[Freeswitch-users] Reject SIP registrations

Kurtis Heimerl kheimerl at cs.berkeley.edu
Tue Jun 28 03:11:33 MSD 2011


Anyhow, here are those three config files:

internal.xml : http://pastebin.freeswitch.org/16609
acl.conf.xml : http://pastebin.freeswitch.org/16610
1300.xml : http://pastebin.freeswitch.org/16611

If anything else could help, I'd love to share it.

The basic story, so far as I see, is that I allow specific IPs through
the ACL. Somehow this is allowing ANY SIP username to register, rather
than just those defined (such as 1300). Any help would be appreciated.

On Mon, Jun 27, 2011 at 1:30 PM, Kurtis Heimerl
<kheimerl at cs.berkeley.edu> wrote:
> It's enabled in the acl.conf.xml file, using CIDR.
>
> What conf files do you consider relevant? acl.conf.xml, internal.xml,
> a profile or two, anything else?
>
> On Mon, Jun 27, 2011 at 1:26 PM, David Ponzone <david.ponzone at ipeva.fr> wrote:
>> The interesting question is then: why are you able to register without
>> password, if this feature is not enabled on the profile...
>> Perhaps you should recap your config once more, and put the relevant files
>> on PB.
>> David Ponzone  Direction Technique
>> email: david.ponzone at ipeva.fr
>> tel:      01 74 03 18 97
>> gsm:   06 66 98 76 34
>> Service Client IPeva
>> tel:      0811 46 26 26
>> www.ipeva.fr  -   www.ipeva-studio.com
>>
>> On 27/06/2011 at 20:36, Kurtis Heimerl wrote:
>>
>> That would explain why removing them didn't do anything!
>>
>> Thanks.
>>
>> On Mon, Jun 27, 2011 at 6:25 AM, Steven Ayre <steveayre at gmail.com> wrote:
>>
>> Just so you know...
>>
>>      <param name="accept-blind-reg" value="true"/>
>>      <param name="accept-blind-auth" value="true"/>
>>
>> These will have no effect in the user directory. They only apply to SIP
>> profiles.
>>
>> -Steve
>>
>> On 27 June 2011 02:23, Kurtis Heimerl <kheimerl at cs.berkeley.edu> wrote:
>>
>> Hello FS Users!
>>
>> I'm trying to create the following setup. When a user registers, if
>> they register on a known account (let's say X), they do not need a
>> password. X's registration is immediately OK'd, and everything is
>> great. I've gotten that working using the ACL. The IP addresses of our
>> SIP clients are added through cidr and the clients do not need to give
>> passwords.
>>
>> However, for some reason, if another account that does not exist in
>> the directory (let's say Y) registers, FS returns with a 200 OK,
>> instead of rejecting Y. I'm trying to figure out why this is the case,
>> and how to remedy that fact.
>>
>> I have the following line in my internal.xml file, which I had assumed
>> would force this function:
>>
>>   <!-- Force the user and auth-user to match. -->
>>   <param name="inbound-reg-force-matching-username" value="true"/>
>>
>> However, it does not work. In my directory, each individual account has
>> the following lines:
>>
>>  <user id="1303">
>>    <params>
>>      <param name="accept-blind-reg" value="true"/>
>>      <param name="accept-blind-auth" value="true"/>
>>      <param name="vm-password" value="1000"/>
>>    </params>
>>
>> Though I've found that removing it (from all users in the directory)
>> doesn't help.
>>
>> I'm primarily concerned with the line in internal.xml; it seems
>> possible that the fact that we do not have an auth-user (because we do
>> not require auth) means that this won't work. However, I have yet to
>> test that hypothesis. The ACL has been the most confusing aspect of
>> this installation, with a lot of undocumented aspects, and I get the
>> nagging feeling this is another. I could very well be wrong though.
>>
>> Thanks for any direction.
>>
>> _______________________________________________
>> Join us at ClueCon 2011, Aug 9-11, Chicago
>> http://www.cluecon.com 877-7-4ACLUE
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
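
An added example, not part of the original thread and not the poster's pastebin files: a small audit of the settings discussed above that let a REGISTER through without a digest challenge. The sample XML is constructed; `apply-register-acl` is a stock FreeSWITCH profile parameter that the thread does not name, and its presence in the poster's profile is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration (not the files from the thread).
PROFILE_XML = """
<profile name="internal">
  <settings>
    <param name="apply-register-acl" value="domains"/>
    <param name="inbound-reg-force-matching-username" value="true"/>
  </settings>
</profile>
"""
DIRECTORY_XML = """
<domain name="example.invalid">
  <user id="1303" cidr="192.0.2.10/32">
    <params>
      <param name="accept-blind-reg" value="true"/>
      <param name="accept-blind-auth" value="true"/>
    </params>
  </user>
</domain>
"""
BLIND = ("accept-blind-reg", "accept-blind-auth")

def params(node):
    # Map param name -> value for every <param> element below node.
    return {p.get("name"): p.get("value", "") for p in node.iter("param")}

def audit(profile_xml, directory_xml):
    """Return findings about settings that bypass auth on REGISTER."""
    findings = []
    profile = ET.fromstring(profile_xml)
    settings, name = params(profile), profile.get("name")
    for key in BLIND:  # these only take effect at profile level
        if settings.get(key, "").lower() == "true":
            findings.append(f"profile {name}: {key}=true accepts without credentials")
    acl = settings.get("apply-register-acl")
    if acl:  # source IPs matching this ACL are not challenged
        findings.append(f"profile {name}: REGISTER from ACL '{acl}' skips the auth challenge")
    for user in ET.fromstring(directory_xml).iter("user"):
        for key in BLIND:  # per the reply above: no effect in the user directory
            if key in params(user):
                findings.append(f"user {user.get('id')}: {key} is ignored in the directory")
        if user.get("cidr"):  # address-based trust, independent of the username sent
            findings.append(f"user {user.get('id')}: cidr {user.get('cidr')} is a trusted source")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PROFILE_XML, DIRECTORY_XML)))
```

Each finding marks a place where trust is granted by source address or blanket setting rather than by credentials, which is the combination to review when unknown usernames receive a 200 OK.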


