<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body smarttemplateinserted="true" text="#000000" bgcolor="#FFFFFF">
<div id="smartTemplate4-quoteHeader">
<div style="font-size:10.0pt;font-family:Verdana,Arial">Could
someone please shed light on this topic?<br>
<br>
</div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm
0cm;font-size:10.0pt;font-family:"Tahoma","sans-serif""><b>From:</b>
Anatoli<br>
<b>Sent:</b> Wednesday, November 08, 2017 18:12<br>
<b>To:</b> Freeswitch-users<br>
<b>Subject:</b> [Freeswitch-users] ACL: auth_calls +
apply-inbound-acl/auth-acl<br>
</div>
<br>
</div>
<span type="cite"
cite="mid:8fc35d90-f845-0ad2-d641-34a3b7506920@anatoli.ws"
style="display: block; word-break: break-all; margin: 7px 0 0 0;
padding: 0; line-height:0"></span>
Hi all,<br>
<br>
I'm trying to understand FreeSWITCH's ACL concepts, but I find the
documentation unclear with respect to the combined effect of various
*acl* params with <font face="Courier New">auth-calls</font>. Could
you please provide your comments on the following?<br>
<br>
The documentation (<a class="moz-txt-link-freetext"
href="https://freeswitch.org/confluence/display/FREESWITCH/ACL"
moz-do-not-send="true">https://freeswitch.org/confluence/display/FREESWITCH/ACL</a>)
says:<br>
<br>
<i>auth-calls: Can be set to true/false forcing users to
authenticate or no on the profile. Only allow users from a
specific cidr to register/make calls.</i><i><br>
</i><br>
First of all, it's not clear what the default value of the <font
face="Courier New">auth-calls</font> param is. If it's not explicitly
defined, is it true or false? (BTW, same happens with a lot of other
params, i.e. no default value specified in the docs, and for some
params I couldn't even find the default values in the sources.)<br>
<br>
Then, if <font face="Courier New">auth-calls</font> is set to true,
will it ignore all *acl* params and always force auth? Or will it
force auth only for those not specified in the *acl* params (e.g.
IPs in <font face="Courier New">apply-inbound-acl</font> won't be
forced to auth, all others will be). Similar doubt with the false
value: will it always ignore auth or will it ignore auth for the IPs
in the *acl* params and still require it for everything else?<br>
<br>
<br>
Then the documentation specifies:<br>
<br>
<i>apply-inbound-acl: Allow users to make calls from a particular
cidr without authenticating. Phones having IPs within these ACLs
will be able to perform calls (apply-inbound-acl) or register
(apply-register-acl) without having to provide a password (i.e.
without getting a "401 Unauthorized" challenge message).</i><i><br>
</i><br>
So if I understand it correctly, if I want a particular host (e.g.
my SIP trunk provider) to make inbound calls without auth, but
everyone else to be rejected with Unauthorized, I should specify in
the corresponding sip profile:<br>
<br>
<font face="Courier New">&lt;param name="apply-inbound-acl"
value="1.2.3.4/32"/&gt;</font><br>
<br>
The documentation adds: <i>The ACL behavior is modified by
auth-calls, accept-blind-reg, and accept-blind-auth.</i><br>
<br>
So what should be the value for auth-calls in this case? How would
it modify the behavior of <font face="Courier New">apply-inbound-acl</font>
(i.e. apply-inbound-acl + auth-calls=false and apply-inbound-acl +
auth-calls=true)?<br>
<br>
<br>
Then, the documentation says:<br>
<br>
<i>auth-calls: Users in the directory can have "auth-acl" parameters
applied to them so as to restrict users access to a predefined ACL
or a CIDR. Note: this will require "auth-calls" to be set to true
in your sip (sofia) profile.</i><i><br>
</i><br>
So, if I want to restrict my internal users to be able to register
(providing their passwords) only from a specific range and be
rejected with Unauthorized for other IPs or if not providing auth,
should I configure the profile this way?<br>
<br>
<font face="Courier New">&lt;param name="auth-calls"
value="true"/&gt;<br>
&lt;param name="auth-acl" value="1.2.3.0/24"/&gt; </font><br>
<br>
My doubt here is: would <font face="Courier New">auth-acl</font>
add an additional level of restriction without altering the default
behavior of <font face="Courier New">auth-calls</font> (that is to
request auth from everyone) or would it somehow relax the default
behavior for some cases?<br>
<br>
Thanks,<br>
Anatoli <br>
</body>
</html>