Hi Petr, the first issue is probably a misunderstanding what the prefixes in the FileIPAuth rules mean and I have clarified that in the CVS manual a minute ago:
The prefixes specify the destination numbers an endpoint with that IP may call and are only checked in Setup messages. The prefixes _do_not_ restrict the aliases the endpoint can register with. Your 2nd issue is caused by the fact that GnuGk can only see the IP of the immediate next endpoint/neighbor sending the call. There is no way to check if that call really originates at that endpoint. If you neighbor may call that destination, then anybody who may route calls through your neighbor may also call that destination. Regards, Jan -- Jan Willamowius, Founder of the GNU Gatekeeper Project EMail : [email protected] Website: http://www.gnugk.org Support: http://www.willamowius.com/gnugk-support.html Petr Holub wrote: > 1) ----- > > [Gatekeeper::Auth] > FileIPAuth=required;RRQ > PrefixAuth=required;ARQ,LRQ > > [FileIPAuth] > 147.251.54.0/24=allow;95008238,95008239 > any=reject > > While the the basic allow feature works, the prefixes behind the semicolon get > ignored and I'm able to register using an arbitrary number (instead only the > numbers complying with the specified prefixes). > > 2) ----- > > [Gatekeeper::Auth] > FileIPAuth=required;RRQ > PrefixAuth=required;ARQ,LRQ > > [PrefixAuth] > 9500823=allow ipv4:147.251.15.224/27 > default=deny > > While these rules work for the endpoints registered with the gatekeeper, they > seem to be ignored if the calls get routed through a neighboring gatekeeper. ------------------------------------------------------------------------------ 10 Tips for Better Web Security Learn 10 ways to better secure your business today. Topics covered include: Web security, SSL, hacker attacks & Denial of Service (DoS), private keys, security Microsoft Exchange, secure Instant Messaging, and much more. http://www.accelacomm.com/jaw/sfnl/114/51426210/ _______________________________________________________ Posting: mailto:[email protected] Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users Homepage: http://www.gnugk.org/
