Allmon3 has Allow/Deny lists for node connections.
Is there an Allow/Deny list for Web Transceiver connections?
If not is there another method for making a whitelist/blacklist for web transceiver connections?
I think you are referring to ASL3, not Allmon3.
A Web Transceiver has no node number. It is a call sign.
To deny all web transceiver connections, disable in self service portal for that node.
While I have never tried it,
I think you can put the callsign in the deny/allow list.
I guess it depends on if a deny list handles the call sign
as a callerid(name) or cid(number)
Have you tried it ?
I'd like to hear something official on this.
I have a whitelist node running on ASL3, which still accepts WT connections.
Yes, I know I can disable WT entirely by removing the allstar-public context or just having it hang up (this is more effective than turning off WT support in the portal, because some clients ignore that, but it would affect all nodes on a system.)
In my particular case, I actually do want a node that normal ASL users can't connect to, such that all the WT related stuff is sent to this node, but I think most people would expect whitelists and blacklists to work the same way they normally do regardless of the context.
If I have an open node, but I want to blacklist a call sign (WT uses calls, not node numbers,) to my knowledge, I can't do it without modifying the existing dialplan when the blacklist is enabled for that node. Sure, I can add the call to the blacklist for that node, in all caps, as it is shown in the node list, but it doesn't seem to work for WT connections.
The dialplan for the allstar-public context suggests that it should work, but I don't understand the logic well enough to know why it doesn't.
Using the Asterisk CLI (asterisk -r) I watched the messages of an incoming WT connection. As you noted, all looks to flow through [allstar-public] and while there is a ;exten => ... ; Not in whitelist comment I didn't see any access list checks.
So, to my eyes, it looks like changes would be needed to extend the allow/deny checks to the WT connections.
It would be good for someone to create a GitHub : app_rpt issue. Even better would be a pull request with the needed changes
I think all you need is a change of the dialplan
for the deny list, add a line under this one
same => n(denylist),GotoIf(${DB_EXISTS(denylist/${EXTEN}/${CALLERID(num)})}?:connect) ;don't goto connect
That uses the cid (NAME) and not cid (NUMBER) as cid (num) would be blank.
same => n(denylist),GotoIf(${DB_EXISTS(denylist/${EXTEN}/${CALLERID(name)})}?:connect) ;don't goto connect
And put those callsigns in the list.
Did not test it. Not set-up for WT at home.
So, still only a theory.
Yes that is twice the work checking the same list with different methods, but it should work till some amends can be made in the code.
At the same time this goto label would need to change in that added line. Perhaps removed.
Perhaps should read
same => n,GotoIf(${DB_EXISTS(denylist/${EXTEN}/${CALLERID(name)})}?:connect) ;don't goto connect
The whole thing might look like this... for allow/deny checks with callsign from WT
[radio-secure]
;exten => ${NODE},1,rpt(${EXTEN})
exten => _XXXX!,1,NoOp(Connect from node: ${CALLERID(num)})
same => n,NoOp(Connect to: ${EXTEN})
;same => n,NoOp(The IAXPEER is ${IAXPEER(CURRENTCHANNEL)})
same => n,NoOp(The Channel IP is ${CHANNEL(peerip)})
;If channel IP eq localhost go to connect
same => n,GotoIf($["${CHANNEL(peerip)}" = "127.0.0.1"]?connect)
;If allowlist/extension doesn't exist check the denylist
same => n,GotoIf($[${DB_KEYCOUNT(allowlist/${EXTEN})} = 0]?denylist) ;goto denylist
;If allowlist/extension/callerid exists go to connect
same => n,GotoIf(${DB_EXISTS(allowlist/${EXTEN}/${CALLERID(num)})}?connect) ;goto connect
same => n,GotoIf(${DB_EXISTS(allowlist/${EXTEN}/${CALLERID(name)})}?connect) ;goto connect-WT
same => n,NoOp(${EXTEN} not in allowlist, Hangup)
same => n,Hangup
;If denylist/extension/callerID doesn't exist goto connect
same => n(denylist),GotoIf(${DB_EXISTS(denylist/${EXTEN}/${CALLERID(num)})}?:connect) ;don't goto connect
same => n,GotoIf(${DB_EXISTS(denylist/${EXTEN}/${CALLERID(name)})}?:connect) ;don't goto connect WT
same => n,NoOp(${EXTEN} is in denylist, Hangup)
same => n,Hangup
same => n(connect),rpt(${EXTEN})
same => n,Hangup
If anyone cares to test this.
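An added model (not part of the thread or of the ASL3 code) of the allow/deny branch in the [radio-secure] sketch above, following Asterisk's GotoIf rule that an omitted label means "continue with the next priority". Traced that way, the two chained `?:connect` tests hang up only when both the number and the name are in the deny list. The set-backed AstDB, node 1999, the callers and the function names are assumptions made for illustration; the localhost shortcut is left out.

```python
# Constructed AstDB contents as "family/key" paths (sample values only).
ASTDB = {"denylist/1999/2000", "denylist/1999/N0CALL"}

def db_exists(path):
    """Model of DB_EXISTS(): true when the key is present."""
    return path in ASTDB

def db_keycount(family):
    """Model of DB_KEYCOUNT(): number of keys under a family."""
    return sum(1 for key in ASTDB if key.startswith(family + "/"))

def allowlist_verdict(exten, num, name):
    """Shared allow-list part: None means 'no allow list, check deny list'."""
    if db_keycount(f"allowlist/{exten}") == 0:
        return None
    listed = (db_exists(f"allowlist/{exten}/{num}")
              or db_exists(f"allowlist/{exten}/{name}"))
    return "connect" if listed else "hangup"

def posted_flow(exten, num, name):
    """Deny-list priorities exactly as written in the sketch."""
    verdict = allowlist_verdict(exten, num, name)
    if verdict is not None:
        return verdict
    # n(denylist): number not listed -> jump to connect, name never checked
    if not db_exists(f"denylist/{exten}/{num}"):
        return "connect"
    # reached only when the number IS listed: unlisted name -> connect
    if not db_exists(f"denylist/{exten}/{name}"):
        return "connect"
    return "hangup"

def either_match_flow(exten, num, name):
    """Hypothetical ordering: a hit on number OR name ends the call."""
    verdict = allowlist_verdict(exten, num, name)
    if verdict is not None:
        return verdict
    denied = (db_exists(f"denylist/{exten}/{num}")
              or db_exists(f"denylist/{exten}/{name}"))
    return "hangup" if denied else "connect"

# (CALLERID(num), CALLERID(name)) pairs, constructed for the comparison.
CALLERS = [("2000", "X0XXX"), ("0", "N0CALL"), ("2001", "X0XXX")]

def compare(exten="1999"):
    return [(n, c, posted_flow(exten, n, c), either_match_flow(exten, n, c))
            for n, c in CALLERS]

if __name__ == "__main__":
    for row in compare():
        print(*row)
```

In dialplan terms, the either-match ordering corresponds to jumping to a hangup label when the number test succeeds, rather than falling through to the name test.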
Did you mean to share [radio-secure] ? or a revised [allstar-public] ?
I got the current from git
The dialplan was all I was concerned with no matter the current stanza.
OR
post it as corrected. If it has been verified to work anyway.
Something else to be aware of is that the asl3-menu, node edit submenu for editing the allow or deny lists only allows numeric values to be entered. The node-setup script needs to change to allow A-Z, etc characters to be entered. In the meantime, one can manually add/del entries using the asterisk database command.
Echolink node numbers can also be managed in the allow/deny lists, since echolink.conf specifies context = radio-secure.
My modified [allstar-public] segment in extensions.conf for web transceiver access is below. It is somewhat based on [radio-secure].
David, WD5M
[allstar-public]
exten => s,1,Ringing
same => n,Set(RESP=${CURL(https://register.allstarlink.org/cgi-bin/authwebphone.pl?${CALLERID(name)})})
same => n,Set(NODENUM=${CALLERID(number)})
same => n,GotoIf($["${RESP:0:1}" = "?"]?hangit)
same => n,GotoIf($["${RESP:0:1}" = ""]?hangit)
same => n,GotoIf($["${RESP:0:5}" != "OHYES"]?hangit)
same => n,Set(CALLSIGN=${RESP:5})
same => n,Set(CALLERID(name)=${CALLSIGN})
same => n,Set(CALLERID(num)=0)
;If allowlist/extension doesn't exist check the denylist
same => n,GotoIf($[${DB_KEYCOUNT(allowlist/${NODENUM})} = 0]?denylist) ;goto denylist
;If allowlist/extension/callerid exists go to connect
same => n,GotoIf(${DB_EXISTS(allowlist/${NODENUM}/${CALLERID(name)})}?connect) ;goto connect
same => n,NoOp(${CALLERID(name)} not in allowlist, Hangup)
same => n,Hangup
;If denylist/extension/callerID doesn't exist goto connect
same => n(denylist),GotoIf(${DB_EXISTS(denylist/${NODENUM}/${CALLERID(name)})}?:connect) ;don't goto connect
same => n,NoOp(${CALLERID(name)} is in denylist, Hangup)
same => n,Hangup
same => n(connect),Rpt(${NODENUM}|X)
same => n,Hangup
same => n(hangit),Answer
same => n,Wait(1)
same => n,Hangup
Yea, I would not have thought of that since I don't use the menus.
Yes, the asl3-menu / node-setup menus will need to be modified to allow using WT (and EL) callsigns in the allow / block lists.
Nice. Has this been tested? and have you tested a config that allows (or blocks) both an ASL node and a WT callsign?