[Freeswitch-users] ACL: auth_calls + apply-inbound-acl/auth-acl

Anatoli me at anatoli.ws
Thu Nov 23 21:48:15 UTC 2017


Hi Vallimamod,

Thanks a lot for your detailed explanation, sure it helps! It would be 
great to add these details to the documentation (not sure whom to ask 
about this). IMO the behavior you describe can't be inferred from the 
current documentation and it deals with security/authentication.

Could you please explain what would be the effect of auth-calls=true + 
auth-acl=<ip_range>?
I suppose if the IP matches, it goes through the digest auth. If the IP 
doesn't match, sofia responds with 403 forbidden, right?

Thanks,
Anatoli

*From:* Vallimamod Abdullah
*Sent:* Tuesday, November 21, 2017 09:35
*To:* Freeswitch Users Help
*Subject:* Re: [Freeswitch-users] ACL: auth_calls + 
apply-inbound-acl/auth-acl

Hi,

Your mail is dense; I will try to answer as best I can from my understanding of the source code:

- the default value for auth-call is false.

- When a call arrives, the apply-inbound-acl is checked first:
   * If the IP is approved by the acl, the access is granted
   * If the IP is rejected by the acl and auth-call is false, sofia responds with 403 forbidden (I skip the proxy-acl and X-AUTH-IP checks for simplicity)
   * If the IP is rejected by the acl and auth-call is true, it falls back to digest auth.

- If accept-blind-auth is set with auth-call, freeswitch only checks if the From user is defined in directory. If so, user is authorized (without any password check)

- If auth-call is set without the acl, the call goes through digest authentication

- If neither is set, the call is accepted.

In your case, even if you can define directly a cidr in the apply-inbound-acl param value, it would be best to set it to a list name defined in autoload_configs/acl.conf.xml.

Hope this helps!
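
The setup recommended at the end of the reply above, sketched as an added example that is not part of the original thread: a named list in autoload_configs/acl.conf.xml referenced from the Sofia profile, with the outcomes described in the reply noted as comments. The list name `trusted_gateways`, the profile name and the CIDR values (documentation ranges) are assumptions; the parameter is written `auth-calls`, the spelling used in the question.

```xml
<!-- autoload_configs/acl.conf.xml (fragment, constructed example) -->
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <!-- Hypothetical list name. default="deny": any source address not
         matched by an allow node below is rejected by this ACL. -->
    <list name="trusted_gateways" default="deny">
      <node type="allow" cidr="192.0.2.0/24"/>
      <node type="allow" cidr="198.51.100.10/32"/>
    </list>
  </network-lists>
</configuration>

<!-- Sofia profile (fragment, constructed example; profile name assumed) -->
<profile name="internal">
  <settings>
    <!-- Checked first. A source IP approved by the list is granted access
         without a digest challenge. -->
    <param name="apply-inbound-acl" value="trusted_gateways"/>

    <!-- Per the reply above:
         true  : a source IP rejected by the ACL falls back to digest auth.
         false : a source IP rejected by the ACL gets 403 Forbidden. -->
    <param name="auth-calls" value="true"/>

    <!-- Per the reply above, setting this to true together with auth-calls
         makes FreeSWITCH check only that the From user exists in the
         directory, with no password check. Kept false here so the fallback
         is a real digest challenge. -->
    <param name="accept-blind-auth" value="false"/>
  </settings>
</profile>
```

After changing acl.conf.xml, `reloadacl` from fs_cli reloads the network lists. With this layout, the only hosts that skip the password check are the ones listed in `trusted_gateways`, so that list is the thing to review when auditing who can place unauthenticated calls.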

