[Freeswitch-users] Authenticating end points by IP
freeswitch at aastral.net
Tue Dec 22 14:38:10 PST 2009
You can apply any acl to any profile. What you should do really depends
on what you want to accomplish.
But let's take a simple example. Let's say you want to allow any phone
on your internal network (192.168.0.0/24) to connect to your internal
profile and make calls without having to provide a password.
Then you could simply put these entries in your internal sofia profile.
<param name="apply-inbound-acl" value="192.168.0.0/24"/>
<param name="apply-register-acl" value="192.168.0.0/24"/>
In that case, you do not need to include anything in the directory. The
cidr entries in the directory are for providing additional control for
each user id and what IPs they are allowed to make calls from.
For your external profile, you may not want to have any ACLs at all, as
you may not want to limit which IPs can connect to your switch to send
you incoming calls. BUT, you need to make sure the dialplan connected
to that external profile doesn't allow anyone to dial numbers that are
not hosted on your system without proper authentication or controls.
And believe me, people WILL try to do that. I've set up my system to
email me whenever this happens and I have logged over 100 attempts to
dial international numbers just since December 3rd.
Hope this helps,
Lars Zeb wrote:
> Thanks for your ACL Overview. Perhaps you can help me understand more
> If you include the "local-network-acl" and "apply-inbound-acl" params in the
> sip_profiles and setup the list for "localnet.auto" in acl.conf.xml, does
> this mean you do not have to include the cidr attribute for individual
> extensions in the directory/default folder?
> Is "apply-inbound-acl" supposed to exist in both internal and external
> profiles while "apply-inbound-acl" is only in the internal?
> Thanks, Lars
More information about the FreeSWITCH-users