[Freeswitch-users] Authenticating end points by IP

Bill W freeswitch at aastral.net
Tue Dec 22 14:38:10 PST 2009


Hello Lars,

You can apply any acl to any profile.  What you should do really depends 
on what you want to accomplish.

But let's take a simple example.  Let's say you want to allow any phone 
on your internal network (192.168.0.0/24) to connect to your internal 
profile and make calls without having to provide a password.

Then you could simply put these entries in your internal sofia profile.

<param name="apply-inbound-acl" value="192.168.0.0/24"/>
<param name="apply-register-acl" value="192.168.0.0/24"/>

In that case, you do not need to include anything in the directory.  The 
cidr entries in the directory are for providing additional control for 
each user id and what IPs they are allowed to make calls from.

For your external profile, you may not want to have any ACLs at all, as 
you may not want to limit which IPs can connect to your switch to send 
you incoming calls.  BUT, you need to make sure the dialplan connected 
to that external profile doesn't allow anyone to dial numbers that are 
not hosted on your system without proper authentication or controls.

And believe me, people WILL try to do that.  I've set up my system to 
email me whenever this happens and I have logged over 100 attempts to 
dial international numbers just since December 3rd.

Hope this helps,
Bill

Lars Zeb wrote:
> Bill,
> 
> Thanks for your ACL Overview. Perhaps you can help me understand more
> clearly.
> 
> If you include the "local-network-acl" and "apply-inbound-acl" params in the
> sip_profiles and setup the list for "localnet.auto" in acl.conf.xml, does
> this mean you do not have to include the cidr attribute for individual
> extensions in the directory/default folder?
> 
> Is "apply-inbound-acl" supposed to exist in both internal and external
> profiles while "apply-inbound-acl" is only in the internal?
> 
> Thanks, Lars
> 
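An added example, not part of the original post or of FreeSWITCH itself: a small audit that reads a sofia profile and reports which source ranges the two ACL params from the reply would exempt from password authentication. The function name `audit_profile`, the `trusted_net` parameter, the verdict labels and the sample profile are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: an internal profile like the one in the post, plus one
# deliberately over-broad entry to show what the audit flags.
SAMPLE_PROFILE = """
<profile name="internal">
  <settings>
    <param name="apply-inbound-acl" value="192.168.0.0/24"/>
    <param name="apply-register-acl" value="0.0.0.0/0"/>
    <param name="local-network-acl" value="localnet.auto"/>
  </settings>
</profile>
"""

# Params from the post that let a matching source IP skip password auth.
AUTH_BYPASS_PARAMS = {"apply-inbound-acl", "apply-register-acl"}

def audit_profile(xml_text, trusted_net="192.168.0.0/24"):
    """Return (param, value, verdict) for each auth-bypassing ACL param."""
    trusted = ipaddress.ip_network(trusted_net)  # assumed internal range
    findings = []
    for param in ET.fromstring(xml_text).iter("param"):
        name, value = param.get("name"), param.get("value", "")
        if name not in AUTH_BYPASS_PARAMS:
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            # Not a CIDR: treat as a named list to be checked in acl.conf.xml.
            findings.append((name, value, "named-list"))
            continue
        if net.version == trusted.version and net.subnet_of(trusted):
            verdict = "ok"
        else:
            verdict = "too-broad"
        findings.append((name, value, verdict))
    return findings

if __name__ == "__main__":
    for name, value, verdict in audit_profile(SAMPLE_PROFILE):
        print(f"{name:20} {value:18} {verdict}")
```

Any row marked `too-broad` on a profile means hosts outside the intended network can register or place calls there without credentials.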



