<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body smarttemplateinserted="true" text="#000000" bgcolor="#FFFFFF">
Hi all,<br>
<br>
I'm trying to understand FreeSWITCH's ACL concepts, but I find the
documentation not clear with respect to a combined effect of various
*acl* params with <font face="Courier New">auth-calls</font>. Could
you please provide your comments on the following?<br>
<br>
The documentation
(<a class="moz-txt-link-freetext" href="https://freeswitch.org/confluence/display/FREESWITCH/ACL">https://freeswitch.org/confluence/display/FREESWITCH/ACL</a>) says:<br>
<br>
<i>auth-calls: Can be set to true/false forcing users to
authenticate or no on the profile. Only allow users from a
specific cidr to register/make calls.</i><i><br>
</i><br>
First of all, it's not clear what's the default value of the <font
face="Courier New">auth-calls</font> param. If it's not explicitly
defined, is it true or false? (BTW, same happens with a lot of other
params, i.e. no default value specified in the docs, and for some
params I couldn't even find the default values in the sources.)<br>
<br>
Then, if <font face="Courier New">auth-calls</font> is set to true,
will it ignore all *acl* params and always force auth? Or will it
force auth only for those not specified in the *acl* params (e.g.
IPs in <font face="Courier New">apply-inbound-acl</font> won't be
forced to auth, all others will be). Similar doubt with the false
value: will it always ignore auth or will it ignore auth for the IPs
in the *acl* params and still require it for everything else?<br>
<br>
<br>
Then the documentation specifies:<br>
<br>
<i>apply-inbound-acl: Allow users to make calls from a particular
cidr without authenticating. Phones having IPs within these ACLs
will be able to perform calls (apply-inbound-acl) or register
(apply-register-acl) without having to provide a password (i.e.
without getting a "401 Unauthorized" challenge message).</i><i><br>
</i><br>
So if I understand it correctly, if I want a particular host (e.g.
my SIP trunk provider) to make inbound calls without auth, but
everyone else to be rejected with Unauthorized, I should specify in
the corresponding sip profile:<br>
<br>
<font face="Courier New"><param name="apply-inbound-acl"
value="1.2.3.4/32"/></font><br>
<br>
The documentation adds: <i>The ACL behavior is modified by
auth-calls, accept-blind-reg, and accept-blind-auth.</i><br>
<br>
So what should be the value for auth-calls in this case? How would
it modify the behavior of <font face="Courier New">apply-inbound-acl</font>
(i.e. apply-inbound-acl + auth-calls=false and apply-inbound-acl +
auth-calls=true)?<br>
<br>
<br>
Then, the documentation says:<br>
<br>
<i>auth-calls: Users in the directory can have "auth-acl" parameters
applied to them so as to restrict users access to a predefined ACL
or a CIDR. Note: this will require "auth-calls" to be set to true
in your sip (sofia) profile.</i><i><br>
</i><br>
So, if I want to restrict my internal users to be able to register
(providing their passwords) only from a specific range and be
rejected with Unauthorized for other IPs or if not providing auth,
should I configure the profile this way?<br>
<br>
<font face="Courier New"><param name="auth-calls"
value="true"/><br>
<param name="auth-acl" value="1.2.3.0/24"/> </font><br>
<br>
My doubt here is: would <font face="Courier New">auth-acl</font>
add an additional level of restriction without altering the default
behavior of <font face="Courier New">auth-calls</font> (that is to
request auth from everyone) or would it somehow relax the default
behavior for some cases?<br>
<br>
Thanks,<br>
Anatoli
</body>
</html>