Re: [Freeswitch-users] Authenticating end points by IP

2009-12-22 Thread Bill W
Hello Lars,

You can apply any ACL to any profile.  What you should do really depends 
on what you want to accomplish.

But let's take a simple example.  Let's say you want to allow any phone 
on your internal network (192.168.0.0/24) to connect to your internal 
profile and make calls without having to provide a password.

Then you could simply put these entries in your internal sofia profile.




In that case, you do not need to include anything in the directory.  The 
cidr entries in the directory are for providing additional control for 
each user id and what IPs they are allowed to make calls from.

For your external profile, you may not want to have any ACLs at all, as 
you may not want to limit which IPs can connect to your switch to send 
you incoming calls.  BUT, you need to make sure the dialplan connected 
to that external profile doesn't allow anyone to dial numbers that are 
not hosted on your system without proper authentication or controls.

And believe me, people WILL try to do that.  I've set up my system to 
email me whenever this happens and I have logged over 100 attempts to 
dial international numbers just since December 3rd.

Hope this helps,
Bill






Lars Zeb wrote:
> Bill,
> 
> Thanks for your ACL Overview. Perhaps you can help me understand more
> clearly.
> 
> If you include the "local-network-acl" and "apply-inbound-acl" params in the
> sip_profiles and setup the list for "localnet.auto" in acl.conf.xml, does
> this mean you do not have to include the cidr attribute for individual
> extensions in the directory/default folder?
> 
> Is "apply-inbound-acl" supposed to exist in both internal and external
> profiles while "apply-inbound-acl" is only in the internal?
> 
> Thanks, Lars
> 

___
FreeSWITCH-users mailing list
FreeSWITCH-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org


Re: [Freeswitch-users] Authenticating end points by IP

2009-12-21 Thread Bill W
I recently added an overview to this wiki page to help make things more 
clear as to which ACL you need for different purposes.

http://wiki.freeswitch.org/wiki/ACL#Overview

Thanks,
Bill W.


Mathieu Rene wrote:
> Check out: http://wiki.freeswitch.org/wiki/ACL#Users
> 
> It'll automatically add users with a cidr= attribute to the ACL list. 
> This way you can set channel variables in the users and use them through 
> your dialplan, all authenticated by ip address.
> 
> Cheers,
> 
> Mathieu Rene
> Avant-Garde Solutions Inc
> Office: + 1 (514) 664-1044 x100
> Cell: +1 (514) 664-1044 x200
> mr...@avgs.ca



Re: [Freeswitch-users] ACLs through proxy

2009-12-21 Thread Bill W
Hey Metik,

Thank you so much for your assistance on this issue.  I really 
appreciate it.

Yes I agree with you on the mod_xml_curl solution.  However, as I was 
starting to pursue that, I ran into another issue.  It appears as though 
I don't have access to any variables in the xml_curl POST that contain 
the IP of the UA.

The only two variables with IPs (other than the switch IP) are:
sip_contact_host=192.168.0.100
and
ip=64.135.119.105
where the .105 is my proxy. :( Do you know of any way to get additional 
variables into the xml_curl POST?

As far as my current use case, yes, you understand my needs correctly, 
with one slight modification, I want to use the IP acl+Auth with both 
REGISTERs and INVITEs.

And yes, I agree with you that it is better to mitigate at the border, 
but I don't have that kind of infrastructure available yet.

So do you have any other suggestions on a workaround with the xml_curl 
issue?  Or should I include that with my bounty?

Thanks,
Bill


Metik wrote:
> Then it would appear that my original suggestion to use mod_xml_curl 
> would be best for now and you may need to offer a bounty for this 
> feature as others have suggested.  Based on the sofia related snippets 
> presented--I would assume it would be trivial to implement since most of 
> the functionality is already there it just needs to be enhanced for your 
> purpose.  It would also be extremely easy to do this in OpenSIPS as well 
> (using blacklists or avpops). 
> 
> Just so that I understand your dilemma, you want to reject an incoming 
> REGISTER associated with a specific user unless it comes from a fixed 
> location and if it does, you want to simply challenge it as usual to 
> prevent toll fraud?
> 
> I have found that its best to mitigate an attack at ingress before it 
> even makes it to critical infrastructure (media gateways, 
> application/media servers, etc.).
> 
> -metik
> 
> Bill W. wrote:
>> Hey Metik,
>>
>> Yes.  Well, actually, I can have the cidr in two places in the directory.
>>
>> 
>>
>>  
>>
>> From what I understand the cidr= parameter is used in conjunction with
>> the apply-inbound-acl parameter in the sofia profile to just allow
>> someone to make calls from a certain IP without authenticating.
>>
>> And from what I understand the auth-acl= parameter is used to restrict a
>> user to a particular cidr, but the user has to authenticate as well.
>>
>> *The second feature is the one I want to use.*  I want to force users to
>> authenticate, but only allow that authentication from a particular cidr
>> as an added measure against toll fraud.
>>
>> And this appears to be causing the issue.  Because once I specify the
>> auth-acl parameter in the directory, sofia-reg enforces that acl.  And
>> unfortunately it's using the IP of the proxy, not of the user-agent.
>>
>> I looked in sofia.c and found this comment:
>> /*
>>  * if network_ip is a proxy allowed to send calls, check for auth
>>  * ip header and see if it matches against the inbound acl
>> */
>>
>> And this coincides with my testing.
>> I have  in my
>> profile.  I have my proxy sending the X-AUTH-IP header (verified with
>> tcpdump).  And yet the REGISTER is still being denied.
>>
>> So it appears that the apply-proxy-acl is set up to work with the
>> apply-inbound-acl ( to allow users from an IP without authenticating)
>>
>> But that hasn't been carried over to sofia_reg.c, which appears to
>> simply check the IP of who FreeSWITCH is talking to against the auth-acl
>> cidr specified in the directory. (Line 1926)
>>
>> So I guess the question is, is my analysis correct?
>>
>> Thoughts anyone?
>>
>> Thanks,
>> Bill
>>
>>
>>
>>
>>
>>
>> Metik wrote:
>>   
>>> Bill,
>>>
>>> I think you would add this to the user profile in the directory. The 
>>> "brian.xml" example (located in ${confdir}/directory/) provided with the 
>>> default/sample configuration files demonstrates how to do this by 
>>> introducing a "cidr" attribute to the "user" element.
>>>
>>> Example:
>>>
>>> 
>>> 
>>>   
>>>   
>>> 
>>> 
>>>   
>>> 
>>>   
>>>
>>> "http://wiki.freeswitch.org/wiki/Acl" contains some great info 
>>> (including a relevant example).
>>>
>>> -metik
>>>
>>> 
>> ___
>> FreeSWITCH-users

Re: [Freeswitch-users] ACLs through proxy

2009-12-19 Thread Bill W.
Hey Metik,

Yes.  Well, actually, I can have the cidr in two places in the directory.


   
 

From what I understand the cidr= parameter is used in conjunction with
the apply-inbound-acl parameter in the sofia profile to just allow
someone to make calls from a certain IP without authenticating.

And from what I understand the auth-acl= parameter is used to restrict a
user to a particular cidr, but the user has to authenticate as well.

*The second feature is the one I want to use.*  I want to force users to
authenticate, but only allow that authentication from a particular cidr
as an added measure against toll fraud.

And this appears to be causing the issue.  Because once I specify the
auth-acl parameter in the directory, sofia-reg enforces that acl.  And
unfortunately it's using the IP of the proxy, not of the user-agent.

I looked in sofia.c and found this comment:
/*
 * if network_ip is a proxy allowed to send calls, check for auth
 * ip header and see if it matches against the inbound acl
*/

And this coincides with my testing.
I have  in my
profile.  I have my proxy sending the X-AUTH-IP header (verified with
tcpdump).  And yet the REGISTER is still being denied.

So it appears that the apply-proxy-acl is set up to work with the
apply-inbound-acl ( to allow users from an IP without authenticating)

But that hasn't been carried over to sofia_reg.c, which appears to
simply check the IP of who FreeSWITCH is talking to against the auth-acl
cidr specified in the directory. (Line 1926)

So I guess the question is, is my analysis correct?

Thoughts anyone?

Thanks,
Bill






Metik wrote:
> Bill,
> 
> I think you would add this to the user profile in the directory. The 
> "brian.xml" example (located in ${confdir}/directory/) provided with the 
> default/sample configuration files demonstrates how to do this by 
> introducing a "cidr" attribute to the "user" element.
> 
> Example:
> 
> 
> 
>   
>   
> 
> 
>   
> 
>   
> 
> "http://wiki.freeswitch.org/wiki/Acl" contains some great info 
> (including a relevant example).
> 
> -metik
> 

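The decision flow discussed in this thread, as an added example model written for this page; it is not FreeSWITCH code and not code posted by anyone in the thread. It covers both Bill's ACL overview (a phone in the internal network range is admitted through apply-inbound-acl without a password) and his analysis of apply-proxy-acl and the per-user auth-acl: X-AUTH-IP is honoured only when the packet arrives from a host in the proxy ACL, and the honour_proxy_header switch reproduces the behaviour he reports, where the user ACL is compared against the last hop. The Decision names, the ACL contents, the user name "1000" and the 203.0.113.7 attacker address are constructed; the proxy and user addresses are the ones quoted in the thread.

```python
"""Model of IP-based SIP authorization with a trusted proxy in the path.

Added example for this page; not FreeSWITCH code. It models three decision
points discussed in the thread: apply-inbound-acl (allow without challenge),
apply-proxy-acl with an X-AUTH-IP header (substitute the endpoint address),
and the per-user auth-acl from the directory (forbid if the source does not
match). Names, ACL contents and the request data are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW_NO_AUTH = "allow without challenge"   # source matched the inbound ACL
    CHALLENGE = "challenge for credentials"     # source acceptable; still needs a password
    FORBIDDEN = "forbidden"                     # source failed the user's auth-acl


def ip_in_acl(ip: str, acl: list[str]) -> bool:
    """True if ip falls inside any CIDR in acl (a bare host address counts as /32 or /128)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in acl)


@dataclass
class Profile:
    inbound_acl: list[str] = field(default_factory=list)   # apply-inbound-acl
    proxy_acl: list[str] = field(default_factory=list)     # apply-proxy-acl


@dataclass
class User:
    name: str
    auth_acl: list[str] = field(default_factory=list)      # per-user auth-acl (directory)


def effective_source_ip(network_ip: str, headers: dict, profile: Profile) -> str:
    """Return the address authorization should be based on.

    X-AUTH-IP is honoured only when the packet came from a host in proxy_acl;
    any client can write arbitrary headers, so a header from anyone else is
    ignored. Header names are compared case-insensitively. A malformed header
    from a trusted proxy falls back to the network address rather than failing.
    """
    if ip_in_acl(network_ip, profile.proxy_acl):
        for name, value in headers.items():
            if name.lower() == "x-auth-ip":
                try:
                    ipaddress.ip_address(value.strip())
                except ValueError:
                    break
                return value.strip()
    return network_ip


def authorize(network_ip: str, headers: dict, profile: Profile, user: User,
              honour_proxy_header: bool = True) -> Decision:
    """Decide what to do with a REGISTER or INVITE before credentials are verified.

    honour_proxy_header=False reproduces the behaviour reported in the thread,
    where the user ACL was compared against the last hop (the proxy) only.
    """
    src = effective_source_ip(network_ip, headers, profile) if honour_proxy_header else network_ip
    if ip_in_acl(src, profile.inbound_acl):
        return Decision.ALLOW_NO_AUTH
    if user.auth_acl and not ip_in_acl(src, user.auth_acl):
        return Decision.FORBIDDEN
    return Decision.CHALLENGE


# Constructed scenario: one profile, one user locked to a single public /32.
PROFILE = Profile(inbound_acl=["192.168.0.0/24"], proxy_acl=["64.135.119.105/32"])
USER = User("1000", auth_acl=["190.218.97.83/32"])


def demo() -> dict[str, Decision]:
    """Run the scenarios discussed in the thread and return each decision by name."""
    proxied = {"X-AUTH-IP": "190.218.97.83"}
    return {
        # LAN phone: inbound ACL matches, no password needed
        "lan_phone": authorize("192.168.0.50", {}, PROFILE, USER),
        # endpoint behind the proxy; the proxy adds the endpoint address
        "via_proxy": authorize("64.135.119.105", proxied, PROFILE, USER),
        # same request, but the user ACL is checked against the proxy address
        "via_proxy_last_hop_only": authorize("64.135.119.105", proxied, PROFILE, USER,
                                             honour_proxy_header=False),
        # attacker talks to the switch directly and forges the header
        "forged_header": authorize("203.0.113.7", proxied, PROFILE, USER),
        # endpoint connecting directly from its permitted address
        "direct_ok": authorize("190.218.97.83", {}, PROFILE, USER),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:25s} -> {decision.value}")
```

The forged_header case is the reason the proxy ACL has to gate the header lookup: without it, anyone who can reach the switch directly could satisfy a user's auth-acl by writing the permitted address into X-AUTH-IP.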


Re: [Freeswitch-users] ACLs through proxy

2009-12-18 Thread Bill W.

Hey Metik,

Thanks so much for your insights and your help.  And yes, I was able to
append the X-AUTH-IP header with no problem.   But that didn't solve the
issue.  After some more research, it appears that the problem isn't with
auth-calls at all.

I disabled all auth-call directives in every sip profile and the
registration through a proxy is still being rejected.

I looked in sofia_reg.c and if auth_acl is defined, sofia_reg checks the
ip variable against the auth_acl cidr.

if (auth_acl) {
    /* compare the address the request arrived from against the user's auth-acl */
    if (!switch_check_network_list_ip(ip, auth_acl)) {
        switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
                          "IP %s Rejected by user acl %s\n", ip, auth_acl);
        ret = AUTH_FORBIDDEN;
        goto end;
    }
}

So I guess the question is, is it possible to control what gets put into
the ip variable?

Thanks,
Bill


Metik wrote:
> Honestly, several years ago I accomplished this by mod'ing SER (which 
> became OpenSER which was then forked to OpenSIPS and Kamailio) and using 
> one cluster of proxies for subscriber endpoints and another for 
> infrastructure (so that I could keep RTP flows optimized yet support 
> double NAT when required by an endpoint). Although the network looks 
> different today.
> 
> However, we were never quite happy about the lack of media failover 
> (complicated NAT) and evaluated several commercial solutions until 
> finding Covergence (which is now, for better or for worse since the jury 
> is still out, owned by ACME Packet).  At the time, they offered the best 
> mix of security (their forte) yet scaled very well in comparison to 
> their competitors that I had tested in our lab (ACME Packet, Kagoor, 
> Netrake, NexTone, Kagoor, and Jasomi).  In fact, they made a great 
> decision, not unlike that of the FS developers, to implement a 
> proven/stable SIP protocol stack.  Nothing is perfect and that does not 
> mean that we did not spend a considerable amount of time documenting 
> bugs so that they could be addressed and it would work as it should.
> 
> We still use OpenSIPS for certain CSCF functionality (due to its speed 
> and flexibility since it is not a B2BUA).
> 
> Based on Mathieu's response (and he is definitely someone that would 
> know), it looks like you should be able to easily append a X-AUTH-IP 
> header (via OpenSIPS) containing the IP address of the endpoint and call 
> it a day.
> 
> -metik
> 
> 
> Bill W wrote:
>> Hey Metik,
>>
>> That's exactly what I'm trying to do... load balance across multiple FS 
>> boxes, and have any machine in the cluster be able to reach a device 
>> behind a NAT firewall.  Hence the need for the proxy.  Also, I'm trying 
>> to keep the proxy relatively "dumb" and put all the logic in the FS boxes.
>>
>> True I could do the auth on the proxies as well, but then I'm setting up 
>> another authentication scheme in addition to what is on the FS boxes, 
>> and then integrating the databases so everything is consistent.
>>
>> I also have hosts that talk to the FS boxes directly, rather than 
>> through the proxy.  So I can't get rid of auth_acl on FS either, even if 
>> I do implement it on the proxies.   So my setup becomes much more 
>> complex and potentially brittle.
>>
>> And all we're really talking about for FreeSWITCH, conceptually 
>> speaking, is populating a variable with a different IP.  We could even 
>> make it configurable, as to which IP is to be used for the auth-acl.
>>
>> What are you using for SBCs? (if you are allowed to divulge that)  I'm 
>> currently using OpenSIPS for my proxy.
>>
>> Thanks,
>> Bill
>>
>> Metik wrote:
>>   
>>> Why not simply implement this feature in the PROXY itself?
>>>
>>> FS has a pretty comprehensive security feature set for endpoints that 
>>> directly register with it.
>>>
>>> Don't get me wrong, I do agree this is useful especially if you are 
>>> going to be using your proxies to load balance across multiple FS boxes 
>>> to create an ad-hoc cluster.  I actually have session border controllers 
>>> that have this feature and use it quite often.
>>>
>>> -metik
>>>
>>> Bill W wrote:
>>> 
>>>> Hey Metik,
>>>>
>>>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>>>
>>>> I guess I'll have to do that in the short term, but in my opinion, having 
>>>> auth-acl be able to work through a proxy is very important as it is a 
>>>> vital part of a c

Re: [Freeswitch-users] ACLs through proxy

2009-12-18 Thread Bill W
Hello Mathieu,

I assumed that apply-proxy-acl was a modifier of auth-calls, so in my 
quick tests I just hard-coded the UA IP in the profile.


 

And I get:
2009-12-18 09:14:28.250929 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 
Rejected by user acl 190.218.97.83/32

Where 64.135.119.105 is the IP of my proxy.  And actually this is a 
REGISTER, not an INVITE.

I did a tcpdump, and I'm not seeing the X-AUTH-IP header in the register 
packet.

I will be incommunicado for the rest of today, but when I get back 
online, I'll see if I can get my proxy to add the X-AUTH-IP to the 
REGISTER packet and see if that makes a difference.


Thanks for your help!
Bill


Mathieu Rene wrote:
>  From looking at sofia.c, if the ip address of the caller is in apply- 
> proxy-acl, it'll look for the X-AUTH-IP header in the INVITE packet,  
> and use that one for authentication.
> Is that what you did in your previous tests?
> 
> Mathieu Rene
> Avant-Garde Solutions Inc
> Office: + 1 (514) 664-1044 x100
> Cell: +1 (514) 664-1044 x200
> mr...@avgs.ca
> 
> 
> 
> 
> On 17-Dec-09, at 11:02 PM, Bill W wrote:
> 
>> Hey Metik,
>>
>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>
>> I guess I'll have to do that in the short term, but in my opinion,  
>> having
>> auth-acl be able to work through a proxy is very important as it is a
>> vital part of a comprehensive security feature set.  And it would be
>> much simpler to implement from an end-user perspective than the
>> alternative of doing it in xml_curl.
>>
>> As a matter of fact, I'm considering offering a bounty for that  
>> feature.
>>  What is the going rate for that kind of thing?
>>
>> Is anyone out there interested in coding this feature? Or chipping in
>> for the bounty?
>>
>>
>> Thanks,
>> Bill
>>
>>
>> Metik wrote:
>>> This may be difficult considering that ACL needs to consider the
>>> original src IP/URI.  To do that it, freeswitch would need to do so
>>> using a header that retains that information (i.e. From, Via,  
>>> Contact,
>>> etc.). Which I do not believe is currently possible using auth-acl or
>>> apply-proxy-acl.
>>>
>>> However, you should be able to emulate the behavior using  
>>> mod_xml_curl
>>> (and validating against appropriate variables available when using  
>>> it to
>>> authenticate the request).
>>>
>>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>>
>>> -metik
>>>
>>>
>>> Bill W wrote:
>>>> Hey Brian,
>>>>
>>>>
>>>> I've been doing some testing and I am unable to get auth-calls to  
>>>> work
>>>> through a proxy the way I want them to, even with setting
>>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>>
>>>> I have a multi-tenant system with multiple domains with multiple  
>>>> users
>>>> in each domain.  And I want to restrict a user to an arbitrary  
>>>> CIDR and
>>>> challenge them for a password.  The arbitrary CIDR will vary from  
>>>> UA to
>>>> UA, and is specified in the directory via the auth-acl parameter.
>>>>
>>>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint,  
>>>> not of
>>>> the proxy.
>>>>
>>>>
>>>> Thanks,
>>>> Bill
>>>>
>>>> Brian West wrote:
>>>>
>>>>> it needs to be an ACL from acl.conf or a ip/cidr
>>>>>
>>>>> /b
>>>>>
>>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>>
>>>>>
>>>>>> Okay, I added:  to  
>>>>>> my sofia
>>>>>> profile and restarted sofia, and still no joy.
>>>>>>
>>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>>> I've got  in
>>>>>> the directory, but I'm still being rejected by the acl:
>>>>>>
>>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP  
>>>>>> 64.135.119.105
>>>>>> Rejected by user acl 190.218.103.12/32
>>>>>>
>>>>>> Here's what I believe is the appropriate snippet of the debug  
>>>>>> output:
>>>>>> http://pastebin.freeswitch.org/11531
>>>>>>
>>>>>

Re: [Freeswitch-users] ACLs through proxy

2009-12-17 Thread Bill W
Hey Metik,

That's exactly what I'm trying to do... load balance across multiple FS 
boxes, and have any machine in the cluster be able to reach a device 
behind a NAT firewall.  Hence the need for the proxy.  Also, I'm trying 
to keep the proxy relatively "dumb" and put all the logic in the FS boxes.

True I could do the auth on the proxies as well, but then I'm setting up 
another authentication scheme in addition to what is on the FS boxes, 
and then integrating the databases so everything is consistent.

I also have hosts that talk to the FS boxes directly, rather than 
through the proxy.  So I can't get rid of auth_acl on FS either, even if 
I do implement it on the proxies.   So my setup becomes much more 
complex and potentially brittle.

And all we're really talking about for FreeSWITCH, conceptually 
speaking, is populating a variable with a different IP.  We could even 
make it configurable, as to which IP is to be used for the auth-acl.

What are you using for SBCs? (if you are allowed to divulge that)  I'm 
currently using OpenSIPS for my proxy.

Thanks,
Bill

Metik wrote:
> Why not simply implement this feature in the PROXY itself?
> 
> FS has a pretty comprehensive security feature set for endpoints that 
> directly register with it.
> 
> Don't get me wrong, I do agree this is useful especially if you are 
> going to be using your proxies to load balance across multiple FS boxes 
> to create an ad-hoc cluster.  I actually have session border controllers 
> that have this feature and use it quite often.
> 
> -metik
> 
> Bill W wrote:
>> Hey Metik,
>>
>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>
>> I guess I'll have to do that in the short term, but in my opinion, having 
>> auth-acl be able to work through a proxy is very important as it is a 
>> vital part of a comprehensive security feature set.  And it would be 
>> much simpler to implement from an end-user perspective than the 
>> alternative of doing it in xml_curl.
>>
>> As a matter of fact, I'm considering offering a bounty for that feature. 
>>   What is the going rate for that kind of thing?
>>
>> Is anyone out there interested in coding this feature? Or chipping in 
>> for the bounty?
>>
>>
>> Thanks,
>> Bill
>>
>>
>> Metik wrote:
>>   
>>> This may be difficult considering that ACL needs to consider the 
>>> original src IP/URI.  To do that it, freeswitch would need to do so 
>>> using a header that retains that information (i.e. From, Via, Contact, 
>>> etc.). Which I do not believe is currently possible using auth-acl or 
>>> apply-proxy-acl. 
>>>
>>> However, you should be able to emulate the behavior using mod_xml_curl  
>>> (and validating against appropriate variables available when using it to 
>>> authenticate the request).
>>>
>>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>>
>>> -metik
>>>
>>>
>>> Bill W wrote:
>>> 
>>>> Hey Brian,
>>>>
>>>>
>>>> I've been doing some testing and I am unable to get auth-calls to work 
>>>> through a proxy the way I want them to, even with setting 
>>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>>
>>>> I have a multi-tenant system with multiple domains with multiple users 
>>>> in each domain.  And I want to restrict a user to an arbitrary CIDR and 
>>>> challenge them for a password.  The arbitrary CIDR will vary from UA to 
>>>> UA, and is specified in the directory via the auth-acl parameter.
>>>>
>>>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint, not of 
>>>> the proxy.
>>>>
>>>>
>>>> Thanks,
>>>> Bill
>>>>
>>>> Brian West wrote:
>>>>   
>>>>   
>>>>> it needs to be an ACL from acl.conf or a ip/cidr
>>>>>
>>>>> /b
>>>>>
>>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>>
>>>>> 
>>>>> 
>>>>>> Okay, I added:  to my sofia 
>>>>>> profile and restarted sofia, and still no joy.
>>>>>>
>>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>>> I've got  in 
>>>>>> the directory, but I'm still being rejected by the acl:
>>>>>>
>>>>>> 2009-12-17 06

Re: [Freeswitch-users] ACLs through proxy

2009-12-17 Thread Bill W
Hey Metik,

Thanks for the reply, and the pointers for doing it with xml_curl.

I guess I'll have to do that in the short term, but in my opinion, having 
auth-acl be able to work through a proxy is very important as it is a 
vital part of a comprehensive security feature set.  And it would be 
much simpler to implement from an end-user perspective than the 
alternative of doing it in xml_curl.

As a matter of fact, I'm considering offering a bounty for that feature. 
  What is the going rate for that kind of thing?

Is anyone out there interested in coding this feature? Or chipping in 
for the bounty?


Thanks,
Bill


Metik wrote:
> This may be difficult considering that ACL needs to consider the 
> original src IP/URI.  To do that it, freeswitch would need to do so 
> using a header that retains that information (i.e. From, Via, Contact, 
> etc.). Which I do not believe is currently possible using auth-acl or 
> apply-proxy-acl. 
> 
> However, you should be able to emulate the behavior using mod_xml_curl  
> (and validating against appropriate variables available when using it to 
> authenticate the request).
> 
> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
> 
> -metik
> 
> 
> Bill W wrote:
>> Hey Brian,
>>
>>
>> I've been doing some testing and I am unable to get auth-calls to work 
>> through a proxy the way I want them to, even with setting 
>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>
>> I have a multi-tenant system with multiple domains with multiple users 
>> in each domain.  And I want to restrict a user to an arbitrary CIDR and 
>> challenge them for a password.  The arbitrary CIDR will vary from UA to 
>> UA, and is specified in the directory via the auth-acl parameter.
>>
>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint, not of 
>> the proxy.
>>
>>
>> Thanks,
>> Bill
>>
>> Brian West wrote:
>>   
>>> it needs to be an ACL from acl.conf or a ip/cidr
>>>
>>> /b
>>>
>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>
>>> 
>>>> Okay, I added:  to my sofia 
>>>> profile and restarted sofia, and still no joy.
>>>>
>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>> I've got  in 
>>>> the directory, but I'm still being rejected by the acl:
>>>>
>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 
>>>> Rejected by user acl 190.218.103.12/32
>>>>
>>>> Here's what I believe is the appropriate snippet of the debug output:
>>>> http://pastebin.freeswitch.org/11531
>>>>
>>>> Thoughts?
>>>> Thanks,
>>>> Bill
>>>>   



Re: [Freeswitch-users] ACLs through proxy

2009-12-17 Thread Bill W
Hey Brian,


I've been doing some testing and I am unable to get auth-calls to work 
through a proxy the way I want them to, even with setting 
apply-proxy-acl to either the endpoint IP or the proxy IP.

I have a multi-tenant system with multiple domains with multiple users 
in each domain.  And I want to restrict a user to an arbitrary CIDR and 
challenge them for a password.  The arbitrary CIDR will vary from UA to 
UA, and is specified in the directory via the auth-acl parameter.

TL;DR: I want to get auth-calls to use the IP of the UA endpoint, not of 
the proxy.


Thanks,
Bill

Brian West wrote:
> it needs to be an ACL from acl.conf or a ip/cidr
> 
> /b
> 
> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
> 
>> Okay, I added:  to my sofia 
>> profile and restarted sofia, and still no joy.
>>
>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>> I've got  in 
>> the directory, but I'm still being rejected by the acl:
>>
>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 
>> Rejected by user acl 190.218.103.12/32
>>
>> Here's what I believe is the appropriate snippet of the debug output:
>> http://pastebin.freeswitch.org/11531
>>
>> Thoughts?
>> Thanks,
>> Bill



Re: [Freeswitch-users] ACLs through proxy

2009-12-17 Thread Bill W
Okay, I added:  to my sofia 
profile and restarted sofia, and still no joy.

I'm on FreeSWITCH Version 1.0.trunk (15764)
I've got  in 
the directory, but I'm still being rejected by the acl:

2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 
Rejected by user acl 190.218.103.12/32

Here's what I believe is the appropriate snippet of the debug output:
http://pastebin.freeswitch.org/11531

Thoughts?
Thanks,
Bill

Brian West wrote:
> use "apply-proxy-acl" on the sofia profile.
> 
> /b
> 
> On Dec 15, 2009, at 10:58 PM, Bill W wrote:
> 
>> However, having the proxy in the path effectively negates using IP  
>> based
>> ACLS.

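An added example, written for this page and not taken from the thread or from FreeSWITCH, that triages the "Rejected by user acl" warnings Bill quotes above. The warning format is the one in his log excerpt; the log lines themselves are constructed, as is the KNOWN_PROXIES list, which stands for the operator's own proxy or load balancer. Rejections whose source is a known proxy are reported as the misconfiguration described in the thread (the user ACL being compared against the proxy address), while an unknown host rejected against several different user ACLs is flagged as a probable probe of the kind Bill says he gets alerted on.

```python
"""Triage FreeSWITCH 'Rejected by user acl' warnings.

Added example for this page; not from the thread or from FreeSWITCH.
It parses warning lines in the format quoted in the thread and separates
rejections whose source is a known SIP proxy (a sign that the user ACL is
being compared against the proxy's address) from rejections of unknown hosts.
SAMPLE_LOG and KNOWN_PROXIES are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Matches the warning format quoted in the thread, e.g.
# 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.103.12/32
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[WARNING\] sofia_reg\.c:\d+ IP (?P<ip>\S+) "
    r"Rejected by user acl (?P<acl>\S+)$"
)

# Assumption: the operator's proxy/load balancer (the address quoted in the thread).
KNOWN_PROXIES = ["64.135.119.105/32"]

# Constructed log excerpt: two rejections that arrived via the proxy, one unrelated
# line, and one unknown host being rejected against three different user ACLs.
SAMPLE_LOG = """\
2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.103.12/32
2009-12-17 06:05:01.120000 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.97.83/32
2009-12-17 06:07:30.000000 [NOTICE] some unrelated line
2009-12-17 06:09:12.500000 [WARNING] sofia_reg.c:1928 IP 198.51.100.23 Rejected by user acl 190.218.97.83/32
2009-12-17 06:09:13.500000 [WARNING] sofia_reg.c:1928 IP 198.51.100.23 Rejected by user acl 190.218.103.12/32
2009-12-17 06:09:14.500000 [WARNING] sofia_reg.c:1928 IP 198.51.100.23 Rejected by user acl 203.0.113.9/32
"""


def parse_rejections(text):
    """Yield (timestamp, source_ip, user_acl) for every matching warning line."""
    for line in text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("acl")


def is_known_proxy(ip, proxies=KNOWN_PROXIES):
    """True if ip falls inside one of the trusted proxy CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in proxies)


def triage(text, proxies=KNOWN_PROXIES, probe_threshold=3):
    """Bucket rejections by what they most likely mean.

    Returns {"misconfig": {proxy_ip: count}, "rejections": {other_ip: count},
    "probes": [ips]} where a probe is any non-proxy source rejected against at
    least probe_threshold distinct user ACLs, which looks like enumeration of
    accounts rather than one misconfigured phone.
    """
    per_source = Counter()
    acls_per_source = {}
    proxy_hits = Counter()
    for _ts, ip, acl in parse_rejections(text):
        if is_known_proxy(ip, proxies):
            proxy_hits[ip] += 1
        else:
            per_source[ip] += 1
            acls_per_source.setdefault(ip, set()).add(acl)
    probes = sorted(ip for ip, acls in acls_per_source.items() if len(acls) >= probe_threshold)
    return {"misconfig": dict(proxy_hits), "rejections": dict(per_source), "probes": probes}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in result["misconfig"].items():
        print(f"{ip}: {n} rejections, but this is a trusted proxy; the user ACL is "
              f"being checked against the proxy address, not the endpoint")
    for ip in result["probes"]:
        print(f"{ip}: rejected against several different user ACLs; possible enumeration")
```

Run it against a real log with triage(open("freeswitch.log").read()); the threshold is the only tuning knob, and it should be set above the number of accounts a single legitimate device would ever register.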


Re: [Freeswitch-users] ACLs through proxy

2009-12-16 Thread Bill W
That's fantastic!   FreeSWITCH ROCKS!

I'll update the wiki.

Thanks,
Bill



Brian West wrote:
> use "apply-proxy-acl" on the sofia profile.
> 
> /b
> 
> On Dec 15, 2009, at 10:58 PM, Bill W wrote:
> 
>> However, having the proxy in the path effectively negates using IP  
>> based
>> ACLS.



[Freeswitch-users] ACLs through proxy

2009-12-15 Thread Bill W
Hi All,

I have a FreeSWITCH cluster behind an OpenSIPS proxy/load balancer, and 
I'd like to be able to use the auth-calls feature in my sip profile in 
conjunction with the  
parameter in the directory.

In addition to running the INVITEs through the load balancer, I also 
need to run the REGISTERs through the load balancer because some of my 
endpoints are behind NAT firewalls, and therefore won't accept incoming 
calls from IPs other than the IP they registered to.  INVITEs from the 
cluster going to registered endpoints are sent back through the proxy, 
thereby solving the NAT problem.

However, having the proxy in the path effectively negates using IP based 
ACLS.

The functionality I require is as follows:
1. Only allow registration if the endpoint IP matches its own unique 
acl CIDR (specified in the directory).

2. Only accept INVITEs from endpoints that authenticate AND match the 
acl CIDR (again, specified in the directory).

Does anyone have any recommendations on the best way to get the 
auth-calls functionality using an IP other than the IP of the last hop?

If not, how hard would it be to add a feature to the auth-calls 
parameter to accept a channel variable from which to obtain the actual 
endpoint IP?



Thanks!
Bill

