[Freeswitch-users] Local call uses public context?

Lars Zeb larclap at yahoo.com
Thu Dec 24 12:31:51 PST 2009


Thanks for the reply, Michael.

 

I tried the digest authentication using the cidr and copying the
conf/sip_profiles/internal.xml from the distribution, where

<param name="apply-inbound-acl" value="domains"/>

As a result, one endpoint could not register and another was unauthorized.

 

http://pastebin.freeswitch.org/11634

 

Then I changed the context in internal.xml from public to default and

            <param name="apply-inbound-acl" value="192.168.10.0/24"/>
            <param name="apply-register-acl" value="192.168.10.0/24"/>

 

And the phones registered OK. So my confusion persists.

 

Lars

 

From: freeswitch-users-bounces at lists.freeswitch.org
[mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Michael
Collins
Sent: Thursday, December 24, 2009 11:00 AM
To: freeswitch-users at lists.freeswitch.org
Subject: Re: [Freeswitch-users] Local call uses public context?

 

Lars,

Since this question has come up a few times I'm going to write up a nice
wiki article on it explaining the differences between letting someone in via
an ACL and actually doing digest authentication. In a nutshell, though, it's
this: if the user does digest authentication (with the whole REGISTER, 401,
REGISTER, 200 OK exchange) then whatever value is in user_context is the
context for the calls made by that user. In conf/directory/default/1000.xml
(and 1001.xml, etc.) they all have user_context = "default" so when those
users register the calls they make are handled in the default context. OTOH,
if you let a user in via an ACL they aren't really registered, you've simply
opened the door for anyone coming from a particular IP address or IP address
range. In that case the calls are handled in the context specified by the
context parameter of the sip profile where the calls come in. By default the
internal sip profile uses the public context. This is for security reasons.
"Paranoid by default" is how you might describe it. You are welcome to
change that value to "default" so that calls let in by the ACL are handled
just like auth'd calls.

Play around with it and let us know how it goes. I think you'll get it once
you start modifying settings and making test calls.

-MC

On Thu, Dec 24, 2009 at 8:16 AM, Lars Zeb <larclap at yahoo.com> wrote:

Brian,

 

Please forgive my slowness, but I'm still having problems with this. When
you say that I "really didn't auth the user", did you mean the
endpoint/extension?

 

If you did, I upped to svn1 16055 and placed a cidr attribute on the
extension and reran the test, resulting in the same output, going to context
public.

 

Further, I'm confused about your response about ACL compared with Billy W in
an email of 12/22/2009.

 

"...you could simply put these entries in your internal sofia profile.

 

<param name="apply-inbound-acl" value="192.168.0.0/24"/>
<param name="apply-register-acl" value="192.168.0.0/24"/>

 

In that case, you do not need to include anything in the directory.  The
cidr entries in the directory are for providing additional control for each
user id and what IPs they are allowed to make calls from."

 

http://pastebin.freeswitch.org/11633

Linux fs 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:39:21 EDT 2009 i686 i686
i386 GNU/Linux

 

Thanks Lars

 

From: freeswitch-users-bounces at lists.freeswitch.org
[mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Brian
West
Sent: Wednesday, December 23, 2009 6:03 PM
To: freeswitch-users at lists.freeswitch.org
Subject: Re: [Freeswitch-users] Local call uses public context?

 

2009-12-23 15:00:01.955357 [DEBUG] sofia.c:5322 IP 192.168.10.105 Approved
by acl "192.168.10.0/24[]". Access Granted.

 

Because the context is set on the profile as public... and you really didn't
auth the user so user_context was never set.

 

/b

 

On Dec 23, 2009, at 7:49 PM, Lars Zeb wrote:

 

I am trying to setup a second FS box from scratch using v16048.

 

What can cause a local call (81002, or 9996) to use context public? It's a
standard vanilla install.

 

http://pastebin.freeswitch.org/11629

 

Thanks, Lars

_______________________________________________
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
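
Added example, not part of the original thread and not FreeSWITCH code: a simplified Python model of the rule Brian and Michael describe, where a source address approved by apply-inbound-acl gets the profile's context and only a digest-authenticated user gets user_context. The XML samples are constructed, the function names are hypothetical, and only literal CIDR ACL values are evaluated.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the internal profile with the stock "public" context
# and the literal CIDR ACL quoted in the thread.
PROFILE_XML = """<profile name="internal"><settings>
  <param name="context" value="public"/>
  <param name="apply-inbound-acl" value="192.168.10.0/24"/>
</settings></profile>"""

# Constructed sample modelled on conf/directory/default/1000.xml.
USER_XML = """<user id="1000"><variables>
  <variable name="user_context" value="default"/>
</variables></user>"""

def _values(xml_text, tag):
    """Map name -> value for every <tag name=... value=.../> element."""
    return {e.get("name"): e.get("value") for e in ET.fromstring(xml_text).iter(tag)}

def resolve_context(profile_xml, user_xml, src_ip):
    """Return (context, reason) for a call from src_ip (simplified model)."""
    params = _values(profile_xml, "param")
    acl = params.get("apply-inbound-acl")
    # Only literal CIDR values are handled; a named list such as "domains"
    # raises ValueError here because its members are defined elsewhere.
    if acl and ipaddress.ip_address(src_ip) in ipaddress.ip_network(acl.strip(), strict=False):
        # Admitted by address: no digest exchange, so user_context is never set.
        return params.get("context"), "acl"
    # Otherwise the caller has to complete digest auth; the directory entry decides.
    return _values(user_xml, "variable").get("user_context"), "digest"

def acl_context_findings(profile_xml):
    """Flag a profile whose ACL-admitted (unauthenticated) calls skip 'public'."""
    params = _values(profile_xml, "param")
    acl, ctx = params.get("apply-inbound-acl"), params.get("context")
    if acl and ctx != "public":
        return [f"calls admitted by ACL {acl.strip()!r} reach context {ctx!r} without digest auth"]
    return []

if __name__ == "__main__":
    relaxed = PROFILE_XML.replace('value="public"', 'value="default"')
    print(resolve_context(PROFILE_XML, USER_XML, "192.168.10.105"))
    print(resolve_context(PROFILE_XML, USER_XML, "10.0.0.5"))
    print(resolve_context(relaxed, USER_XML, "192.168.10.105"))
    print(acl_context_findings(relaxed))
```

The finding for the relaxed profile is the trade-off Michael points out: setting the profile context to "default" gives every address inside the ACL range the same dialplan as an authenticated user.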

 

