<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Courier;
        panose-1:2 7 4 9 2 2 5 2 4 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Times New Roman","serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Thanks for the
reply, Michael.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>I tried the
digest authentication using the cidr and copying the conf/sip_profiles/internal.xml
from the distribution, where<o:p></o:p></span></p>
<p class=MsoNormal style='text-indent:.5in'><span style='font-size:11.0pt;
color:#1F497D'>&lt;param name="apply-inbound-acl" value="domains"/&gt;<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>As a result,
one endpoint could not register and another was unauthorized.</span><span
style='font-size:11.0pt;color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt'><a
href="http://pastebin.freeswitch.org/11634">http://pastebin.freeswitch.org/11634</a><o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Then I went and
changed the context in internal.xml from public to default and<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>&lt;param
name="apply-inbound-acl" value="192.168.10.0/24"/&gt; &lt;param
name="apply-register-acl" value="192.168.10.0/24"/&gt;<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>And the phones
registered OK. So my confusion persists.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Lars<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> freeswitch-users-bounces@lists.freeswitch.org
[mailto:freeswitch-users-bounces@lists.freeswitch.org] <b>On Behalf Of </b>Michael
Collins<br>
<b>Sent:</b> Thursday, December 24, 2009 11:00 AM<br>
<b>To:</b> freeswitch-users@lists.freeswitch.org<br>
<b>Subject:</b> Re: [Freeswitch-users] Local call uses public context?<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Lars,<br>
<br>
Since this question has come up a few times I'm going to write up a nice wiki
article on it explaining the differences between letting someone in via an ACL
and actually doing digest authentication. In a nutshell, though, it's this: if
the user does digest authentication (with the whole REGISTER, 401, REGISTER,
200 OK exchange) then whatever value is in user_context is the context for the
calls made by that user. In conf/directory/default/1000.xml (and 1001.xml,
etc.) they all have user_context = "default" so when those users
register the calls they make are handled in the default context. OTOH, if you
let a user in via an ACL they aren't really registered, you've simply opened
the door for anyone coming from a particular IP address or IP address range. In
that case the calls are handled in the context specified by the context
parameter of the sip profile where the calls come in. By default the internal
sip profile uses the public context. This is for security reasons. "Paranoid
by default" is how you might describe it. You are welcome to change that
value to "default" so that calls let in by the ACL are handled just
like auth'd calls.<br>
<br>
Play around with it and let us know how it goes. I think you'll get it once you
start modifying settings and making test calls.<br>
<br>
-MC<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Dec 24, 2009 at 8:16 AM, Lars Zeb &lt;<a
href="mailto:larclap@yahoo.com">larclap@yahoo.com</a>&gt; wrote:<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Brian,</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Please forgive my slowness, but I’m
still having problems with this. When you say that I “really didn’t auth the
user”, did you mean the endpoint/extension?</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>If you did, I upped to svn1 16055 and
placed a cidr attribute on the extension and reran the test, resulting in the
same output, going to context public.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Further, I’m confused about your
response about ACL compared with Billy W in an email of 12/22/2009.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:11.0pt;color:#1F497D'>“…you could
simply put these entries in your internal sofia profile.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:11.0pt;color:#1F497D'>&lt;param
name="apply-inbound-acl" value="192.168.0.0/24"/&gt; &lt;param
name="apply-register-acl" value="192.168.0.0/24"/&gt;</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:11.0pt;color:#1F497D'>In that case,
you do not need to include anything in the directory. The cidr entries in
the directory are for providing additional control for each user id and what
IPs they are allowed to make calls from.”</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a
href="http://pastebin.freeswitch.org/11633" target="_blank">http://pastebin.freeswitch.org/11633</a><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Linux fs 2.6.18-128.1.10.el5 #1 SMP Thu
May 7 10:39:21 EDT 2009 i686 i686 i386 GNU/Linux</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Thanks Lars</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid windowtext 1.5pt;padding:0in 0in 0in 4.0pt;
border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color blue'>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'> <a
href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a>
[mailto:<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org"
target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a>] <b>On Behalf
Of </b>Brian West<br>
<b>Sent:</b> Wednesday, December 23, 2009 6:03 PM<br>
<b>To:</b> <a href="mailto:freeswitch-users@lists.freeswitch.org"
target="_blank">freeswitch-users@lists.freeswitch.org</a><br>
<b>Subject:</b> Re: [Freeswitch-users] Local call uses public context?</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:8.5pt;font-family:"Courier New";color:#333333'>2009-12-23 15:00:01.955357 [DEBUG] sofia.c:5322 IP 192.168.10.105 Approved
by acl "192.168.10.0/24[]". Access Granted.</span><o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:8.5pt;font-family:Courier;color:#333333'>Because the context
is set on the profile as public... and you really didn't auth the user so
user_context was never set.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:8.5pt;font-family:Courier;color:#333333'>/b</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On
Dec 23, 2009, at 7:49 PM, Lars Zeb wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><o:p> </o:p></p>
<div>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt'>I am trying to setup a second FS box from scratch
using v16048.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt'>What can cause a local call (81002, or 9996) to use
context public? It’s a standard vanilla install.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt'><a href="http://pastebin.freeswitch.org/11629"
target="_blank">http://pastebin.freeswitch.org/11629</a></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt'>Thanks, Lars</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:13.5pt'>_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users"
target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a
href="http://lists.freeswitch.org/mailman/options/freeswitch-users"
target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a></span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
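<p class=MsoNormal>The context rule described in Michael's reply, as an added example that is not part of the original thread and not FreeSWITCH code: a simplified Python model that reads a profile's context and apply-inbound-acl values, reports which context would handle a call, and flags an ACL that admits unauthenticated callers into a non-public context. The helper names (make_profile, call_context, audit) and the sample profiles are constructed for illustration, and only raw CIDR ACL values are resolved.</p>

```python
import ipaddress
import xml.etree.ElementTree as ET

def make_profile(context, acl):
    """Build a constructed sofia profile (settings/param elements) as XML text."""
    prof = ET.Element("profile", name="internal")
    settings = ET.SubElement(prof, "settings")
    ET.SubElement(settings, "param", name="context", value=context)
    ET.SubElement(settings, "param", name="apply-inbound-acl", value=acl)
    return ET.tostring(prof, encoding="unicode")

# Constructed samples: the thread's ACL with the stock "public" context,
# and the same ACL after the context was changed to "default".
PROFILE_PUBLIC = make_profile("public", "192.168.10.0/24")
PROFILE_DEFAULT = make_profile("default", "192.168.10.0/24")

def load_profile(xml_text):
    """Return (context, [apply-inbound-acl values]) from a sofia profile."""
    params = [(p.get("name"), p.get("value"))
              for p in ET.fromstring(xml_text).iter("param")]
    context = next((v for n, v in params if n == "context"), None)
    return context, [v for n, v in params if n == "apply-inbound-acl"]

def acl_covers(acl, ip):
    """True when a raw CIDR value covers ip. Named lists (e.g. "domains")
    are defined elsewhere and are not resolved by this sketch."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(acl, strict=False)
    except ValueError:
        return False

def call_context(xml_text, source_ip, digest_user_context=None):
    """Context handling a call. digest_user_context is the user's user_context
    when the digest exchange completed, or None when it never took place."""
    context, acls = load_profile(xml_text)
    if digest_user_context is not None:
        return digest_user_context      # authenticated: user_context applies
    if any(acl_covers(a, source_ip) for a in acls):
        return context                  # admitted by address: profile context
    return None                         # neither authenticated nor ACL-approved

def audit(xml_text, untrusted_context="public"):
    """Flag ACLs that place unauthenticated callers in a trusted context."""
    context, acls = load_profile(xml_text)
    if context == untrusted_context:
        return []
    return [f"{acl} admits unauthenticated calls into context {context!r}"
            for acl in acls]

if __name__ == "__main__":
    for prof in (PROFILE_PUBLIC, PROFILE_DEFAULT):
        print(call_context(prof, "192.168.10.105"), audit(prof))
```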
</body>
</html>