Previously, we discussed preventing outbound calls from FreePBX by using two methods: Misc Applications and outbound routes. There are also (at least) two ways to allow outgoing calls using a whitelist, i.e. allowing calls only to the numbers specified.
The first one is extremely simple, and I can already hear you saying "Duh!". But sometimes the answer to a problem is staring us right in the face and we miss it anyway. So at the risk of insulting some of you, and hopefully enlightening some of you, here it is: Password protect your outbound routes. Yes, extremely primitive - but it works! Password protect those routes that you don't want your users calling, and just leave the others unprotected. This will allow for an environment where you have very tight control over outbound calls.
The second way to restrict outbound calls is much more sophisticated and allows for refined control of which extensions/users are restricted and which aren't (obviously without the use of a password). One of the goals of this method is to restrict the outbound calls but nothing else. This method keeps all other FreePBX applications available to the restricted user: Voice Mail, Conferences, Paging, Call Forwarding, etc. will all be available. The only thing restricted will be outgoing calls.
The first step is to segregate the restricted context from the other users. Start by opening /etc/asterisk/extensions_custom.conf and adding the following context:
[from-internal-restricted]
#exec /var/lib/asterisk/bin/restricted.sh
The next step is to make sure Asterisk will 'follow' the 'exec'. Open /etc/asterisk/asterisk.conf and make sure you have a line that reads:
execincludes=yes ; support #exec in config files
(specifically, ensure there is no ; at the beginning of the line). Next, download this script and save it to /var/lib/asterisk/bin/restricted.sh. Now create /etc/asterisk/whitelist and add a list of numbers that you want whitelisted. Here's a helpful hint: you can add a space and a description after the number so that you remember whose number it is and why it's there. Here's an example:
2125551212 bob
6565552121 marry
4264441212 bill
The last step is to place any extension that you want restricted into the restricted context. In FreePBX, click Extensions -> select the extension -> and scroll down to the context option. Append -restricted to the text and click submit.
Finally, from the Linux CLI, type amportal chown and reload the Asterisk dialplan in your usual way, either by clicking the orange reload bar in FreePBX or by entering dialplan reload from the Asterisk CLI.
Now, try to place a call from your restricted context - it should be blocked! The way this works is as follows: when you reload Asterisk, it executes the restricted.sh script and includes its output in the dialplan (dynamically). The script reads the FreePBX-generated dialplan and copies the entire from-internal-additional dialplan into our custom context (well, not the entire dialplan per se - just the includes. For more on how this works, see my previous articles on this site). It then reads the numbers listed in your whitelist file and creates routes for them as Local channels (which are callable by restricted extensions, as they can call all internal extensions). Cool, eh?
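As an added illustration (not the restricted.sh linked above, and not FreePBX project code), the following sketch produces the kind of output that paragraph describes. It assumes the generated dialplan is a file such as extensions_additional.conf, that outbound routes are reached through an include named outbound-allroutes, and it accepts digits-only whitelist entries so that stray text in the file cannot become dialplan.

```shell
#!/bin/sh
# Illustrative generator, NOT the restricted.sh linked from the post.
# Assumed: outbound routes hang off "include => outbound-allroutes" in
# FreePBX's generated [from-internal-additional] context.

gen_restricted() {
    dialplan=$1    # FreePBX-generated dialplan file
    whitelist=$2   # one "number description" per line

    # 1. Copy the includes of [from-internal-additional], minus outbound routes,
    #    so voicemail, conferences, paging etc. stay reachable.
    awk '
        /^\[/ { in_ctx = ($0 == "[from-internal-additional]"); next }
        in_ctx && /^include[ \t]*=>/ && !/outbound-allroutes/ { print }
    ' "$dialplan"

    # 2. One Local-channel route per whitelisted number. The text is pasted
    #    into the dialplan, so accept digits only and drop everything else.
    while read -r number _desc || [ -n "$number" ]; do
        case $number in
            ''|';'*|'#'*) continue ;;                      # blank or comment
            *[!0-9]*) echo "invalid whitelist entry skipped" >&2; continue ;;
        esac
        echo "exten => $number,1,Dial(Local/$number@from-internal)"
    done < "$whitelist"
}

# Constructed sample input, written to a temp dir so the demo runs offline.
demo() {
    d=$(mktemp -d)
    cat > "$d/extensions_additional.conf" <<'EOF'
[from-internal-additional]
include => ext-local
include => app-dialvm
include => outbound-allroutes
exten => h,1,Hangup
[outbound-allroutes]
include => outrt-001-main
EOF
    printf '%s\n' '2125551212 bob' '6565552121 marry' \
        '100,1,Playback(x) bad' > "$d/whitelist"
    gen_restricted "$d/extensions_additional.conf" "$d/whitelist"
    rm -rf "$d"
}
demo
```

Because Asterisk runs whatever #exec points at on every reload, the script and the whitelist file should be writable only by the account that administers the PBX.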
Got another way to restrict outgoing calls? Let's hear about it in the comments!
Moshe Brevda, FreePBX Development Team
lazytt - FreePBX forums
hi365 - IRC
18 comments:
moshe, just a quick observation - in the code fragment you show the context as [from-internal-restricted] but in the "last step" you tell folks to append -custom to the existing from-internal context. from-internal-restricted is not the same as from-internal-custom, therefore unless my comprehension is totally shot due to lack of sleep, I suspect you may want to change one of those.
Also, I was wondering, can you add patterns to the whitelist as well as numbers, or can you only whitelist individual numbers?
wiseoldowl: Thanks! I've updated the post. To answer your question: if you change this line in the script:
echo "exten => $number,1,Dial(Local/$number@from-internal)"
to:
# the backslash stops the shell from expanding ${EXTEN}; Asterisk fills it in at call time
echo "exten => $number,1,Dial(Local/\${EXTEN}@from-internal)"
You *should* be able to use pattern matching. Let us know if it works for you!
moshe: My alternative to doing this is described in this post: http://www.freepbx.org/forum/freepbx/users/a-different-approach-to-placing-outgoing-calling-restrictions-on-certain-extensi
But I have a feeling some users will prefer your way of doing it, while others might prefer mine. And in any case, I could not have got mine to work without your tip re: variable inheritance.
Actually, I wish they'd incorporate something like this in FreePBX. Seems like it would be simple (well, simple if you know anything about the innards of FreePBX, which I don't). In the extension setup you could include a field called "restriction group" (similar to pickup group, etc.) which would take a number. In the route setup you could add a similar field except it would take multiple entries (more than one number). If a call was placed from a restricted extension it would set a variable equal to the restriction group number. The route processing logic would then check to see if any of the restriction groups specified for it matched the restriction group of the calling extension, if you have a match then the call gets blocked.
For whitelisting you'd then just create another outbound route, listing only the whitelisted numbers in the Dial Patterns, and not specifying any restriction groups (and you'd place that route higher in priority).
Possibly you could include a checkbox, "Skip route if restricted", allowing the possibility of the extension "falling through" to a lower priority route if restrictions are in effect on the first route tried. I don't know if this would be possible under existing FreePBX logic.
One interesting thing I found on my method of doing this: If the restriction is in effect and you play a message to the caller, such as:
exten => _.,n,playback(feature-not-avail-line)
exten => _.,n,Hangup
Then the message plays and the hangup takes place. But if you add the ,noanswer option to the playback statement, e.g.
exten => _.,n,playback(feature-not-avail-line,noanswer)
Then it completely blows by the Hangup statement and goes on to complete the call! It's not a big issue to omit the .noanswer tag (I don't think) but once again it's something I don't understand. I wonder what is ambiguous about Hangup?
Moshe,
I've followed your exact instructions in order to restrict some extensions from making outgoing calls. However, I didn't succeed. In fact, what happened is, I am unable to apply any changes at all. This occurred when I executed the amportal chown command. On the FreePBX I get: [FATAL] Cannot write Queues configurations Failed creating/overwriting Queues extensions file: /etc/asterisk/queues_additional.conf
My knowledge in Linux Sucks. Would you please guide me thru. I guess its a permission issue.
P.S. I log in as root to the system.
Regards,
BigJay
Jonatan
While your issue is better suited for the FreePBX forums (as it is unrelated to the blog post), I would suggest you try one of the following:
chown asterisk:asterisk /etc/asterisk/queues_additional.conf
or
rm -f /etc/asterisk/queues_additional.conf
followed by a reload of FreePBX.
I hope that helps. Otherwise try posting here: http://freepbx.org/forums . Good luck!
Hello and thanks for the great info on the Blog.
I'm using FreePBX 2.5.1.0 and fluent in LINUX.
I followed the instructions and could not get this to work. The extension works until I set the context to from-internal-restricted. I monitor the Asterisk CLI with asterisk -vvvvvvvvr and nothing happens with the context set to from-internal-restricted. It appears like the extension context can only be set to from-internal and NOT from-internal-restricted.
My extensions_custom.conf contains the following:
[from-internal-custom]
include => from-internal-restricted
[from-internal-restricted]
#exec /var/lib/asterisk/bin/restricted.sh
Thanks Mark S
Mark, thank you for your comment. You need to remove
[from-internal-custom]
include => from-internal-restricted
Also, you need to change the extension's context from the FreePBX GUI.
Good luck!
Moshe,
Thanks, this looks great. The thing is that the moment I put an extension in the context from-internal-restricted, no outgoing calls are possible and in the logfile I see:
NOTICE[10492] chan_sip.c: Call from '1260' to extension '1060' rejected because extension not found.
Don't forget to reload Asterisk.
Moshe,
Thanks, but I checked and rechecked all settings, but the moment I put an extension in "from-internal-restricted" ALL phone calls from that extension give the error "NOTICE[10492] chan_sip.c: Call from '1260' to extension '1060' rejected because extension not found." But I am still able to call the extension.
What can I do?
Henk, I would suggest that you remove any dialplan that you added, and try again.
Moshe, thanks again. Took all outbound routes out, but still no dice.
I now tried what wiseoldowl wrote on: http://www.freepbx.org/forum/freepbx/users/a-different-approach-to-placing-outgoing-calling-restrictions-on-certain-extensi and that seems to do the trick.
I get the same error as henk:
[Jul 6 08:27:41] NOTICE[4337] chan_sip.c: Call from '300' to extension '201' rejected because extension not found.
Anyone have any ideas?
Hello Moshe,
Could you please verify if the same instructions are valid for Trixbox 2.8.0 ?
I have followed your instructions however found that they work on the 2.6 trixbox but not the 2.8.
Need your kind assistance to make them work for 2.8 TB as well.
toufic: These instructions are for FreePBX.
Moshe,
That explains why it is working on TB 2.6 (FreePBX) and not on TB 2.8.
How can we make it work for the 2.8? They are using asterisk 1.6
You would probably need to hire a developer to have a look at it for you.
Moshe....I followed the steps above BUT, the phone that I test can't dial out at all, I get a "404 error not found" for ANY number that I dial.
I tried the unsupported CUSTOM CONTEXTS module, and found that it works BEAUTIFULLY, but is restricted in the DIAL RULES box to 104 numbers....and I find that this is more of a WHITELIST module for OUTBOUND ROUTES rather than specific numbers (as WISEOLDOWL had pointed out to me).....now I'm trying to see if I can simply put 1,000 or so numbers in the DIAL plan and see if that works.....
might you have any suggestions, or should I just go ahead and put the numbers in the DIAL PLAN? and test for some sort of limitation? I am using Trixbox 2.6.1...