Posts with the name or tag of Linux;

by emran

How to open Unlimited Socket in linux?

10:17 pm in Linux by emran

Execute this in your shell (or in the application's start-up script, since limits apply only to that shell and its children) before you start the application:

ulimit -c unlimited
ulimit -d unlimited
ulimit -f unlimited
ulimit -i unlimited
ulimit -n 999999
ulimit -q unlimited
ulimit -u unlimited
ulimit -v unlimited
ulimit -x unlimited
ulimit -s 244
ulimit -l unlimited

Notes: the line that actually matters for sockets is ulimit -n, because every socket is a file descriptor. An unprivileged shell can only raise the soft limit up to the hard limit, so either run this as root or raise the hard limit first in /etc/security/limits.conf (the nofile item); the kernel's fs.file-max and fs.nr_open sysctls cap it further. ulimit -s 244 sets the stack size to 244 KB rather than removing a limit, and -i, -q and -x are bash-specific options that other shells reject.
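The descriptor limit is the one a start-up script should handle carefully, so here is an added example (not part of the original post) of raising it the way an init script would: clamp the request to what the hard limit permits, apply it, and report how many descriptors the process tree can still open. Function names and the /proc-based count are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: raise the open-file (socket)
# limit safely from a start-up script.

# raise_nofile WANT -> prints the soft limit actually in force afterwards
raise_nofile() {
    want=$1
    hard=$(ulimit -Hn)
    # Only root can go above the hard limit; everybody else is clamped to it.
    if [ "$hard" != "unlimited" ] && [ "$want" -gt "$hard" ]; then
        want=$hard
    fi
    ulimit -Sn "$want" || return 1
    ulimit -Sn
}

# fd_headroom -> descriptors (sockets) this shell can still open: soft limit
# minus those already open, counted via /proc on Linux (approximate elsewhere)
fd_headroom() {
    soft=$(ulimit -Sn)
    if [ "$soft" = unlimited ]; then
        echo unlimited
        return
    fi
    if [ -d "/proc/$$/fd" ]; then
        used=$(ls "/proc/$$/fd" | wc -l)
    else
        used=3      # stdin, stdout, stderr at minimum
    fi
    echo $((soft - used))
}
```

In an init script call raise_nofile before exec'ing the daemon; if the printed value is lower than requested, the hard limit (or fs.nr_open) is the ceiling and must be raised out of band.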

by emran

Text-To-Speech (TTS) from AT&T Research Labs

12:48 pm in CentOS, Debian, Fedora, Mandrake, Network Tools, SuSE by emran

Here is the link:

http://www.research.att.com/~ttsweb/tts/demo.php

by emran

List of TCP and UDP port numbers

12:46 pm in CentOS, Debian, Fedora, FreeBSD, Mandrake, NetBSD, OpenBSD, SuSE by emran

The following link contains list of TCP and UDP ports:

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

by emran

SIP TLS in FreeSWITCH

12:40 pm in Linux by emran

FreeSWITCH supports encrypting SIP signaling traffic with TLS (SIP over TLS, "SIPS"). The convention is to run SIPS on port 5061. More complex configurations are possible, but they are not covered here.

You will need the following in order to compile FreeSWITCH with TLS encryption support:

  • the OpenSSL development package installed (libssl-dev on Debian, openssl-devel on Red Hat-based systems).

If the OpenSSL development package is not installed, the sip_profile that contains the encryption directives shown in Step 3 will fail to start. If you compiled FreeSWITCH without it, the build has no encryption support and you must re-compile after installing the package.

On Debian: aptitude install libssl-dev, then compile.

Step 1 – Generate the CA Certificate

To use TLS you need at least two certificates: the root (CA) certificate and one certificate per server. The script /{prefix}/freeswitch/bin/gentls_cert (also in the source tarball as {tarball}/scripts/gentls_cert) generates them. Running

   ./gentls_cert setup

creates a new root certificate at /{prefix}/freeswitch/conf/ssl/cafile.pem. It is used to digitally sign all server certificates and normally must also be installed on every phone, so the phones can verify the server. Protect the CA private key: anyone holding it can mint a certificate that every phone trusts.

Step 2 – Generate the Server Certificate

The command:

   ./gentls_cert create -cn freeswitch.org -alt DNS:freeswitch.org

creates the server certificate at /{prefix}/freeswitch/conf/ssl/agent.pem. This file contains both the certificate and the private key, so restrict its permissions to the FreeSWITCH user. The domain name must appear in both the Common Name and the Subject Alternative Name, because clients match the SIP domain against the certificate.

Setting up a new CA and creating a server certificate under Windows is covered on a separate page.

A new certificate takes effect only after FreeSWITCH is restarted.
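Steps 1 and 2 above, as an added example that is not part of the original post and is not FreeSWITCH's gentls_cert: the same CA and server-certificate generation done with plain openssl(1), producing the cafile.pem / agent.pem layout FreeSWITCH expects, plus the verification a phone holding cafile.pem performs. The subject names, directory, key sizes and lifetimes are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post or FreeSWITCH: CA + server cert
# with openssl(1), laid out like FreeSWITCH's conf/ssl directory.
set -e

# make_tls_pair DIR CN -> writes DIR/cafile.pem, DIR/cakey.pem,
# DIR/agent.pem (key + cert) and DIR/agent.crt (cert only, for checking)
make_tls_pair() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # 1. self-signed CA; cakey.pem signs every server cert, so keep it out of
    #    reach of the SIP daemon and of the phones.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/CN=Example SIP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cafile.pem" 2>/dev/null
    # 2. server key + CSR for the SIP domain (the "-cn" of gentls_cert).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/agent.key" -out "$dir/agent.csr" 2>/dev/null
    # 3. CA signs it and adds the SAN (the "-alt DNS:" of gentls_cert);
    #    -extfile works on every OpenSSL release, unlike -copy_extensions.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/agent.csr" -CA "$dir/cafile.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/san.cnf" -out "$dir/agent.crt" 2>/dev/null
    # 4. agent.pem = private key followed by certificate, as gentls_cert lays
    #    it out; it holds a private key, so it must not be world-readable.
    cat "$dir/agent.key" "$dir/agent.crt" > "$dir/agent.pem"
    chmod 600 "$dir/agent.pem" "$dir/cakey.pem"
    rm -f "$dir/agent.key" "$dir/agent.csr" "$dir/san.cnf"
}

# check_tls_pair DIR CN -> 0 if agent.crt chains to cafile.pem and carries CN
# in its SAN, 1 otherwise (what a phone with cafile.pem installed verifies)
check_tls_pair() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/cafile.pem" "$dir/agent.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/agent.crt" -noout -text | grep -q "DNS:$cn"
}
```

Run make_tls_pair against a scratch directory first; once check_tls_pair passes for the SIP domain the phones will dial, copy cafile.pem and agent.pem into conf/ssl and restart FreeSWITCH. A certificate whose SAN does not name the domain fails the check, which is exactly the failure phones report as "untrusted server".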

Step 3 – Sofia Profile Configuration

The TLS settings live in vars.xml. The relevant block in the default configuration is:

  <!--
      SIP and TLS settings.
  -->
  <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1"/>

  <!-- Internal SIP Profile -->
  <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
  <X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
  <X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
  <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>

  <!-- External SIP Profile -->
  <X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
  <X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
  <X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
  <X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
  <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>

ATTENTION: TLS is disabled by default; set internal_ssl_enable and/or external_ssl_enable to "true" to enable it. sip_tls_version=tlsv1 is the value shipped at the time; current releases accept a comma-separated list of versions, and only tlsv1.2 should be allowed today, since TLS 1.0 and 1.1 are deprecated.

Step 4 – Securing the RTP Channels (optional)

Calls that originate from the phone have sip_secure_media set if TLS is set up. Check the global extension in the dialplan: there is a commented-out section that, when enabled, requires SRTP on the outbound leg if the inbound leg is encrypted. Enabling it is problematic with most ITSPs, since they do not support TLS.

For calls that originate from FreeSWITCH (or are routed through it) and terminate on a user/ endpoint (e.g. calls to a phone), the following change enables SRTP if the endpoint registered over TLS. Note that registering over TLS without requiring SRTP is a valid configuration; this change disables that option for user/ endpoints. It would also need further refinement to support ZRTP on user/ endpoints that connect over TLS. In that case a better approach is to set something on the user's directory entry that specifies which RTP encryption to offer (in other words, there is a reason this is not the default setting).

Edit conf/directory/default.xml and change the dial-string param to:

 <param name="dial-string" value="{sip_secure_media=${regex(${sofia_contact(${dialed_user}@${dialed_domain})}|transport=tls)},presence_id=${dialed_user}@${dialed_domain}}${sofia_contact(${dialed_user}@${dialed_domain})}" />

Why it's a good idea

The SIP Encryption Primer explains why encrypting the RTP media is worthwhile. The mechanics are largely driven from the dialplan and have their own wiki page.

SRTP by itself, without TLS, is not secure: the SRTP keys are exchanged between the two endpoints in the SDP, in the clear, over SIP, which is unprotected without TLS.

See the Secure RTP page of the FreeSWITCH Wiki for how to deploy SRTP.

For a completely secure connection (signaling + media) use TLS + SRTP. TLS without SRTP secures the SIP signaling only; SRTP without TLS does not really secure RTP.

by emran

FreeRADIUS Unique Accounting Id

12:31 pm in CentOS, Fedora by emran

The rlm_acct_unique module creates a unique accounting session Id.

Many NAS vendors have their equipment supply an Acct-Session-Id attribute which is not unique over reboots. This makes accounting difficult, as there will be many independent sessions with the same Acct-Session-Id attribute. This module uses the Acct-Session-Id attribute, along with other attributes in the request, to create a more unique session ID, called Acct-Unique-Session-Id.

The main configuration item to be aware of is:

key: the list of attributes whose values are hashed with MD5; the hash becomes the value of the unique session id.

Configuration

modules {
    ...
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port"
    }
}

preacct {
    ...
    acct_unique
    ...
}

After generating the MD5 hash, the module adds it to the accounting request packet received from the client. It will look something like this in your detail file:

Acct-Unique-Session-Id = "c66ef57e480b9d26"

NOTE: Any attribute you specify that is not found in the dictionary file will cause the server to fail and exit with an error.

NOTE: If you want the Acct-Unique-Session-Id of the Start and the Stop packet of a particular session to match, you must use values for the key that stay the same for the Start and the Stop. The above example is a good start. Adding Acct-Session-Time, for example, would cause a mismatch because that value is not the same on the Start and Stop accounting packets.
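To make the second NOTE concrete, here is an added example (not FreeRADIUS code) that derives an id from two constructed detail-file records the way the text describes: the values of the key attributes are hashed with MD5. The exact concatenation and truncation used here (values joined with commas, first 16 hex characters kept) are this example's assumptions and are not guaranteed to reproduce the module's bytes; the point is that a key containing only Start/Stop-invariant attributes yields the same id for both packets, while one containing Acct-Session-Time does not.

```shell
#!/bin/sh
# Added example, not part of FreeRADIUS: illustrate rlm_acct_unique's key
# rule on two constructed accounting records. Hash layout is an assumption.

# md5hex STRING -> 32 hex chars (coreutils md5sum, or openssl as fallback)
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -c1-32
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/.* //'
    fi
}

# attr_value RECORD ATTRIBUTE -> the attribute's value without quotes
attr_value() {
    printf '%s\n' "$1" | awk -v a="$2" '
        $1 == a && $2 == "=" { v = $3; gsub(/"/, "", v); print v; exit }'
}

# acct_unique RECORD KEY -> 16-hex-char id; KEY is written exactly like the
# acct_unique "key" setting (comma-separated attribute names)
acct_unique() {
    rec=$1; key=$2; joined=""
    old_ifs=$IFS; IFS=','
    for attr in $key; do
        attr=$(printf '%s' "$attr" | sed 's/^ *//;s/ *$//')
        joined="$joined$(attr_value "$rec" "$attr"),"
    done
    IFS=$old_ifs
    md5hex "$joined" | cut -c1-16
}

# Constructed Start and Stop records of one session, detail-file style.
START='Acct-Status-Type = Start
User-Name = "alice"
Acct-Session-Id = "0000A3F1"
NAS-IP-Address = 192.0.2.10
NAS-Port = 7
Acct-Session-Time = 0'
STOP='Acct-Status-Type = Stop
User-Name = "alice"
Acct-Session-Id = "0000A3F1"
NAS-IP-Address = 192.0.2.10
NAS-Port = 7
Acct-Session-Time = 1842'

GOOD_KEY="User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port"   # as in the post
BAD_KEY="User-Name, Acct-Session-Id, Acct-Session-Time"           # breaks Start/Stop pairing
```

acct_unique "$START" "$GOOD_KEY" and acct_unique "$STOP" "$GOOD_KEY" print the same id, so a billing job can pair the packets; with BAD_KEY the two ids differ and every session would look like two unrelated records.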

by emran

How to install Opensips

12:24 pm in CentOS, Debian, Fedora, OpenSIPS by emran

OpenSIPS is one of the best open-source solutions available: it provides ITSP-level services on good hardware, and a single box configured with OpenSIPS can support 5,000-10,000 concurrent calls, which lets a telco carry more than 5-10 billion minutes per year. Anyone can use it to support a business that is incurring high costs from expensive hardware such as iSoftSwitch.

REQUIREMENTS:

  1. gcc / suncc / icc : gcc >= 2.9x; 4.[012] recommended (it will work with older version but it might require some options tweaking for best performance)
  2. bison or yacc (Berkley yacc)
  3. flex
  4. GNU make (on Linux this is the standard “make”, on FreeBSD and Solaris is called “gmake”) version >= 3.79.
  5. sed and tr (used in the makefiles)
  6. GNU tar (”gtar” on Solaris) and gzip if you want “make tar” to work
  7. GNU install or BSD install (on Solaris “ginstall”) if you want “make install”, “make bin”, “make sunpkg” to work
  8. openssl if you want to compile the TLS support
  9. libsctp if you want to compile the SCTP support
  10. libmysqlclient & libz (zlib) -libs and devel headers- if you want mysql DB support (the db_mysql module)
  11. libpq / postgresql -libs and devel headers- if you want postgres DB support (the db_postgres module)
  12. unixodbc -libs and devel headers- if you want unixodbc DB support (the db_unixodbc module)
  13. libexpat if you want the jabber gateway support (the jabber module) or the XMPP gateway support
  14. libxml2 if you want to use the cpl-c (Call Processing Language) or the presence modules (presence and pua*)
  15. libradius-ng -libs and devel headers- if you want to use functionalities with radius support – authentication, accounting, group support, etc
  16. unixodbc – libs and devel headers – if you want UNIXODBC support as DB underlayer
  17. libxmlrpc-c3 – libs and devel headers – if you want to have XML-RPC support for the Management interface (MI)
  18. libperl – libs and devel headers – if you want PERL connector to support perl scripting from you config file (perl module)
  19. libsnmp9 – libs and devel headers – if you want SNMP client functionality (SNMP AgentX subagent) for opensips
  20. libldap libs and devel headers v2.1 or greater – if you want LDAP support
  21. libconfuse and devel headers – if you want to compile the carrierroute module

INSTALLATION

  1. cd /usr/src/
  2. Download OpenSIPS (for 1.5: wget http://opensips.org/pub/opensips/1.5.0/src/opensips-1.5.0-tls_src.tar.gz) and compare the tarball's checksum with the one published on opensips.org before building it.
  3. tar -xzf opensips-1.5.0-tls_src.tar.gz
  4. cd into the extracted directory
  5. make all
  6. make install

by emran

A basic firewall configuration suitable for a gateway/nat

10:50 pm in CentOS, Debian, Fedora, Mandrake, SuSE by emran

Introduction

A typical application of a NAT gateway is a private LAN of several PCs sharing an Internet connection that has a single public IP address.

  • The goal is to share the Internet connection among the LAN PCs.
  • The problem is that there is only one public IP for outbound traffic.
  • The solution is Network Address Translation (NAT for short).

The gateway (GW) is equipped with two network interfaces. One gets the public IP, the other a private IP (e.g. 192.168.0.1). Every other LAN PC has its own private IP (e.g. 192.168.0.2). When an outbound connection is requested, the LAN PC sends it to the gateway, which masquerades the traffic with the public IP, so every external connection looks as if it came from a single host.

The basic firewalling below blocks all connections from outside with the exception of SSH (port 22), which is left open for administration.

System preparation

The following assumes that the gateway has two network interfaces:

  • eth0 will be the external and
  • eth1 the internal interface.

To use iptables you need at least the following kernel components compiled in or as modules:

  • ip_tables
  • ip_conntrack and ip_conntrack_ftp (nf_conntrack and nf_conntrack_ftp on current kernels)

IP forwarding needs to be active (echo 1 > /proc/sys/net/ipv4/ip_forward; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it persistent).

Set up the external interface using the data from your provider (IP and default gateway). The internal interface (eth1) gets a private IP address; the script below uses 10.174.254.197 on the 10.174.254.192/27 network. The routing table of the gateway is set up automatically during network initialization.

Every LAN PC uses the NAT gateway's internal IP (192.168.0.1 in the introduction's example, 10.174.254.197 in the script) as its default gateway in its networking setup.

Firewall script

#!/bin/sh
ipt=/sbin/iptables
extip=192.168.2.243      # replace with your EXTERNAL IP (use -j MASQUERADE instead of SNAT if it is dynamic)
lan=10.174.254.197/27    # your LAN
debug=                   # set to "echo" to print the reset commands instead of running them

# start firewall
start_firewall() {
    echo "Enabling IP forwarding."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Enabling iptables firewall."
    # default policies
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    # NAT
    $ipt -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $extip
    # INPUT chain
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -i eth1 -s $lan -j ACCEPT
    $ipt -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -p tcp --destination-port 22 -j ACCEPT
    # FORWARD chain
    $ipt -A FORWARD -i eth1 -s $lan -j ACCEPT
    $ipt -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# stop firewall: everything closed except the internal interface
stop_firewall() {
    $ipt -P INPUT DROP
    $ipt -P OUTPUT DROP
    $ipt -P FORWARD DROP
    # allow internal traffic
    $ipt -A INPUT -i eth1 -j ACCEPT
    $ipt -A OUTPUT -o eth1 -j ACCEPT
}

# flushing, removing and zeroing all loaded tables
reset_firewall() {
    chains=`cat /proc/net/ip_tables_names`
    for i in $chains; do
        $debug $ipt -t $i -F
        $debug $ipt -t $i -X
        $debug $ipt -t $i -Z
    done
}

case "$1" in
    start|restart|reload)
        reset_firewall
        start_firewall
        ;;
    stop)
        reset_firewall
        stop_firewall
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
exit 0
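The script above installs rules one at a time, so for a moment the policy is DROP while the accept rules are still missing, and its SSH rule accepts from any interface with no rate limit. As an added example (not part of the original post), here is the same gateway policy emitted in iptables-restore format, which the kernel applies atomically, with the hardening a reviewer would ask for: anti-spoofing drops, INVALID-state drops, SSH limited to the external interface and rate-limited, and forwarding restricted to LAN-to-Internet. The interface names, addresses and rate values are placeholders, and the conntrack match is used in place of the older state match.

```shell
#!/bin/sh
# Added example, not from the original post: gateway ruleset in
# iptables-restore format plus a small invariant check.

# gen_rules EXTIP LAN_CIDR -> ruleset on stdout ("#" lines are ignored by
# iptables-restore, so the comments can stay in the file)
gen_rules() {
    extip=$1; lan=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -o eth0 -j SNAT --to-source $extip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# anti-spoofing: LAN addresses never legitimately arrive on the external side
-A INPUT -i eth0 -s $lan -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s $lan -j ACCEPT
# SSH from outside: new connections rate-limited; the excess is logged and
# then dropped by the chain policy
-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 8 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "ssh-flood: "
-A FORWARD -i eth0 -s $lan -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s $lan -j ACCEPT
COMMIT
EOF
}

# rules_ok RULESET -> 0 if the invariants hold: default DROP on INPUT and
# FORWARD, SNAT present, and no unlimited accept for port 22
rules_ok() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' &&
    printf '%s\n' "$1" | grep -q '^:FORWARD DROP' &&
    printf '%s\n' "$1" | grep -q -- '-j SNAT --to-source' &&
    ! printf '%s\n' "$1" | grep -- '--dport 22.*-j ACCEPT' | grep -vq -- '-m limit'
}
```

As root, apply with gen_rules 192.168.2.243 10.174.254.197/27 | iptables-restore after enabling forwarding (sysctl -w net.ipv4.ip_forward=1); run rules_ok over the generated text in CI or before applying, so a later edit that loosens a policy is caught before it reaches the gateway.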

by emran

Get your ip

10:41 pm in CentOS, Debian, Fedora by emran

#!/bin/bash
# get ip: print the IPv4 address of the interface given as $1
# (-w keeps "inet6" lines out; the sed strips the "addr:" prefix of older ifconfig)
/sbin/ifconfig "$1" | grep -w inet | awk '{print $2}' | sed 's/^addr://g'

To get your Internet address if you are behind a NAT:

#!/bin/sh
## Print the address of an interface, or, with -n, the Internet IP address
## seen from outside when you are behind a NAT (asked from an external web
## service over plain HTTP, so treat the answer as informational only).
if [ "$1" = "-n" ]
then
    ip=$(lynx -dump http://cfaj.freeshell.org/ipaddr.cgi)
else
    if=$1                  ## specify which interface, e.g. eth0, fxp0
    system=$(uname)
    case $system in
        FreeBSD) sep="inet " ;;
        Linux)   sep="inet " ;;   ## older net-tools prints "inet addr:", handled below
    esac
    temp=$(ifconfig "$if")
    temp=${temp#*"$sep"}   ## drop everything up to the first IPv4 line
    ip=${temp%% *}         ## the first word after it is the address
    ip=${ip#addr:}         ## strip the "addr:" prefix of old Linux ifconfig
fi

printf "%s\n" "$ip"

### CFAJ ###

by emran

Squid restrict file Extensions using time slot

9:52 pm in CentOS, Linux by emran

Create two ACLs, one for the time slot and one for the file extensions.

#vi /etc/squid/squid.conf

Add the following ("filetime" is the time ACL, "blockfile" the ACL for the file types to restrict; keep comments on their own lines):

# 09:00-13:00 every day
acl filetime time 09:00-13:00
# extension match: escape the dot, anchor at the end, -i for case-insensitive
acl blockfile url_regex -i \.(iso|exe|ini|gz|tar|zip|tgz|bz2|bin|rar)$
# deny the blocked file types only during the time slot
http_access deny blockfile filetime

Put the http_access deny line before any http_access allow rule that matches the same clients, since Squid stops at the first matching rule. Note that the $ anchor is defeated by a trailing query string or fragment (setup.exe?dl=1); append ([?#].*)? before the $ if that matters.

#/etc/init.d/squid reload
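Because url_regex is an extended regular expression, the patterns can be exercised offline with grep -E before touching squid.conf. The following is an added example, not part of the original post: it compares the unescaped pattern from the original post, the corrected one, and a variant that also covers query strings, against constructed URLs, and checks the time slot the same way the time ACL does. Function names and the sample URLs are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: test Squid url_regex patterns
# and the time window offline.

UNESCAPED='(.iso|.exe|.gz)$'    # as written in the post: "." matches any character
STRICT='\.(iso|exe|ini|gz|tar|zip|tgz|bz2|bin|rar)$'
HARDENED='\.(iso|exe|ini|gz|tar|zip|tgz|bz2|bin|rar)([?#].*)?$'

# matches REGEX URL -> 0 if Squid would consider the URL a match (-i as in the ACL)
matches() { printf '%s\n' "$2" | grep -Eiq "$1"; }

# to_min HH:MM -> minutes since midnight (leading zero stripped so 09 is not read as octal)
to_min() {
    h=${1%%:*}; m=${1##*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# in_window HH:MM START END -> 0 when the time falls inside "acl ... time START-END"
in_window() {
    t=$(to_min "$1"); s=$(to_min "$2"); e=$(to_min "$3")
    [ "$t" -ge "$s" ] && [ "$t" -le "$e" ]
}
```

The unescaped pattern denies http://example.com/bugz (the "ugz" tail satisfies ".gz$"), the strict one lets http://example.com/setup.exe?dl=1 through, and only the hardened one treats both correctly; the time check mirrors the 09:00-13:00 slot so rule changes can be sanity-tested before a reload.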

by emran

Adding custom route on Debian network script

9:48 pm in CentOS, Debian, Fedora, FreeBSD, Linux by emran

Add the following line inside the iface stanza of the connected hardware interface (eth0 here) in /etc/network/interfaces:

up route add -net 172.22.0.0 netmask 255.255.254.0 gw 192.168.15.101 dev eth0

The route is added each time the interface is brought up. Now restart the network service:

#/etc/init.d/networking restart