[Freeswitch-users] ACLs through proxy

Metik freeswitch-users-list at metik.com
Sun Dec 20 13:58:52 PST 2009

Then it would appear that my original suggestion to use mod_xml_curl 
would be best for now and you may need to offer a bounty for this 
feature as others have suggested.  Based on the sofia related snippets 
presented--I would assume it would be trivial to implement since most of 
the functionality is already there it just needs to be enhanced for your 
purpose.  It would also be extremely easy to do this in OpenSIPS as well 
(using blacklists or avpops). 

Just so that I understand your dilemna, you want to reject an incoming 
REGISTER associated with a specific user unless it comes from a fixed 
location and if it does, you want to simply challenge it as usual to 
prevent toll fraud?

I have found that its best to mitigate an attack at ingress before it 
even makes it to critical infrastructure (media gateways, 
application/media servers, etc.).


Bill W. wrote:
> Hey Metik,
> Yes.  Well, actually, I can have the cidr in two places in the directory.
> <user cidr="" id="testphone01">
>    <params>
>      <param name="auth-acl" value=""></param>
> >From what I understand the cidr= parmeter is used in conjunction with
> the apply-inbound-acl parameter in the sofia profile to just allow
> someone to make calls from a certain IP without authenticating.
> And from what I understand the auth-acl= parameter is used to restrict a
> user to a particular cidr, but the user has to authenticate as well.
> *The second feature is the one I want to use.*  I want to force users to
> authenticate, but only allow that authentication from a particular cidr
> as an added measure against toll fraud.
> And this appears to be causing the issue.  Because once I specify the
> auth-acl parameter in the directory, sofia-reg enforces that acl.  And
> unfortunately it's using the IP of the proxy, not of the user-agent.
> I looked in sofia.c and found this comment:
> /*
>  * if network_ip is a proxy allowed to send calls, check for auth
>  * ip header and see if it matches against the inbound acl
> */
> And this coincides with my testing.
> I have <param name="apply-proxy-acl" value="ip_of_proxy"/> in my
> profile.  I have my proxy sending the X-AUTH-IP header (verified with
> tcpdump).  And yet the REGISTER is still being denied.
> So it appears that the apply-proxy-acl is set up to work with the
> apply-inbound-acl ( to allow users from an IP without authenticating)
> But that hasn't been carried over to sofia_reg.c, which appears to
> simply check the IP of who FreeSWITCH is talking to against the auth-acl
> cidr specified in the directory. (Line 1926)
> So I guess the question is, is my analysis correct?
> Thoughts anyone?
> Thanks,
> Bill
> Metik wrote:
>> Bill,
>> I think you would add this to the user profile in the directory. The 
>> "brian.xml" example (located in ${confdir}/directory/) provided with the 
>> default/sample configuration files demonstrates how to to do this by 
>> introducing a "cidr" attribute to the the "user" element.
>> Example:
>> <user id="7105551212" cidr="">
>>     <params>
>>       <param name="password" value="opensaysme"/>
>>       <param name="vm-password" value="14916"/>
>>     </params>
>>     <variables>
>>       <variable name="user_context" value="default"/>
>>     </variables>
>>   </user>
>> "http://wiki.freeswitch.org/wiki/Acl" contains some great info 
>> (including a relevant example).
>> -metik
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org

More information about the FreeSWITCH-users mailing list