FreeSWITCH: The fs_cli command-line tool and key configuration points

mod_event_socket configuration

This XML configuration file defines the host, password and related settings used to control FreeSWITCH from outside, for example when using the fs_cli tool.

The XML configuration file is, as expected, in

/usr/local/freeswitch/conf/autoload_configs/event_socket.conf.xml

In demo configuration, mod_event_socket listens on port 8021 of all network interfaces, but its ACL accepts incoming connections only from 127.0.0.1 (loopback interface on localhost). All other connections are answered with an “access denied” and shut down.

You can alter which connections are accepted by tuning two knobs:

  • listen-ip default is “::” for listening on all interfaces, IPv4 and IPv6. You can set this parameter to “0.0.0.0” for all interfaces, IPv4 only, or “127.0.0.1” for the loopback interface on localhost, etc.
  • apply-inbound-acl by default is “loopback.auto”, only the loopback interface on localhost …

Internal and external IP settings

https://lists.freeswitch.org/pipermail/freeswitch-users/2015-December/117754.html

Internal IP:port
The internal IP is the local address (behind NAT) of the host PC on which FreeSWITCH is installed, and the port is the default 5060. Calls are possible between the users (extension numbers) created in the directory folder.

External IP:port
The IP address and port needed for access from outside, or for calling out to an external line from inside. When a global address cannot be applied, the connection between the two parties is established via a STUN server. The port is 5080 (arbitrary). If the host machine is connected via NAT, port forwarding must be configured on the router. Calls are possible between the users (extension numbers) created in the directory folder.

Even for the same user, if the domain differs between internal and external, the user must be registered and authenticated separately for internal and external use. The call mode (send/receive) is also restricted.

The settings are made in the following three files.

1. Specify the DNS name (global IP)

freeswitch/conf/vars.xml

```xml
<!--  external_rtp_ip
       Can be one of:
           ip address: "12.34.56.78"
           a stun server lookup: "stun:stun.server.com"
           a DNS name: "host:host.server.com"
       where fs.mydomain.com is a DNS A record-useful when fs is on
       a dynamic IP address, and uses a dynamic DNS updater.
       If unspecified, the bind_server_ip value is used.
       Used by: sofia.conf.xml dingaling.conf.xml
   -->
<!--  <X-PRE-PROCESS cmd="stun-set" data="external_rtp_ip=stun:stun.freeswitch.org"/>  -->
<X-PRE-PROCESS cmd="set" data="external_rtp_ip=host:sip.example.org"/>
<!--  external_sip_ip
      Used as the public IP address for SDP.
       Can be one of:
           ip address: "12.34.56.78"
           a stun server lookup: "stun:stun.server.com"
           a DNS name: "host:host.server.com"
       where fs.mydomain.com is a DNS A record-useful when fs is on
       a dynamic IP address, and uses a dynamic DNS updater.
       If unspecified, the bind_server_ip value is used.
       Used by: sofia.conf.xml dingaling.conf.xml
   -->
<!--  <X-PRE-PROCESS cmd="stun-set" data="external_sip_ip=stun:stun.freeswitch.org"/>  -->
<X-PRE-PROCESS cmd="set" data="external_sip_ip=host:sip.example.org"/>
```

2. Internal profile settings

freeswitch/conf/sip_profiles/internal.xml

```xml
<!--  external_sip_ip
         Used as the public IP address for SDP.
         Can be one of:
         ip address            - "12.34.56.78"
         a stun server lookup  - "stun:stun.server.com"
         a DNS name            - "host:host.server.com"
         auto                  - Use guessed ip.
         auto-nat              - Use ip learned from NAT-PMP or UPNP
     -->
<param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
<param name="ext-sip-ip" value="$${external_sip_ip}"/>
```

3. External profile settings

Each IP address is specified in vars.xml.

freeswitch/conf/sip_profiles/external.xml

```xml
<param name="rtp-ip" value="$${local_ip_v4}"/>
<param name="sip-ip" value="$${local_ip_v4}"/>
<param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
<param name="ext-sip-ip" value="$${external_sip_ip}"/>
```

Check the internal and external profile settings from the fs_cli console.

Internal profile check

> sofia status profile internal
=================================================================================================
Name             	internal
Domain Name      	N/A
Auto-NAT         	false
DBName           	sofia_reg_internal
Pres Hosts       	sip.example.org,192.168.x.xxx
Dialplan         	XML
Context          	public
Challenge Realm  	auto_from
RTP-IP           	192.168.x.xxx
Ext-RTP-IP       	host:sip.example.org
SIP-IP           	192.168.x.xxx
Ext-SIP-IP       	xxx.xx.xxx.xx
URL              	sip:mod_sofia@xxx.xx.xxx.xx:5060
BIND-URL         	sip:mod_sofia@xxx.xx.xxx.xx:5060;maddr=192.168.x.xxx;transport=udp,tcp
WS-BIND-URL     	sip:mod_sofia@192.168.x.xxx:5066;transport=ws
WSS-BIND-URL     	sips:mod_sofia@192.168.x.xxx:7443;transport=wss
HOLD-MUSIC       	local_stream://moh
OUTBOUND-PROXY   	N/A
CODECS IN        	OPUS,G722,PCMU,PCMA,H264,VP8
CODECS OUT       	OPUS,G722,PCMU,PCMA,H264,VP8
TEL-EVENT        	101
DTMF-MODE        	rfc2833
CNG              	13
SESSION-TO       	0
MAX-DIALOG       	0
NOMEDIA          	false
LATE-NEG         	true
PROXY-MEDIA      	false
ZRTP-PASSTHRU    	true
AGGRESSIVENAT    	false
CALLS-IN         	5
FAILED-CALLS-IN  	3
CALLS-OUT        	2
FAILED-CALLS-OUT 	2
REGISTRATIONS    	2

External profile check

> sofia status profile external
=================================================================================================
Name             	external
Domain Name      	N/A
Auto-NAT         	false
DBName           	sofia_reg_external
Pres Hosts       	
Dialplan         	XML
Context          	public
Challenge Realm  	auto_to
RTP-IP           	192.168.x.xxx
Ext-RTP-IP       	host:sip.example.org
SIP-IP           	192.168.x.xxx
Ext-SIP-IP       	xxx.xx.xxx.xx
URL              	sip:mod_sofia@xxx.xx.xxx.xx:5080
BIND-URL         	sip:mod_sofia@xxx.xx.xxx.xx:5080;maddr=192.168.x.xxx;transport=udp,tcp
TLS-URL          	sip:mod_sofia@xxx.xx.xxx.xx:5081
TLS-BIND-URL     	sips:mod_sofia@xxx.xx.xxx.xx:5081;maddr=192.168.x.xxx;transport=tls
WS-BIND-URL     	sip:mod_sofia@192.168.x.xxx:5066;transport=ws
WSS-BIND-URL     	sips:mod_sofia@192.168.x.xxx:7443;transport=wss
HOLD-MUSIC       	local_stream://moh
OUTBOUND-PROXY   	N/A
CODECS IN        	OPUS,G722,PCMU,PCMA,H264,VP8
CODECS OUT       	OPUS,G722,PCMU,PCMA,H264,VP8
TEL-EVENT        	101
DTMF-MODE        	info
CNG              	13
SESSION-TO       	0
MAX-DIALOG       	0
NOMEDIA          	false
LATE-NEG         	true
PROXY-MEDIA      	false
ZRTP-PASSTHRU    	true
AGGRESSIVENAT    	false
CALLS-IN         	3
FAILED-CALLS-IN  	3
CALLS-OUT        	5
FAILED-CALLS-OUT 	5
REGISTRATIONS    	1

Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols

This document describes a protocol for Network Address Translator
(NAT) traversal for UDP-based multimedia sessions established with
the offer/answer model. This protocol is called Interactive
Connectivity Establishment (ICE). ICE makes use of the Session
Traversal Utilities for NAT (STUN) protocol and its extension,
Traversal Using Relay NAT (TURN). ICE can be used by any protocol
utilizing the offer/answer model, such as the Session Initiation
Protocol (SIP).

Session Traversal Utilities for NAT (STUN)

Session Traversal Utilities for NAT (STUN) is a protocol that serves
as a tool for other protocols in dealing with Network Address
Translator (NAT) traversal. It can be used by an endpoint to
determine the IP address and port allocated to it by a NAT. It can
also be used to check connectivity between two endpoints, and as a
keep-alive protocol to maintain NAT bindings. STUN works with many
existing NATs, and does not require any special behavior from them.
STUN is not a NAT traversal solution by itself. Rather, it is a tool
to be used in the context of a NAT traversal solution. This is an
important change from the previous version of this specification (RFC
3489), which presented STUN as a complete solution.
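As an added example (not from the article or the STUN RFC text quoted above), the Binding exchange that a `stun:` lookup such as the commented `stun-set` line in vars.xml performs, in Python: build the request, parse the XOR-MAPPED-ADDRESS attribute from the reply to learn the public IP:port the NAT allocated, plus a constructed reply for offline use. `stun_lookup` contacts a real server on UDP 3478 and needs network access; only IPv4 addresses are decoded.

```python
import os
import socket
import struct

STUN_MAGIC_COOKIE = 0x2112A442        # RFC 5389 fixed cookie; also the XOR key
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txn_id):
    """20-byte STUN header with no attributes: type, length, cookie, 96-bit txn id."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txn_id

def parse_binding_response(data, txn_id):
    """Return (public_ip, public_port) from the XOR-MAPPED-ADDRESS attribute of a
    Binding success response whose transaction id matches our request."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != STUN_MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a matching Binding success response")
    body, off = data[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) // 4) * 4        # attribute values are padded to 4 bytes
        if atype != ATTR_XOR_MAPPED_ADDRESS or alen < 8 or value[1] != 0x01:
            continue                            # only IPv4 (family 0x01) handled here
        xport, xaddr = struct.unpack("!HI", value[2:8])
        port = xport ^ (STUN_MAGIC_COOKIE >> 16)         # XOR with top 16 bits of cookie
        addr = struct.pack("!I", xaddr ^ STUN_MAGIC_COOKIE)
        return socket.inet_ntoa(addr), port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")

def build_sample_response(txn_id, ip, port):
    """Constructed server reply carrying XOR-MAPPED-ADDRESS, for offline use only."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ STUN_MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (STUN_MAGIC_COOKIE >> 16), xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + txn_id + attr

def stun_lookup(server, port=3478, timeout=3.0):
    """Ask a real STUN server (needs network) which public address:port it sees us on."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txn_id), (server, port))
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txn_id)
```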

Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)

If a host is located behind a NAT, then in certain situations it can
be impossible for that host to communicate directly with other hosts
(peers). In these situations, it is necessary for the host to use
the services of an intermediate node that acts as a communication
relay. This specification defines a protocol, called TURN (Traversal
Using Relays around NAT), that allows the host to control the
operation of the relay and to exchange packets with its peers using
the relay. TURN differs from some other relay control protocols in
that it allows a client to communicate with multiple peers using a
single relay address.
The TURN protocol was designed to be used as part of the ICE
(Interactive Connectivity Establishment) approach to NAT traversal,
though it also can be used without ICE.

:bangbang:

Firewall

Typical Ports

| Firewall Ports | Network Protocol | Application Protocol | Description |
|---|---|---|---|
| 1719 | UDP | H.323 | Gatekeeper RAS port |
| 1720 | TCP | H.323 | Call Signaling |
| 2855-2856 | TCP | MSRP | Used for call with messaging |
| 3478 | UDP | STUN service | Used for NAT traversal |
| 3479 | UDP | STUN service | Used for NAT traversal |
| 5002 | TCP | MLP protocol server | |
| 5003 | UDP | Neighborhood service | |
| 5060 | UDP & TCP | SIP UAS | Used for SIP signaling (Standard SIP Port, for default Internal Profile) |
| 5070 | UDP & TCP | SIP UAS | Used for SIP signaling (For default “NAT” Profile) |
| 5080 | UDP & TCP | SIP UAS | Used for SIP signaling (For default “External” Profile) |
| 8021 | TCP | ESL | Used for mod_event_socket ***** |
| 16384-32768 | UDP | RTP/RTCP multimedia streaming | Used for audio/video data in SIP, Verto, and other protocols |
| 5066 | TCP | Websocket | Used for WebRTC |
| 7443 | TCP | Websocket | Used for WebRTC |
| 8081-8082 | TCP | Websocket | Used for Verto |

ESL SECURITY RISK

Think carefully about opening the ESL port to the external world and change the default password. ESL allows any system commands to be run or even to crash FreeSWITCH for call recovery testing. Allowing public access is therefore a security risk.
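Added audit example in Python (not part of the article or of FreeSWITCH) that ties together the listen-ip / apply-inbound-acl knobs from the mod_event_socket section and the password advice here: it parses an event_socket.conf.xml and reports settings that would expose ESL beyond localhost. Both configuration documents are constructed; the stock password value is the well-known FreeSWITCH default.

```python
import xml.etree.ElementTree as ET

DEFAULT_ESL_PASSWORD = "ClueCon"          # stock FreeSWITCH ESL password; change it
LOOPBACK_LISTEN = {"127.0.0.1", "::1"}

# Constructed sample: demo-style event_socket.conf.xml opened to every interface,
# with no inbound ACL and the stock password left in place.
RISKY_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>"""

# The same file with the knobs from the mod_event_socket section set conservatively.
HARDENED_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="REPLACE-WITH-A-LONG-RANDOM-SECRET"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>"""

def esl_params(xml_text):
    """Collect the <param name="..." value="..."/> entries of event_socket.conf.xml."""
    return {p.get("name"): p.get("value") for p in ET.fromstring(xml_text).iter("param")}

def audit_esl(xml_text):
    """Return findings that would expose ESL; an empty list means loopback-only,
    ACL-restricted and not using the stock password."""
    params = esl_params(xml_text)
    findings = []
    listen_ip = params.get("listen-ip", "::")      # unset means "::" (all interfaces)
    acl = params.get("apply-inbound-acl")
    port = params.get("listen-port", "8021")
    if listen_ip not in LOOPBACK_LISTEN:
        findings.append(f"listen-ip {listen_ip!r} binds ESL on non-loopback interfaces")
        if not acl:
            findings.append(f"no apply-inbound-acl: any host reaching TCP/{port} may try to authenticate")
    if acl and acl != "loopback.auto":
        findings.append(f"apply-inbound-acl {acl!r}: confirm the ACL in acl.conf.xml lists only management hosts")
    if params.get("password", DEFAULT_ESL_PASSWORD) == DEFAULT_ESL_PASSWORD:
        findings.append("password is the stock default; set a long random secret")
    return findings
```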


Amazon EC2


:warning: For creating the certificate files needed for WebSocket and SIP TLS connections, see also the WebRTC article below (click the ↑ at the bottom right).