[Freeswitch-users] Combine non-auth and auth calls on same profile security consideration.

Wed Jan 4 20:07:40 MSK 2017

On Tue, Jan 3, 2017 at 3:40 AM, Mimiko <vbvbrj at gmail.com> wrote:

> Hello.
>
> There where separate sip profiles for registered accounts and anonymous
> inbound calls: internal and external. All calls and registrations on
> internal a authenticated and routed to "default" context. For external
> profile inbound calls are not authenticated and are routed to "public"
> context.
>
> In order for some one to call inbound (s)he have to use :5080 port,
> which is somehow inconvenient. So I decided to combine in one profile
> named "example" on port 5060.
>
> <profile name="internal_77.89.245.34">
> <settings>
> <param name="context" value="public"/>
> <param name="auth-calls" value="false"/>
> <param name="auth-all-packets" value="false"/>
> <param name="inbound-reg-force-matching-username" value="true"/>
> <param name="force-register-domain" value="default"/>
> <param name="force-subscription-domain" value="default"/>
> <param name="force-register-db-domain" value="default"/>
> </settings>
> </profile>
> <domain name="$${domain}">
> <variables>
> <variable name="inbound-reg-force-matching-username" value="true"/>
> <variable name="user_context" value="default"/>
> <groups>
> <group name="default">
> <users>
> <X-PRE-PROCESS cmd="include" data="default/*.xml"/>
> </users>
> </group>
> </groups>
> </variables>
> </domain>
>
> Registration was working, calling to those registration was working, but
> some phones hit public context, some default context. I started to dig
> whats happening and found that D-Link phones always do authenticated
> calls when they a registered, while Stephen's phones does
> unauthenticated and go to public.
>
> Then I found a mention that registrations allow only to find the phone
> to call, while calls does not necessary authenticate. So I used
> Anthony's solution in public context on the end:
>
> <extension name="check_auth" continue="true">
> <condition field="${sip_authorized}" expression="^true$" break="never">
> <anti-action application="respond" data="407"/>
> </condition>
> </extension>
>
> Now when a registered phone hits public context and no other conditions
> are met, they are rejected and call authenticated hitting default context.
>
> Then in CDR I see two lines: one with rejected and one with success.
> This is not well, so found a hint and put:
> <anti-action application="set" data="process_cdr=false"/>
>
> And now is working somewhat correct except that calls to public numbers
> which does not require authentication does not get vars for the
> registered extension.
>
> My questions are:
>
> 1) Does this type of combination affect security?
> 2) How to impose all registered phones to make authenticated calls
> always? So they will not go first thru public context and then to default?
>
>
Its a lot to go through for the vanity of not having to type 5080 once in a
config box, but that's just my opinion ;)

You can use the set_user app to make unauthenticated calls get the same
data as authenticated calls would have on a specified exten.

> --
> Mimiko desu.
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>

-- 
Anthony Minessale II       ♬ @anthmfs  ♬ @FreeSWITCH  ♬

☞ http://freeswitch.org/  ☞ http://cluecon.com/  ☞
http://twitter.com/FreeSWITCH
☞ irc.freenode.net #freeswitch ☞ *http://freeswitch.org/g+
<http://freeswitch.org/g+>*

ClueCon Weekly Development Call
☎ sip:888 at conference.freeswitch.org  ☎ +19193869900

https://www.youtube.com/watch?v=9XXgW34t40s
https://www.youtube.com/watch?v=NLaDpGQuZDA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170104/d29c6f33/attachment.html 