Discussion:
[Asterisk-Users] SIP permit/deny
Douglas Garstang
2005-12-23 16:18:40 UTC
I have the following in sip.conf. It was my understanding that this configuration (i.e. with deny/permit) would only allow connections from hosts 192.168.10.4 and 192.168.10.5. That doesn't seem to be the case. Asterisk is accepting INVITEs from other addresses.

[a00090101]
type=friend
context=Company1
username=a00090101
;secret=180
;insecure=very
host=dynamic
mailbox=***@vmusers
deny=0.0.0.0/0.0.0.0
permit=192.168.10.4/255.255.255.0
permit=192.168.10.5/255.255.255.0
accountcode=a00090101
subscribecontext=status
;qualify=yes
canreinvite=yes

I'm trying to configure Asterisk to accept connections (i.e. invites) from two trusted hosts without asking for a password. If it gets an invite from somewhere else, send back Forbidden. Anyone know how to do this?

Thanks,
Doug.
Aaron Daniel
2005-12-23 16:30:18 UTC
Do the hosts have dynamic ip addresses, or can you set them up as
static? We've got ours set up so that each server has the hostname of
the other ones in the config files as such, and it only accepts
communications that identify as those servers from those hostnames:

[svm1]
type=friend
secret=password
;insecure=very
context=default
host=svm1.shsu.edu
qualify=yes
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --
Asterisk-Users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
Douglas Garstang
2005-12-23 16:41:02 UTC
Aaron.

They're static, and I'm just using IP addresses for now.
I see you have secret= in there. I think Asterisk then asks for a password. I'm trying to avoid that and simply trust connections from the permitted hosts. I wouldn't be surprised if you took your host= out, it will still accept connections from other hosts and ask for a password.

Doug.

Douglas Garstang
2005-12-23 16:58:35 UTC
Good grief. Even this doesn't work...

[a00090101]
type=friend
deny=0.0.0.0/0.0.0.0

Asterisk is allowing extension a00090101 to connect from 192.168.10.123. I must really be missing something here...

Doug


Aaron Daniel
2005-12-23 17:21:27 UTC
What are your default settings configured to in the general configuration?
Kevin P. Fleming
2005-12-23 17:32:27 UTC
Post by Douglas Garstang
[a00090101]
type=friend
context=Company1
username=a00090101
;secret=180
;insecure=very
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.4/255.255.255.0
permit=192.168.10.5/255.255.255.0
These lines are duplicates; you have asked Asterisk to look at only the
first 24 bits of the host's IP address for matching purposes, so any
host on 192.168.10.x will be able to send you SIP signaling.
Douglas Garstang
2005-12-23 17:26:01 UTC
Hi Aaron.

Well, I now understand something I didn't before. When a user is not granted access because their host is denied (and maybe when they fail to authenticate?), Asterisk tries to allow them into the context as defined by context= in the [general] section if allowguest=yes. Something to watch out for.

Doug.

Douglas Garstang
2005-12-23 17:49:28 UTC
Thanks for that. I can't get my head around how to allow access to specific hosts for specific extensions, while still allowing incoming calls from our PSTN gateway. Our PSTN gateway puts the caller-id in the From: field, as I think it should. Asterisk then fails to match it against any of the users in sip.conf, and therefore allows the call in as a guest and drops it into the context defined in [general]. If it allows calls in this manner for the PSTN gateway, I think it will allow calls from anyone in guest mode, which is bad.

Kevin P. Fleming
2005-12-23 18:35:47 UTC
Post by Douglas Garstang
Thanks for that. I can't get my head around how to allow access to specific hosts for specific extensions, while still allowing incoming calls from our PSTN gateway. Our PSTN gateway puts the caller-id in the From: field, as I think it should. Asterisk then fails to match it against any of the users in sip.conf, and therefore allows the call in as a guest and drops it into the context defined in [general]. If it allows calls in this manner for the PSTN gateway, I think it will allow calls from anyone in guest mode, which is bad.
Then define a peer by IP address for your PSTN gateway, so it will
become a 'known' peer instead of being treated as a guest.

Note that this is _not_ the same as using permit/deny; I am referring to
putting 'host=x.x.x.x' in the peer definition.
Mike Fedyk
2006-01-09 04:35:01 UTC
Post by Douglas Garstang
I have the following in sip.conf. It was my understanding that this configuration (i.e. with deny/permit) would only allow connections from hosts 192.168.10.4 and 192.168.10.5. That doesn't seem to be the case. Asterisk is accepting INVITEs from other addresses.
[a00090101]
type=friend
context=Company1
username=a00090101
;secret=180
;insecure=very
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.4/255.255.255.0
permit=192.168.10.5/255.255.255.0
Change your netmask to 255.255.255.255 or if possible use CIDR (/32).
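
Added example (not part of any post in this thread, and not Asterisk code): a small Python check that evaluates the deny/permit lines quoted above against a source address and flags the two issues the thread arrives at, a permit mask wider than the host it names and guest access left enabled. The [general] section in the sample is constructed, and the ACL model (default allow, rules applied in file order, last matching rule decides) and the allowguest default of yes are assumptions about Asterisk's behaviour.

```python
import ipaddress

# Constructed sample: the peer from the thread plus an assumed [general] section.
SAMPLE = """\
[general]
context=default
allowguest=yes
[a00090101]
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.4/255.255.255.0
permit=192.168.10.5/255.255.255.0
"""

def parse(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key.lower(), value))
    return sections

def acl_allows(options, addr):
    """Assumed ACL model: default allow, rules in file order, last match decides."""
    ip, allowed = ipaddress.ip_address(addr), True
    for key, value in options:
        if key in ("permit", "deny") and ip in ipaddress.ip_network(value, strict=False):
            allowed = key == "permit"
    return allowed

def audit(text):
    """Flag permit rules wider than the host they name, and guest access left on."""
    findings = []
    for name, options in parse(text).items():
        if name == "general" and dict(options).get("allowguest", "yes").lower() != "no":
            findings.append("[general] allowguest is not 'no': unmatched callers are treated as guests")
        for key, value in options:
            if key != "permit":
                continue
            net = ipaddress.ip_network(value, strict=False)
            if ipaddress.ip_interface(value).ip != net.network_address:
                findings.append(f"[{name}] permit={value} admits all {net.num_addresses} addresses in {net}")
    return findings

if __name__ == "__main__":
    print(acl_allows(parse(SAMPLE)["a00090101"], "192.168.10.123"))  # address seen in the thread
    print("\n".join(audit(SAMPLE)))
```

With the mask changed to 255.255.255.255 (or /32) the same check rejects 192.168.10.123 and still admits 192.168.10.4 and 192.168.10.5.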