to list localnet.auto
2016-05-19 19:22:55.486628 [DEBUG] kazoo_fetch_agent.c:216 Sending configuration XML request (9db22b48-1e18-11e6-960e-57cf0f28412a) to ecal...@mydomain.com <1.6072.1265>
2016-05-19 19:22:55.486628 [DEBUG] kazoo_fetch_agent.c:216 Sending configuration XML request (9db224d6-1e18-11e6-960d-57cf0f28412a) to ecal...@mydomain.com <1.6072.1265>
2016-05-19 19:22:55.526608 [DEBUG] kazoo_node.c:1100 Sent erlang message to ecal...@mydomain.com <1.6072.1265>
2016-05-19 19:22:55.526608 [DEBUG] kazoo_node.c:1100 Sent erlang message to ecal...@mydomain.com <1.6072.1265>
2016-05-19 19:22:55.526608 [DEBUG] kazoo_fetch_agent.c:277 Received configuration XML (9db224d6-1e18-11e6-960d-57cf0f28412a) after 39ms: <document type="freeswitch/xml"><section name="result" description="Route Not Found"><result status="not found"/></section></document>
2016-05-19 19:22:55.526608 [DEBUG] kazoo_fetch_agent.c:216 Sending configuration XML request (9db4a30a-1e18-11e6-960f-57cf0f28412a) to ecal...@mydomain.com <1.6072.1265>
2016-05-19 19:22:55.726620 [DEBUG] kazoo_node.c:1100 Sent erlang message to ecal...@mydomain.com <1.6072.1265>
freeswitch@internal> 2016-05-19 19:22:55.726620 [DEBUG] kazoo_fetch_agent.c:277 Received configuration XML (9db4a30a-1e18-11e6-960f-57cf0f28412a) after 200ms: <document type="freeswitch/xml"><section name="result" description="Route Not Found"><result status="not found"/></section></document>
2016-05-19 19:22:55.726620 [INFO] switch_time.c:1369 Timezone reloaded 530 definitions
2016-05-19 19:22:56.006612 [DEBUG] kazoo_fetch_agent.c:277 Received configuration XML (9db22b48-1e18-11e6-960e-57cf0f28412a) after 519ms: <document type="freeswitch/xml"><section name="configuration"><configuration name="acl.conf" description="kazoo generated ACL lists"><network-lists><list name="authoritative" default="deny"><node type="allow" cidr="a.b.c.d/32"/></list><list name="trusted" default="deny"><node type="allow" cidr="a.b.c.d/32"/><node type="allow" cidr="a.b.c.d/32"/><node type="allow" cidr="a.b.c.d/3"/><node type="allow" cidr="a.b.c.d/3"/><node type="allow" cidr="a.b.c.d/32"/><node type="allow" cidr="a.b.c.d/32"/><node type="allow" cidr="a.b.c.d/32"/><node type="allow" cidr="a.b.c.d/32"/><node type="allow" cidr="a.b.c.d/32"/></list></network-lists></configuration></section></document>
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1321 Created ip list authoritative default (deny)
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/32 (allow) [] to list authoritative
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/32 (allow) to list authoritative
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1321 Created ip list trusted default (deny)
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/32 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/32 (allow) to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/32 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/32 (allow) to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/3 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/3 (allow) to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/3 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/3 (allow) to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/32 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/32 (allow) to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/32 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/32 (allow) to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/32 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/32 (allow) to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/32 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/32 (allow) to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/32 (allow) [] to list trusted
2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/32 (allow) to list trusted

One question comes to mind though: why is each address added twice? i.e. "Adding a.b.c.d/32 (allow) [] to list trusted" and then "Adding a.b.c.d/32 (allow) to list trusted". Is this expected?

Can you find anything obvious? Thanks.
-Yannick

Darren Schreiber

May 20, 2016, 1:22:41 AM5/20/16
to 2600hz-users

> 2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/3 (allow) [] to list trusted
> 2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/3 (allow) to list trusted
> 2016-05-19 19:22:56.006612 [NOTICE] switch_utils.c:324 Adding a.b.c.d/3 (allow) [] to list trusted
> 2016-05-19 19:22:56.006612 [NOTICE] switch_core.c:1396 Adding a.b.c.d/3 (allow) to list trusted

Is this an error from your copy/paste? If not, it says /3.

That's the majority of the internet you are allowing. Looks like a typo.
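The /3 entry above is the kind of mistake that is easy to miss in a wall of NOTICE lines but trivial for a script to catch. The following is an added example, not code from the thread, from Kazoo or from FreeSWITCH: it parses a constructed acl.conf fragment shaped like the one returned in the reloadacl output, replays the two-step check visible in the sofia.c log lines from the first post (is the source a proxy in "authoritative"? if so, check the X-AUTH-IP address against "trusted"), and audits every allow node for a prefix shorter than a chosen threshold. The addresses are RFC 5737 documentation ranges standing in for the obfuscated aaa/bbb/a.b.c.d values, the "any matching allow node wins, otherwise the list default applies" rule is a simplified model of FreeSWITCH's ACL matching (the page's lists contain only allow nodes with a deny default, which is all this models), and the /8 threshold is an arbitrary choice for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the kazoo-generated acl.conf XML quoted in the
# thread. The second "trusted" node carries the truncated /3 from the report.
ACL_XML = """<document type="freeswitch/xml"><section name="configuration">
<configuration name="acl.conf" description="kazoo generated ACL lists">
<network-lists>
<list name="authoritative" default="deny">
  <node type="allow" cidr="192.0.2.10/32"/>
</list>
<list name="trusted" default="deny">
  <node type="allow" cidr="198.51.100.1/32"/>
  <node type="allow" cidr="198.51.100.2/3"/>
  <node type="allow" cidr="198.51.100.3/32"/>
</list>
</network-lists></configuration></section></document>"""

# Same fragment with the typo corrected (the page's fix: /3 should have been /32).
FIXED_ACL_XML = ACL_XML.replace('/3"', '/32"')

KAMAILIO_IP = "192.0.2.10"    # stands in for aaa.aaa.aaa.aaa (the SBC/proxy)
CUSTOMER_IP = "203.0.113.25"  # stands in for bbb.bbb.bbb.bbb (a customer)


def parse_acls(xml_text):
    """Return {list_name: (default, [(node_type, ip_network), ...])}."""
    root = ET.fromstring(xml_text)
    acls = {}
    for lst in root.iter("list"):
        nodes = []
        for node in lst.findall("node"):
            # strict=False masks off host bits, so 198.51.100.2/3 becomes
            # 192.0.0.0/3 rather than raising ValueError.
            net = ipaddress.ip_network(node.get("cidr"), strict=False)
            nodes.append((node.get("type"), net))
        acls[lst.get("name")] = (lst.get("default"), nodes)
    return acls


def acl_allows(acls, list_name, ip):
    """Simplified model: any matching allow node allows, any matching deny node
    denies, otherwise the list default decides (assumption for this example)."""
    default, nodes = acls[list_name]
    addr = ipaddress.ip_address(ip)
    for node_type, net in nodes:
        if addr in net:
            return node_type == "allow"
    return default == "allow"


def sip_auth_decision(acls, network_ip, x_auth_ip=None):
    """Replay the flow the sofia.c log lines show: if the packet's source is a
    proxy per "authoritative", the address to judge is the X-AUTH-IP header;
    otherwise it is the source itself. Returns ("trusted"|"digest", judged_ip)."""
    if acl_allows(acls, "authoritative", network_ip) and x_auth_ip:
        candidate = x_auth_ip
    else:
        candidate = network_ip
    if acl_allows(acls, "trusted", candidate):
        return ("trusted", candidate)
    return ("digest", candidate)


def audit_broad_entries(acls, min_prefixlen=8):
    """Flag allow nodes whose prefix is shorter than min_prefixlen.
    Returns [(list_name, network, address_count), ...]."""
    findings = []
    for name, (_default, nodes) in acls.items():
        for node_type, net in nodes:
            if node_type == "allow" and net.prefixlen < min_prefixlen:
                findings.append((name, str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("as reported", ACL_XML), ("after fix", FIXED_ACL_XML)):
        acls = parse_acls(xml_text)
        print(label, "->", sip_auth_decision(acls, KAMAILIO_IP, CUSTOMER_IP))
        for name, net, count in audit_broad_entries(acls):
            print(f"  WARNING: list {name!r} allows {net} ({count} addresses)")
```

Run against the reported fragment, the customer address is judged "trusted" because it falls inside 192.0.0.0/3, which covers 2^29 addresses; the audit flags that node. With the /32 restored, the same INVITE falls back to digest auth, matching the "Rejected by acl "trusted". Falling back to Digest auth." line in the first post. Running the audit on the XML that reloadacl prints (or on the output of the sup list_acls command) after every ACL change would have caught the truncated prefix before it went live.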

Yannick Guay

May 20, 2016, 8:29:38 AM5/20/16
to 2600hz-users, dschr...@2600hz.com
Darn, indeed a typo.

The "sup -necallmgr ecallmgr_maintenance carrier_acls list_acls" command truncates longer CIDR fields in the output. This started when I recreated this list using that output. Hence the typo.

Thanks a lot Darren. I was really scratching my head :)