[Freeswitch-users] Combine non-auth and auth calls on same profile security consideration.

Thu Jan 5 16:19:47 MSK 2017

Wouldn't it be simpler to make :5060 the unauthenticated port and :5080 the
authenticated?

On Jan 5, 2017 7:58 AM, "Mimiko" <vbvbrj at gmail.com> wrote:

> On 04.01.2017 19:07, Anthony Minessale wrote:
> >     My questions are:
> >
> >     1) Does this type of combination affect security?
> >     2) How to impose all registered phones to make authenticated calls
> >     always? So they will not go first thru public context and then to
> >     default?
> >
> >
> > Its a lot to go through for the vanity of not having to type 5080 once
> > in a config box, but that's just my opinion ;)
> >
> > You can use the set_user app to make unauthenticated calls get the same
> > data as authenticated calls would have on a specified exten.
>
> Anthony thank you for suggestion.
>
> Taking this public dialplan:
>
> <context name="public">
> <extension name="unloop">
> <condition field="${unroll_loops}" expression="^true$"/>
> <condition field="${sip_looped_call}" expression="^true$">
> <action application="deflect" data="${destination_number}"/>
> </condition>
> </extension>
> <extension name="sip_nat_detected" continue="true">
> <condition field="${sip_nat_detected}" expression="^true$">
> <action application="set" inline="true"
> data="sip-force-contact=NDLB-connectile-dysfunction"/>
> </condition>
> <extension name="public_did">
> <condition field="destination_number" expression="^([5-8]\d\d)$">
> <action application="transfer" data="$1 XML default"/>
> </condition>
> </extension>
> </extension>
> <extension name="check_auth" continue="true">
> <condition field="${sip_authorized}" expression="^true$" break="never">
> <anti-action application="set" data="process_cdr=false"/>
> <anti-action application="respond" data="407"/>
> </condition>
> </extension>
> </context>
>
> Where to put the set_user app? If I'll put it before "check_auth"
> extension like:
>
> <action application="set_user" data="${caller_id_number}@${domain}"/>
>
> Then any one calling from internet could set theirs caller_id_number to
> internal's one and act on behalf of some registered user to fraud.
>
> Or may be first extension in public dialplan to put something which will
> check, based on caller_id_number, if there is a registered user and
> impose to make authenticate call, like:
>
> <extension name="check_user_registered">
> <condition field="${sofia_contact(${caller_id_number})}"
> expression="^error/" break="on-false">
> <anti-action application="set" data="process_cdr=false"/>
> <anti-action application="respond" data="407"/>
> </condition>
> </extension>
>
> PS: Yes, its not to big to add :5080, but take callers that want to call
> from mobile via internet using a sip uri. Even myself forgets to add
> port number at the end. :)
>
> --
> Mimiko desu.
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170105/0dd91ef5/attachment.html 