Skip to content

KAZOO Support Channels

This documentation is curated by 2600Hz as part of the KAZOO open source project. Join our community forums here for peer support. Only features in the docs.2600hz.com/supported space are included as part of our 2600Hz Support Services plan.

Acls

ACLs control whether to request username/password authentication from a source IP address or not. Kazoo maintains two lists of ACLs, one for the SBCs (typically Kamailio) and one for upstream carriers to send inbound traffic to Kazoo.

SBCs#

It is important to add your SBC IPs to the proper ACL list so that FreeSWITCH doesn't challenge incoming traffic from those SBCs.

The following SUP commands will allow you to manipulate the SBC ACL list:

  • sup -n ecallmgr ecallmgr_maintenance allow_sbc {SBC_NAME} {SBC_IP}

    This will accept traffic from {SBC_IP} without requiring authentication

  • sup -n ecallmgr ecallmgr_maintenance remove_acl {SBC_NAME}

    This will remove the ACL from the list

  • sup -n ecallmgr ecallmgr_maintenance deny_sbc {SBC_NAME} {SBC_IP}

    This will deny traffic from {SBC_IP}, if you need that for some reason

Carriers#

It is important to add your Carrier IPs to the proper ACL list so that FreeSWITCH doesn't challenge incoming traffic from those Carriers. Most carriers do not expect to be challenged.

The following SUP commands will allow you to manipulate the Carrier ACL list:

  • sup -n ecallmgr ecallmgr_maintenance allow_carrier {CARRIER_NAME} {CARRIER_IP}

    This will accept traffic from {CARRIER_IP} without requiring authentication

  • sup -n ecallmgr ecallmgr_maintenance remove_acl {CARRIER_NAME}

    This will remove the ACL from the list

  • sup -n ecallmgr ecallmgr_maintenance deny_carrier {CARRIER_NAME} {CARRIER_IP}

    This will deny traffic from {CARRIER_IP}, if you need that for some reason

Note: {CARRIER_IP} can also be a CIDR-formatted entry.

Update running ACLs#

To update all the FreeSWITCH servers' ACL lists:

  • sup -n ecallmgr ecallmgr_maintenance reload_acls

Test IP against ACLs#

You can test whether an IP would be accepted by the Carrier or SBC ACLs:

  • sup -n ecallmgr ecallmgr_maintenance test_carrier_ip {CARRIER_IP} [{FREESWITCH_NODE}]
  • sup -n ecallmgr ecallmgr_maintenance test_sbc_ip {SBC_IP} [{FREESWITCH_NODE}]

If you don't provide a FreeSWITCH node, all connected nodes will be queried. {FREESWITCH_NODE} should be formatted as the mod_kazoo node name (freeswitch@fs.server.com).