[Freeswitch-users] ACLs through proxy
Bill W
freeswitch at aastral.net
Mon Dec 21 08:47:17 PST 2009
Hey Metik,
Thank you so much for your assistance on this issue. I really
appreciate it.
Yes I agree with you on the mod_xml_curl solution. However, as I was
starting to pursue that, I ran into another issue. It appears as though
I don't have access to any variables in the xml_curl POST that contain
the IP of the UA.
The only two variables with IPs (other than the switch IP) are:
sip_contact_host=192.168.0.100
and
ip=64.135.119.105
where the .105 is my proxy. :( Do you know of any way to get additional
variables into the xml_curl POST?
As far as my current use case, yes, you understand my needs correctly,
with one slight modification, I want to use the IP acl+Auth with both
REGISTERs and INVITEs.
And yes, I agree with you that it is better to mitigate at the border,
but I don't have that kind of infrastructure available yet.
So do you have any other suggestions on a workaround with the xml_curl
issue? Or should I include that with my bounty?
Thanks,
Bill
Metik wrote:
> Then it would appear that my original suggestion to use mod_xml_curl
> would be best for now and you may need to offer a bounty for this
> feature as others have suggested. Based on the sofia related snippets
> presented--I would assume it would be trivial to implement since most of
> the functionality is already there it just needs to be enhanced for your
> purpose. It would also be extremely easy to do this in OpenSIPS as well
> (using blacklists or avpops).
>
> Just so that I understand your dilemma, you want to reject an incoming
> REGISTER associated with a specific user unless it comes from a fixed
> location and if it does, you want to simply challenge it as usual to
> prevent toll fraud?
>
> I have found that its best to mitigate an attack at ingress before it
> even makes it to critical infrastructure (media gateways,
> application/media servers, etc.).
>
> -metik
>
> Bill W. wrote:
>> Hey Metik,
>>
>> Yes. Well, actually, I can have the cidr in two places in the directory.
>>
>> <user cidr="190.218.97.83/32" id="testphone01">
>> <params>
>> <param name="auth-acl" value="190.218.97.83/32"></param>
>>
>> From what I understand the cidr= parameter is used in conjunction with
>> the apply-inbound-acl parameter in the sofia profile to just allow
>> someone to make calls from a certain IP without authenticating.
>>
>> And from what I understand the auth-acl= parameter is used to restrict a
>> user to a particular cidr, but the user has to authenticate as well.
>>
>> *The second feature is the one I want to use.* I want to force users to
>> authenticate, but only allow that authentication from a particular cidr
>> as an added measure against toll fraud.
>>
>> And this appears to be causing the issue. Because once I specify the
>> auth-acl parameter in the directory, sofia-reg enforces that acl. And
>> unfortunately it's using the IP of the proxy, not of the user-agent.
>>
>> I looked in sofia.c and found this comment:
>> /*
>> * if network_ip is a proxy allowed to send calls, check for auth
>> * ip header and see if it matches against the inbound acl
>> */
>>
>> And this coincides with my testing.
>> I have <param name="apply-proxy-acl" value="ip_of_proxy"/> in my
>> profile. I have my proxy sending the X-AUTH-IP header (verified with
>> tcpdump). And yet the REGISTER is still being denied.
>>
>> So it appears that the apply-proxy-acl is set up to work with the
>> apply-inbound-acl ( to allow users from an IP without authenticating)
>>
>> But that hasn't been carried over to sofia_reg.c, which appears to
>> simply check the IP of who FreeSWITCH is talking to against the auth-acl
>> cidr specified in the directory. (Line 1926)
>>
>> So I guess the question is, is my analysis correct?
>>
>> Thoughts anyone?
>>
>> Thanks,
>> Bill
>>
>> Metik wrote:
>>
>>> Bill,
>>>
>>> I think you would add this to the user profile in the directory. The
>>> "brian.xml" example (located in ${confdir}/directory/) provided with the
>>> default/sample configuration files demonstrates how to do this by
>>> introducing a "cidr" attribute to the "user" element.
>>>
>>> Example:
>>>
>>> <user id="7105551212" cidr="127.0.0.0/8//">
>>> <params>
>>> <param name="password" value="opensaysme"/>
>>> <param name="vm-password" value="14916"/>
>>> </params>
>>> <variables>
>>> <variable name="user_context" value="default"/>
>>> </variables>
>>> </user>
>>>
>>> "http://wiki.freeswitch.org/wiki/Acl" contains some great info
>>> (including a relevant example).
>>>
>>> -metik
>>>
>>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
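As an added illustration of the mod_xml_curl approach discussed in this thread (example code, not from FreeSWITCH or any poster): a directory responder that only returns the user when the POSTed source address falls inside that user's CIDR, and that sets auth-acl (password still required) rather than the user cidr= attribute (which waives authentication). The field names `user`, `domain` and `ip`, the allow-list and the addresses are assumptions and constructed values; as the thread reports, `ip` is the proxy when one is in the path, so this check cannot see the user agent behind it.

```python
import ipaddress
from xml.sax.saxutils import quoteattr

# Constructed allow-list: user -> (password, CIDR the user may authenticate from).
# Values are illustrative only.
ALLOWED = {
    "testphone01": ("opensaysme", "190.218.97.83/32"),
}

# The standard mod_xml_curl "nothing found" reply.
NOT_FOUND = ('<document type="freeswitch/xml"><section name="result">'
             '<result status="not found"/></section></document>')


def directory_response(post, allowed=ALLOWED):
    """Build the directory reply for one mod_xml_curl lookup.

    `post` is the form data FreeSWITCH POSTs. The field names used here
    (user, domain, ip) are assumed; `ip` is the address FreeSWITCH is
    talking to, i.e. the proxy when one sits in front of it.
    """
    user = post.get("user", "")
    domain = post.get("domain", "")
    entry = allowed.get(user)
    if entry is None:
        return NOT_FOUND
    password, cidr = entry
    try:
        src = ipaddress.ip_address(post.get("ip", ""))
    except ValueError:
        return NOT_FOUND
    if src not in ipaddress.ip_network(cidr, strict=False):
        # Source outside the user's CIDR: return nothing, so the REGISTER
        # or INVITE is rejected instead of being challenged.
        return NOT_FOUND
    # Only auth-acl is emitted, never the user cidr= attribute: cidr= lets
    # callers skip authentication, auth-acl keeps the challenge and only
    # restricts where it may succeed from.
    return (
        '<document type="freeswitch/xml"><section name="directory">'
        f'<domain name={quoteattr(domain)}><user id={quoteattr(user)}>'
        '<params>'
        f'<param name="password" value={quoteattr(password)}/>'
        f'<param name="auth-acl" value={quoteattr(cidr)}/>'
        '</params></user></domain></section></document>'
    )
```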