And here's my project for tomorrow. Hoping Google's Gemini AI got it right...
You're looking for a way to dynamically add a client's IP address to an Access Control List (ACL) in FusionPBX/FreeSWITCH
after they successfully authenticate (register) their extension.
This is a more advanced scenario than simply setting NAT options, as it implies you want to restrict initial connection attempts but then loosen the restriction once the device is proven legitimate.
While FusionPBX's GUI doesn't have a direct "whitelist on successful login" checkbox, you can achieve this through a combination of:
- Strict ACLs on your SIP Profile: Initially restrict who can connect.
- FreeSWITCH Event Socket Library (ESL) scripting: This is the most direct way to dynamically manipulate FreeSWITCH configurations.
- External scripting (e.g., Python, PHP) or FreeSWITCH Lua scripts: To listen for registration events and issue ACL commands.
Here's a conceptual outline and how you might approach it:
Understanding the Challenge
- Initial Connection: When a phone first tries to register, FreeSWITCH checks its apply-register-acl (if configured on the SIP Profile) and its firewall rules. If the IP isn't allowed, the registration fails before authentication.
- Dynamic Whitelisting: You want to add the IP to an allow list only after the REGISTER request successfully authenticates.
Proposed Solution: Using ESL and a Script
This method involves a custom script that monitors FreeSWITCH events and updates ACLs.
Step 1: Set up a Restricted ACL for Registrations
First, create an ACL that is initially very restrictive.
- Create a New ACL:
- Go to Advanced > Access Controls.
- Click the + button.
- Name: dynamic_registration_acl (or similar)
- Default: Set this to deny (this is crucial).
- Nodes: You might add allow for 127.0.0.1/32 (localhost) and 192.168.x.x/xx (your internal PBX network if phones are on it) so that your server can always manage itself and internal LAN phones.
- Save.
- Apply this ACL to your SIP Profile:
- Go to Advanced > SIP Profiles.
- Edit your "internal" SIP Profile (or the one your extensions register to).
- Find the parameter apply-register-acl and set its value to dynamic_registration_acl.
- Save the SIP Profile.
- Reload the SIP Profile (Status > SIP Status > "internal" > Rescan/Restart).
Now, by default, only IPs explicitly allowed in dynamic_registration_acl can register.
Step 2: Create a Script to Monitor Registrations and Update ACL
You'll need a script that connects to FreeSWITCH via the Event Socket Library (ESL), monitors for successful registration events, extracts the client's IP, and then issues a command to add that IP to your dynamic_registration_acl.
This script could be written in Python, Node.js, PHP, or even a FreeSWITCH Lua script. For simplicity, let's conceptualize a Python script using the ESL library.
Prerequisites for Scripting:
- Enable mod_event_socket: This module is usually enabled by default in FusionPBX. Verify in /etc/freeswitch/autoload_configs/modules.conf.xml.
- FreeSWITCH ESL password: You'll need the password for ESL (usually defined in /etc/freeswitch/autoload_configs/event_socket.conf.xml). The default is ClueCon.
- Python ESL library: pip install ESL
Conceptual Python Script (dynamic_acl_updater.py):
Python
see code in next post
Step 3: Run the Script
- Save the script (e.g., dynamic_acl_updater.py) on your FusionPBX server.
- Make it executable: chmod +x dynamic_acl_updater.py
- Run it: python3 dynamic_acl_updater.py
- For production, use a process manager like systemd or supervisord to keep it running in the background and restart on failure.
How it Works:
- The script connects to FreeSWITCH's Event Socket.
- It subscribes to <span>sofia::register</span> custom events, which are generated when a SIP registration occurs.
- When a successful registration happens, the script extracts the Network-IP (the public IP address the phone is seen coming from).
- It then uses the ESL api command to issue acl add YOUR_ACL_NAME CLIENT_IP/32 to add the IP to your dynamic_registration_acl.
- Immediately after, it issues reloadacl to apply the change in FreeSWITCH.
Important Considerations and Caveats:
- Security:
- ESL Password: CHANGE THE DEFAULT ClueCon PASSWORD! This is a critical security vulnerability if left default.
- ACL default deny: The default deny on dynamic_registration_acl is your first line of defense.
- Fail2ban: Ensure Fail2ban is still running and active for brute-force attacks before registration. This dynamic whitelisting is for after a successful (authenticated) registration.
- IP Changes: If the client's IP changes frequently (which is the premise), this script will continuously add new /32 entries to your ACL. Over time, this could lead to a very large ACL. FreeSWITCH handles large ACLs reasonably well, but it's something to monitor.
- Old Entries: This script doesn't automatically remove old IP addresses. You might need a separate mechanism (e.g., a cron job) to periodically clear old, stale entries from the dynamic_registration_acl based on registration expiry times or inactivity.
- Race Conditions: There's a tiny window between an IP changing and the script updating the ACL where an inbound call might fail. NAT keep-alives (as discussed in the previous answer) help minimize this by making IPs stable for longer.
- Persistent ACL: ACL changes made via the acl add command are not persistentacross FreeSWITCH restarts. If FreeSWITCH restarts, your dynamically added IPs will be lost.
- To make them persistent, you'd need the script to either:
- Write to the acl.conf.xml file directly (not recommended for robustness).
- Or, more practically, regenerate the ACL entries from a persistent database of currently registered devices (which FusionPBX itself manages). This is significantly more complex and would involve querying FusionPBX's database directly or using its API.
Alternative (Simpler but Less Secure if Not Managed): Event Guard
FusionPBX has an
Event Guard application (
Status > Event Guard). While its primary purpose is to block abusive registrations, it "uses the Advanced -> Access Control allowed nodes as a white list." You might explore if Event Guard can be configured to achieve this dynamic whitelisting in a more managed way within FusionPBX itself. However, it's generally more focused on
blocking than
allowing dynamically after successful auth.
Conclusion:
Dynamically whitelisting a client IP after a successful login is a custom solution in FusionPBX/FreeSWITCH. The most effective way is through ESL scripting to monitor registration events and update ACLs. Be mindful of the security implications and the management of dynamically growing ACLs. For most common dynamic IP scenarios, robust NAT settings on the SIP profile and phone, combined with disabling SIP ALG, are usually sufficient and less complex.