[Freeswitch-users] Enabling extensions with passwords and limiting network access via acls (Was: Confusing SIP auth failure logging message?)

Simon J Mudd sjmudd at pobox.com
Wed Feb 9 02:06:43 MSK 2011


sjmudd at pobox.com (Simon J Mudd) writes:

> I don't think I got a definitive answer to the question I posed before:
> 
> sjmudd at pobox.com (Simon J Mudd) writes:
> 
> ...
> 
> > That is I have an Asterisk configuration which I am trying to
> > migrate from and can easily configure in sip.conf:
> > 
> > [1000]
> > username=1000
> > type=friend
> > secret=1234567890
> > context=xxxxxx
> > host=dynamic
> > registersip=yes
> > deny=0.0.0.0/0.0.0.0
> > permit=88.100.50.0/255.255.255.0  -- this is not a real network range but you get the idea.
> > nat=yes
> > call-limit=1
> > ...
> > 
> > This specifies a user for registration who:
> > (1) must provide a password
> > (2) can only register from the given network range
> > (3) is only allowed to make 1 call at a time
> 
> I see that there are ways to implement (3) though it seems that's more on
> a per gateway basis than a per extension basis. That's ok.
> 
> What really interests me is implementing (1) _and_ (2) together.  Is this
> possible? If not it would certainly be a nice new feature.

Yes, it is. I finally figured that I need something like:

=== snip 1000.xml ===
<include>
  <user id="1000">
    <params>
      <param name="password" value="$${default_password}"/>
      <param name="vm-password" value="1000"/>
      <!-- limit this extension to be used from network 10.1.2.0/24 -->
      <!-- <param name="auth-acl" value="10.1.2.0/24"/> -->
    </params>
    <variables>
      <variable name="toll_allow" value="domestic,international,local"/>
      <variable name="accountcode" value="1000"/>
      <variable name="user_context" value="default"/>
      <variable name="effective_caller_id_name" value="Extension 1000"/>
      <variable name="effective_caller_id_number" value="1000"/>
      <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
      <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
      <variable name="callgroup" value="techsupport"/>
    </variables>
  </user>
</include>
==== snip ====

So thanks. That's good.

Can this somehow be done at a global level in directory/default.xml in
the <params> section?  It would be nice to comment these options in both
places so they are easier to find and apply if needed.

> Perhaps the default FreeSWITCH configuration should limit access to
> the default extensions to be registered only from the networks defined
> in localnet.auto.  This reduces exposure to external bad
> software.

So an option like <param name="auth-acl" value="localnet.auto"/> would
be a nice option to have as this is safe and "auto-configure" at the
same time. In fact it seems that this also works:

I have 2 phones configured to register, one configured with the
IP-based ACL, the other with the name-based ACL.

2011-02-09 00:01:18.332336 [DEBUG] sofia_reg.c:2370 IP [10.1.2.35] passed ACL check [localnet.auto]
2011-02-09 00:01:18.361773 [DEBUG] sofia_reg.c:2370 IP [10.1.2.35] passed ACL check [10.1.2.0/24]

That's even better. _Please_ add this to the default configuration
files, even if it's commented out, as it makes it easy to see how to
tighten down on the config if that is wanted.

Simon
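As an added illustration (not part of the original post or of FreeSWITCH itself), here is a small Python check that reads a directory user entry like the one above, confirms that a password and an auth-acl are set, and replicates the "passed ACL check" decision from the log lines for a given REGISTER source address. The named list `localnet.auto` is assumed here to expand to 10.1.2.0/24 (the range seen in the logs); in a real system FreeSWITCH derives it from the host's own interfaces, so the mapping below is a constructed stand-in.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the user entry from the post, with the auth-acl
# line enabled (the original has it commented out).
USER_XML = """
<include>
  <user id="1000">
    <params>
      <param name="password" value="$${default_password}"/>
      <param name="vm-password" value="1000"/>
      <param name="auth-acl" value="localnet.auto"/>
    </params>
  </user>
</include>
"""

# Assumed expansion of named ACLs (stand-in for acl.conf.xml / localnet.auto).
NAMED_ACLS = {
    "localnet.auto": ["10.1.2.0/24"],
}

def user_params(xml_text):
    """Return {name: value} for every <param> under <user>/<params>."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value")
            for p in root.findall("./user/params/param")}

def acl_allows(acl, ip):
    """Does `acl` (a bare CIDR or a named list) admit `ip`?
    Mirrors the 'IP [...] passed ACL check [...]' decision in the log."""
    addr = ipaddress.ip_address(ip)
    networks = NAMED_ACLS.get(acl, [acl])   # unknown name -> treat as CIDR
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def audit_user(xml_text, source_ip):
    """Report whether the user requires a password, which auth-acl applies,
    and whether a REGISTER from source_ip would pass that ACL.
    A missing auth-acl is reported as 'not allowed' so it stands out."""
    params = user_params(xml_text)
    acl = params.get("auth-acl")
    return {
        "password_required": bool(params.get("password")),
        "auth_acl": acl,
        "register_allowed": acl is not None and acl_allows(acl, source_ip),
    }
```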