[Freeswitch-users] Combine non-auth and auth calls on same profile security consideration.

Mimiko vbvbrj at gmail.com
Tue Jan 3 12:40:07 MSK 2017


Hello.

There were separate SIP profiles for registered accounts and anonymous 
inbound calls: internal and external. All calls and registrations on 
internal are authenticated and routed to the "default" context. For the 
external profile, inbound calls are not authenticated and are routed to 
the "public" context.

In order for someone to call inbound, (s)he has to use port :5080, 
which is somehow inconvenient. So I decided to combine them in one profile 
named "example" on port 5060.

<profile name="internal_77.89.245.34">
  <settings>
    <param name="context" value="public"/>
    <param name="auth-calls" value="false"/>
    <param name="auth-all-packets" value="false"/>
    <param name="inbound-reg-force-matching-username" value="true"/>
    <param name="force-register-domain" value="default"/>
    <param name="force-subscription-domain" value="default"/>
    <param name="force-register-db-domain" value="default"/>
  </settings>
</profile>
<domain name="$${domain}">
  <variables>
    <variable name="inbound-reg-force-matching-username" value="true"/>
    <variable name="user_context" value="default"/>
    <groups>
      <group name="default">
        <users>
          <X-PRE-PROCESS cmd="include" data="default/*.xml"/>
        </users>
      </group>
    </groups>
  </variables>
</domain>

Registration was working, calling those registrations was working, but 
some phones hit the public context, some the default context. I started to 
dig into what's happening and found that D-Link phones always make 
authenticated calls when they are registered, while Stephen's phones make 
unauthenticated calls and go to public.

Then I found a mention that registrations only allow finding the phone 
to call, while calls do not necessarily authenticate. So I used 
Anthony's solution at the end of the public context:

<extension name="check_auth" continue="true">
  <condition field="${sip_authorized}" expression="^true$" break="never">
    <anti-action application="respond" data="407"/>
  </condition>
</extension>

Now when a registered phone hits the public context and no other conditions 
are met, it is rejected and the call is then authenticated, hitting the 
default context.

Then in the CDR I see two lines: one with rejected and one with success. 
This is not good, so I found a hint and put:
<anti-action application="set" data="process_cdr=false"/>

And now it is working somewhat correctly, except that calls to public 
numbers which do not require authentication do not get the vars for the 
registered extension.

My questions are:

1) Does this type of combination affect security?
2) How do I force all registered phones to always make authenticated 
calls, so they will not go first through the public context and then to default?

-- 
Mimiko desu.
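
Added example (not part of the original post and not FreeSWITCH project code): a Python check that lists which extensions of a public context are evaluated before the "check_auth" gate described above, since those are the ones an INVITE without credentials can reach. The sample dialplan, its extension names, numbers and gateway name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a public context containing the post's check_auth gate.
# Extension names, numbers and the gateway name are made up for illustration.
SAMPLE_PUBLIC_CONTEXT = r"""<context name="public">
  <extension name="inbound_did">
    <condition field="destination_number" expression="^(5551000)$">
      <action application="transfer" data="1000 XML default"/>
    </condition>
  </extension>
  <extension name="check_auth" continue="true">
    <condition field="${sip_authorized}" expression="^true$" break="never">
      <anti-action application="respond" data="407"/>
      <anti-action application="set" data="process_cdr=false"/>
    </condition>
  </extension>
  <extension name="after_gate">
    <condition field="destination_number" expression="^(9\d+)$">
      <action application="bridge" data="sofia/gateway/example_gw/$1"/>
    </condition>
  </extension>
</context>"""

def is_auth_gate(ext):
    """True if the extension answers 407 when sip_authorized is not 'true'."""
    for cond in ext.iter("condition"):
        if "sip_authorized" in cond.get("field", ""):
            for anti in cond.findall("anti-action"):
                if (anti.get("application"), anti.get("data")) == ("respond", "407"):
                    return True
    return False

def audit_public_context(xml_text):
    """Split extensions into those evaluated before the auth gate (reachable
    without credentials) and those after it; gate is None if none is found."""
    before, after, gate = [], [], None
    for ext in ET.fromstring(xml_text).findall("extension"):
        apps = [a.get("application") for a in ext.iter("action")]
        if gate is None and is_auth_gate(ext):
            gate = ext.get("name")
        elif gate is None:
            before.append((ext.get("name"), apps))
        else:
            after.append((ext.get("name"), apps))
    return {"gate": gate, "unauthenticated": before, "after_gate": after}

if __name__ == "__main__":
    print(audit_public_context(SAMPLE_PUBLIC_CONTEXT))
```

If "gate" comes back as None, every extension in the context is listed under "unauthenticated".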


