<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Alright, thank you! Domains ACL works
      BUT requires "users" to be in "groups". If "users" are directly in
      the "domain" section, ACL remains empty.<br>
      <br>
      This is contradictory to the wiki saying that: "Using groups is
      optional -- you can put your users straight into the domain
      section if you desire". Should I file a Jira or should I edit the
      wiki instead? :)<br>
      <br>
      With regards to directory, I intend to keep it minimalistic:<br>
      <br>
      &lt;user id="foo" cidr="1.2.3.4/32"&gt;<br>
      &nbsp; &lt;variables&gt;<br>
      &nbsp; &nbsp; &lt;variable name="accountcode" value="customer_1"/&gt;<br>
      &nbsp; &lt;/variables&gt;<br>
      &lt;/user&gt;<br>
      <br>
      Will someone from a different CIDR be able to place calls as user
      "foo" bypassing any authentication? Note that I don't set any
      password in params.<br>
      If so, how to secure this on the SIP profile level and keep user
      entries as concise as possible?<br>
      <br>
      Thanks again!<br>
      -Victor<br>
      <br>
      On 14-05-05 12:24 PM, Steven Ayre wrote:<br>
    </div>
    <blockquote
cite="mid:CAFiqYunitftd=hOuCkdHqTO5xqqzE+-XJqHad=AYh69s5i_hoA@mail.gmail.com"
      type="cite">
      <div dir="ltr">You need this:
        <div>&nbsp; &nbsp; &lt;param name="apply-inbound-acl" value="domains"/&gt;<br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On 5 May 2014 17:13, Victor
          Chukalovskiy <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:victor.chukalovskiy@gmail.com"
              target="_blank">victor.chukalovskiy@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
            <br>
            Coming from a wholesale background, my FS's run without any
            registrations.<br>
            So far everything was ACL-based using "apply-inbound-acl"
            and I did not<br>
            use any directory entries.<br>
            <br>
            The only problem with this is that once I have all IPs
            together in one<br>
            big ACL, I can't identify which customer the call came from.
            E.g. need<br>
            to set my_channel_variable=customer1 if a call came from
            particular IPs<br>
            and my_channel_variable=customer2 if a call came from other
            IPs.<br>
            <br>
            So I'm trying to move ACL logic into directory by means of
            defining a<br>
            user with cidr attribute. So far, no matter what I do FS
            challenges<br>
            INVITE with "407" even though the INVITE comes from the IP
            that is<br>
            included in CIDR attribute for a user. I suppose for
            whatever reason<br>
            switch does not match INVITEs against CIDR's in the
            directory. Please<br>
            help me with that. The wiki is written from a somewhat different
            logic /<br>
            perspective, so it's hard to apply.<br>
            <br>
            My SIP profile is:<br>
            <br>
            &lt;profile name="test"&gt;<br>
            &nbsp; &nbsp;&lt;gateways&gt;<br>
            &nbsp; &nbsp;&lt;/gateways&gt;<br>
            &nbsp; &nbsp;&lt;domains&gt;<br>
            &nbsp; &nbsp;&lt;/domains&gt;<br>
            &nbsp; &nbsp;&lt;settings&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="parse-invite-tel-params"
            value="true"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="user-agent-string" value="test"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="debug" value="0"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="sip-trace" value="no"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="log-auth-failures" value="true"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="rfc2833-pt" value="101"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="sip-port" value="5060"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="dialplan" value="XML"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="context" value="test"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="country" value="e164"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="dtmf-duration" value="2000"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="inbound-codec-prefs"
            value="$${default_codec_prefs}"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="outbound-codec-prefs"
            value="$${default_codec_prefs}"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="caller-id-type" value="none"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="rtp-timer-name" value="soft"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="rtp-ip" value="192.168.1.2"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="sip-ip" value="192.168.1.2"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="manage-presence" value="false"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="manage-shared-appearance"
            value="false"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="inbound-codec-negotiation"
            value="greedy"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="disable-transcoding" value="true"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="manual-redirect" value="false"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="disable-transfer" value="true"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="disable-register" value="false"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="auth-calls" value="true"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="rtp-timeout-sec" value="300"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="rtp-hold-timeout-sec" value="1800"/&gt;<br>
            &nbsp; &nbsp; &nbsp;&lt;param name="pass-callee-id" value="false"/&gt;<br>
            &nbsp; &nbsp;&lt;/settings&gt;<br>
            &lt;/profile&gt;<br>
            <br>
            <br>
            Thanks!<br>
            -Victor<br>
            <br>
            <br>
            <br>
            <br>
_________________________________________________________________________<br>
            Professional FreeSWITCH Consulting Services:<br>
            <a moz-do-not-send="true"
              href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
            <a moz-do-not-send="true"
              href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
            <br>
            FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
            <a moz-do-not-send="true" href="http://www.cudatel.com"
              target="_blank">http://www.cudatel.com</a><br>
            <br>
            Official FreeSWITCH Sites<br>
            <a moz-do-not-send="true" href="http://www.freeswitch.org"
              target="_blank">http://www.freeswitch.org</a><br>
            <a moz-do-not-send="true" href="http://wiki.freeswitch.org"
              target="_blank">http://wiki.freeswitch.org</a><br>
            <a moz-do-not-send="true" href="http://www.cluecon.com"
              target="_blank">http://www.cluecon.com</a><br>
            <br>
            FreeSWITCH-users mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
            <a moz-do-not-send="true"
              href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users"
              target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
            UNSUBSCRIBE:<a moz-do-not-send="true"
              href="http://lists.freeswitch.org/mailman/options/freeswitch-users"
              target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
            <a moz-do-not-send="true" href="http://www.freeswitch.org"
              target="_blank">http://www.freeswitch.org</a><br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
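    <div>Added example, not part of the original messages and not
      FreeSWITCH code: a small Python audit of a directory laid out like
      the one in this thread, reporting which accountcode a source IP
      maps to by cidr and which entries need review before relying on
      IP-only identification. The domain name, the users other than
      "foo", the CIDRs and the function names are constructed for
      illustration; the matching is a model of the lookup discussed
      here, and a comma-separated cidr list is an assumption.</div>
<pre>
```python
import ipaddress
import xml.etree.ElementTree as ET

def build_sample():
    """Constructed sample directory XML (illustrative values only)."""
    domain = ET.Element("domain", name="example.invalid")
    groups = ET.SubElement(domain, "groups")
    users = ET.SubElement(ET.SubElement(groups, "group", name="wholesale"), "users")
    rows = [(domain, "foo", "1.2.3.4/32", "customer_1"),    # directly under domain
            (users, "bar", "10.0.0.0/24", "customer_2"),
            (users, "baz", "10.0.0.128/25", "customer_3"),  # overlaps bar
            (users, "qux", None, "customer_4")]             # no cidr, no password
    for parent, uid, cidr, code in rows:
        user = ET.SubElement(parent, "user", id=uid)
        if cidr:
            user.set("cidr", cidr)
        variables = ET.SubElement(user, "variables")
        ET.SubElement(variables, "variable", name="accountcode", value=code)
    return ET.tostring(domain, encoding="unicode")

def load_users(xml_text):
    """Return (id, networks, accountcode, has_password) for every user element,
    whether it sits directly under the domain or inside a group."""
    out = []
    for user in ET.fromstring(xml_text).iter("user"):
        # assumption: cidr may hold a comma-separated list of networks
        nets = [ipaddress.ip_network(c.strip(), strict=False)
                for c in user.get("cidr", "").split(",") if c.strip()]
        code = next((v.get("value") for v in user.iter("variable")
                     if v.get("name") == "accountcode"), None)
        has_pw = any(p.get("name") in ("password", "a1-hash")
                     for p in user.iter("param"))
        out.append((user.get("id"), nets, code, has_pw))
    return out

def attribute(users, src_ip):
    """Accountcodes whose cidr contains src_ip; more than one means ambiguous."""
    ip = ipaddress.ip_address(src_ip)
    return sorted(code for _, nets, code, _ in users if any(ip in n for n in nets))

def findings(users):
    """Entries to review before relying on IP-only identification."""
    issues = []
    for i, (uid, nets, _, has_pw) in enumerate(users):
        if not nets and not has_pw:
            issues.append((uid, "no cidr and no password"))
        for other, onets, _, _ in users[i + 1:]:
            if any(a.overlaps(b) for a in nets for b in onets):
                issues.append((uid, "cidr overlaps " + other))
    return issues
```
</pre>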
  </body>
</html>