[Freeswitch-users] Reject SIP registrations

Steven Ayre steveayre at gmail.com
Tue Jun 28 11:56:53 MSD 2011


When you use a CIDR it matches the user entry based on IP not on username.

You're able to authenticate with other usernames because they're all
authenticating to the same user based on IP.

-Steve



On 28 June 2011 00:12, Kurtis Heimerl <kheimerl at cs.berkeley.edu> wrote:

> One of those links got screwed up...
>
> Anyhow, here are those three config files:
>
> internal.xml : http://pastebin.freeswitch.org/16609
>
> acl.conf.xml : http://pastebin.freeswitch.org/16610
>
> 1300.xml : http://pastebin.freeswitch.org/16611
>
> If anything else could help, I'd love to share it.
>
> The basic story, so far as I see, is that I allow specific IPs through
> the ACL. Somehow this is allowing ANY SIP username to register, rather
> than just those defined (such as 1300). Any help would be appreciated.
>
> On Mon, Jun 27, 2011 at 4:11 PM, Kurtis Heimerl
> <kheimerl at cs.berkeley.edu> wrote:
> > Anyhow, here are those three config files:
> >
> > internal.xml : http://pastebin.freeswitch.org/16609
> > acl.conf.xml : http://pastebin.freeswitch.org/16610
> > 1300.xml : http://pastebin.freeswitch.org/16611
> >
> > If anything else could help, I'd love to share it.
> >
> > The basic story, so far as I see, is that I allow specific IPs through
> > the ACL. Somehow this is allowing ANY SIP username to register, rather
> > than just those defined (such as 1300). Any help would be appreciated.
> >
> > On Mon, Jun 27, 2011 at 1:30 PM, Kurtis Heimerl
> > <kheimerl at cs.berkeley.edu> wrote:
> >> It's enabled in the acl.conf.xml file, using CIDR.
> >>
> >> What conf files do you consider relevant? acl.conf.xml, internal.xml,
> >> a profile or two, anything else?
> >>
> >> On Mon, Jun 27, 2011 at 1:26 PM, David Ponzone <david.ponzone at ipeva.fr> wrote:
> >>> The interesting question is then: why are you able to register without
> >>> password, if this feature is not enabled on the profile...
> >>> Perhaps you should recap your config once more, and put the relevant files
> >>> on PB.
> >>> David Ponzone  Direction Technique
> >>>
> >>> On 27/06/2011 at 20:36, Kurtis Heimerl wrote:
> >>>
> >>> That would explain why removing them didn't do anything!
> >>>
> >>> Thanks.
> >>>
> >>> On Mon, Jun 27, 2011 at 6:25 AM, Steven Ayre <steveayre at gmail.com> wrote:
> >>>
> >>> Just so you know...
> >>>
> >>>      <param name="accept-blind-reg" value="true"/>
> >>>      <param name="accept-blind-auth" value="true"/>
> >>>
> >>> These will have no effect in the user directory. They only apply to SIP
> >>> profiles.
> >>>
> >>> -Steve
> >>>
> >>>
> >>>
> >>> On 27 June 2011 02:23, Kurtis Heimerl <kheimerl at cs.berkeley.edu> wrote:
> >>>
> >>> Hello FS Users!
> >>>
> >>> I'm trying to create the following setup. When a user registers, if
> >>> they register on a known account (let's say X), they do not need a
> >>> password. X's registration is immediately OK'd, and everything is
> >>> great. I've gotten that working using the ACL. The IP addresses of our
> >>> SIP clients are added through cidr and the clients do not need to give
> >>> passwords.
> >>>
> >>> However, for some reason, if another account that does not exist in
> >>> the directory (let's say Y) registers, FS returns with a 200 OK,
> >>> instead of rejecting Y. I'm trying to figure out why this is the case,
> >>> and how to remedy that fact.
> >>>
> >>> I have the following line in my internal.xml file, which I had assumed
> >>> would force this function:
> >>>
> >>>   <!-- Force the user and auth-user to match. -->
> >>>   <param name="inbound-reg-force-matching-username" value="true"/>
> >>>
> >>> However, it does not work. In my directory, each individual account has
> >>> the following lines:
> >>>
> >>>  <user id="1303">
> >>>    <params>
> >>>      <param name="accept-blind-reg" value="true"/>
> >>>      <param name="accept-blind-auth" value="true"/>
> >>>      <param name="vm-password" value="1000"/>
> >>>    </params>
> >>>
> >>> Though I've found that removing it (from all users in the directory)
> >>> doesn't help.
> >>>
> >>> I'm primarily concerned with the line in internal.xml; it seems
> >>> possible that the fact that we do not have an auth-user (because we do
> >>> not require auth) means that this won't work. However, I have yet to
> >>> test that hypothesis. The ACL has been the most confusing aspect of
> >>> this installation, with a lot of undocumented aspects, and I get the
> >>> nagging feeling this is another. I could very well be wrong though.
> >>>
> >>> Thanks for any direction.
> >>>
> >>> _______________________________________________
> >>>
> >>> Join us at ClueCon 2011, Aug 9-11, Chicago
> >>>
> >>> http://www.cluecon.com 877-7-4ACLUE
> >>>
> >>> FreeSWITCH-users mailing list
> >>>
> >>> FreeSWITCH-users at lists.freeswitch.org
> >>>
> >>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >>>
> >>> UNSUBSCRIBE:
> http://lists.freeswitch.org/mailman/options/freeswitch-users
> >>>
> >>> http://www.freeswitch.org
> >>>
> >>>
> >>
> >
>
>
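
Added example (not part of the original thread, and not FreeSWITCH code): a simplified Python model of the IP-based user lookup Steve describes at the top of this message, showing why an unknown username from an allowed address is still accepted, plus an audit that flags cidr entries covering more than one address. The directory XML is constructed; the most-specific-prefix tie-break and the require_username_match check are assumptions of this model, not FreeSWITCH options.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample directory (not the poster's config).
DIRECTORY_XML = """
<domain name="example.invalid">
  <user id="1300" cidr="192.0.2.10/32"/>
  <user id="1301" cidr="192.0.2.0/24"/>
  <user id="1302">
    <params><param name="password" value="constructed-secret"/></params>
  </user>
</domain>
"""

def load_cidr_users(xml_text):
    """Return [(user_id, network)] for every <user> carrying a cidr attribute."""
    entries = []
    for user in ET.fromstring(xml_text).iter("user"):
        for cidr in user.get("cidr", "").split(","):
            if cidr.strip():
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                entries.append((user.get("id"), net))
    return entries

def match_by_ip(entries, source_ip):
    """IP-only lookup: the presented SIP username is never consulted.
    Assumption of this model: the most specific network wins."""
    ip = ipaddress.ip_address(source_ip)
    hits = [(net.prefixlen, uid) for uid, net in entries if ip in net]
    return max(hits)[1] if hits else None

def register_decision(entries, source_ip, presented_user, require_username_match):
    """Model a REGISTER: 'challenge' means fall back to password auth."""
    matched = match_by_ip(entries, source_ip)
    if matched is None:
        return "challenge"
    # Hypothetical extra check: the IP-matched user must equal the presented one.
    if require_username_match and matched != presented_user:
        return "reject"
    return "accept-as:" + matched

def audit(entries):
    """Flag cidr entries that cover more than one address."""
    return [(uid, str(net)) for uid, net in entries if net.num_addresses > 1]

if __name__ == "__main__":
    users = load_cidr_users(DIRECTORY_XML)
    print(register_decision(users, "192.0.2.10", "9999", False))
    print(register_decision(users, "192.0.2.10", "9999", True))
    print(audit(users))
```
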