Hey Metik,

Yes. Well, actually, I can have the cidr in two places in the directory.

<user cidr="190.218.97.83/32" id="testphone01">
  <params>
    <param name="auth-acl" value="190.218.97.83/32"></param>
  </params>
</user>

From what I understand the cidr= parameter is used in conjunction with the apply-inbound-acl parameter in the sofia profile to just allow someone to make calls from a certain IP without authenticating.

And from what I understand the auth-acl= parameter is used to restrict a user to a particular cidr, but the user has to authenticate as well.

*The second feature is the one I want to use.* I want to force users to authenticate, but only allow that authentication from a particular cidr as an added measure against toll fraud.

And this appears to be causing the issue. Because once I specify the auth-acl parameter in the directory, sofia-reg enforces that acl. And unfortunately it's using the IP of the proxy, not of the user-agent.

I looked in sofia.c and found this comment:

/*
 * if network_ip is a proxy allowed to send calls, check for auth
 * ip header and see if it matches against the inbound acl
 */

And this coincides with my testing. I have <param name="apply-proxy-acl" value="ip_of_proxy"/> in my profile. I have my proxy sending the X-AUTH-IP header (verified with tcpdump). And yet the REGISTER is still being denied.

So it appears that the apply-proxy-acl is set up to work with the apply-inbound-acl (to allow users from an IP without authenticating). But that hasn't been carried over to sofia_reg.c, which appears to simply check the IP of who FreeSWITCH is talking to against the auth-acl cidr specified in the directory. (Line 1926)

So I guess the question is, is my analysis correct? Thoughts anyone?

Thanks,
Bill

Metik wrote:
> Bill,
>
> I think you would add this to the user profile in the directory. The
> "brian.xml" example (located in ${confdir}/directory/) provided with the
> default/sample configuration files demonstrates how to do this by
> introducing a "cidr" attribute to the "user" element.
>
> Example:
>
> <user id="7105551212" cidr="127.0.0.0/8">
>   <params>
>     <param name="password" value="opensaysme"/>
>     <param name="vm-password" value="14916"/>
>   </params>
>   <variables>
>     <variable name="user_context" value="default"/>
>   </variables>
> </user>
>
> "http://wiki.freeswitch.org/wiki/Acl" contains some great info
> (including a relevant example).
>
> -metik
>
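
The behaviour the message asks for, as an added example that is not FreeSWITCH code and not part of the original post: the auth-acl is tested against the X-AUTH-IP value only when the packet's source address is inside the proxy ACL, and against the source address in every other case. The function names, the IPv4-only matching and the proxy address 192.0.2.10 are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if dotted-quad ip is inside "a.b.c.d/len"; 0 otherwise or on any parse error. */
static int cidr_match(const char *ip, const char *cidr)
{
    char net[INET_ADDRSTRLEN], *end;
    struct in_addr a, n;
    const char *slash = strchr(cidr, '/');
    size_t len = slash ? (size_t)(slash - cidr) : strlen(cidr);
    long bits = 32;
    uint32_t mask;

    if (!ip || len >= sizeof(net)) return 0;
    memcpy(net, cidr, len);
    net[len] = '\0';
    if (slash) {
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32) return 0;
    }
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, net, &n) != 1) return 0;
    mask = bits ? htonl(0xFFFFFFFFu << (32 - bits)) : 0;
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/* Hypothetical helper: use the X-AUTH-IP value only when the packet came from
 * the trusted proxy; from any other source the header is ignored. */
static const char *effective_ip(const char *network_ip, const char *x_auth_ip,
                                const char *proxy_acl)
{
    if (x_auth_ip && *x_auth_ip && cidr_match(network_ip, proxy_acl)) return x_auth_ip;
    return network_ip;
}

/* The directory's auth-acl is then tested against that effective address. */
static int auth_acl_allows(const char *network_ip, const char *x_auth_ip,
                           const char *proxy_acl, const char *auth_acl)
{
    return cidr_match(effective_ip(network_ip, x_auth_ip, proxy_acl), auth_acl);
}

int main(void)
{   /* Constructed sample: proxy 192.0.2.10, user pinned to 190.218.97.83/32. */
    printf("%d\n", auth_acl_allows("192.0.2.10", "190.218.97.83", "192.0.2.10/32", "190.218.97.83/32"));
    printf("%d\n", auth_acl_allows("203.0.113.5", "190.218.97.83", "192.0.2.10/32", "190.218.97.83/32"));
    return 0;
}
```

Passing no header with the proxy as source reproduces the denial described in the message, because the proxy's own address is what gets compared with the user's cidr.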