[Freeswitch-users] ACLs through proxy
Bill W.
freeswitch at aastral.net
Sat Dec 19 15:16:28 PST 2009
Hey Metik,
Yes. Well, actually, I can have the cidr in two places in the directory.
<user cidr="190.218.97.83/32" id="testphone01">
  <params>
    <param name="auth-acl" value="190.218.97.83/32"/>
  </params>
</user>
From what I understand the cidr= parameter is used in conjunction with
the apply-inbound-acl parameter in the sofia profile to just allow
someone to make calls from a certain IP without authenticating.
And from what I understand the auth-acl= parameter is used to restrict a
user to a particular cidr, but the user has to authenticate as well.
*The second feature is the one I want to use.* I want to force users to
authenticate, but only allow that authentication from a particular cidr
as an added measure against toll fraud.
And this appears to be causing the issue. Because once I specify the
auth-acl parameter in the directory, sofia-reg enforces that acl. And
unfortunately it's using the IP of the proxy, not of the user-agent.
I looked in sofia.c and found this comment:
/*
* if network_ip is a proxy allowed to send calls, check for auth
* ip header and see if it matches against the inbound acl
*/
And this coincides with my testing.
I have <param name="apply-proxy-acl" value="ip_of_proxy"/> in my
profile. I have my proxy sending the X-AUTH-IP header (verified with
tcpdump). And yet the REGISTER is still being denied.
So it appears that the apply-proxy-acl is set up to work with the
apply-inbound-acl (to allow users from an IP without authenticating),
but that hasn't been carried over to sofia_reg.c, which appears to
simply check the IP of who FreeSWITCH is talking to against the auth-acl
cidr specified in the directory. (Line 1926)
So I guess the question is, is my analysis correct?
Thoughts anyone?
Thanks,
Bill
Metik wrote:
> Bill,
>
> I think you would add this to the user profile in the directory. The
> "brian.xml" example (located in ${confdir}/directory/) provided with the
> default/sample configuration files demonstrates how to do this by
> introducing a "cidr" attribute to the "user" element.
>
> Example:
>
> <user id="7105551212" cidr="127.0.0.0/8">
> <params>
> <param name="password" value="opensaysme"/>
> <param name="vm-password" value="14916"/>
> </params>
> <variables>
> <variable name="user_context" value="default"/>
> </variables>
> </user>
>
> "http://wiki.freeswitch.org/wiki/Acl" contains some great info
> (including a relevant example).
>
> -metik
>
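The two checks Bill contrasts above (auth-acl compared against the peer address FreeSWITCH is actually talking to, versus resolving the client address through the proxy ACL and the X-AUTH-IP header first) can be modelled in a few lines. The block below is an added illustration, not FreeSWITCH code and not from the thread; the names TRUSTED_PROXIES, USER_AUTH_ACL, effective_source_ip, register_allowed_peer_only and register_allowed_proxy_aware are hypothetical, the header name X-AUTH-IP and the cidr 190.218.97.83/32 come from the post, and 203.0.113.10 and 198.51.100.7 are constructed sample addresses. Only a peer inside the proxy ACL gets to substitute the source address, which is what keeps the header from becoming a bypass of the auth-acl restriction.

```python
import ipaddress

# Constructed sample values (not taken from any real FreeSWITCH deployment).
TRUSTED_PROXIES = ["203.0.113.10/32"]                  # plays the role of apply-proxy-acl
USER_AUTH_ACL = {"testphone01": ["190.218.97.83/32"]}  # plays the role of auth-acl per user


def ip_in_acl(ip: str, cidrs) -> bool:
    """Return True if ip lies inside any CIDR block in cidrs.

    A value that is not a valid address (a malformed header, for instance)
    never matches, so the caller falls through to a deny.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def effective_source_ip(network_ip: str, headers: dict, proxy_acl) -> str:
    """Hypothetical proxy-aware source resolution.

    Only a peer inside proxy_acl may substitute the original client address
    via X-AUTH-IP; the header is ignored from every other peer, so a client
    connecting directly cannot pick its own source address by adding it.
    """
    if ip_in_acl(network_ip, proxy_acl) and "X-AUTH-IP" in headers:
        return headers["X-AUTH-IP"]
    return network_ip


def register_allowed_peer_only(user: str, network_ip: str, headers: dict) -> bool:
    """The check as the post describes sofia_reg.c: auth-acl is compared
    against the address FreeSWITCH is talking to, proxy or not."""
    return ip_in_acl(network_ip, USER_AUTH_ACL.get(user, []))


def register_allowed_proxy_aware(user: str, network_ip: str, headers: dict) -> bool:
    """The check the post argues for: resolve the client address through the
    proxy ACL first, then compare that against the user's auth-acl."""
    src = effective_source_ip(network_ip, headers, TRUSTED_PROXIES)
    return ip_in_acl(src, USER_AUTH_ACL.get(user, []))


if __name__ == "__main__":
    # Constructed REGISTER scenarios: (description, peer IP, headers seen by FreeSWITCH)
    cases = [
        ("phone registers directly",       "190.218.97.83", {}),
        ("phone via trusted proxy",        "203.0.113.10",  {"X-AUTH-IP": "190.218.97.83"}),
        ("other client via trusted proxy", "203.0.113.10",  {"X-AUTH-IP": "198.51.100.7"}),
        ("direct peer supplying header",   "198.51.100.7",  {"X-AUTH-IP": "190.218.97.83"}),
    ]
    for desc, peer, hdrs in cases:
        print(f"{desc:32} peer-only={register_allowed_peer_only('testphone01', peer, hdrs)!s:5} "
              f"proxy-aware={register_allowed_proxy_aware('testphone01', peer, hdrs)}")
```

The second scenario is the one in the post: the REGISTER arrives from the proxy's address, so the peer-only check denies it even though the phone itself sits inside the auth-acl cidr, while the proxy-aware check admits it. The last scenario shows why the proxy ACL has to gate the header: a peer that is not a listed proxy is judged on its own address, whatever X-AUTH-IP it sends.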