I have the following in sip.conf. It was my understanding that this configuration (ie with deny/permit) would only allow connections from hosts 192.168.10.4 and 192.168.10.5. That doesn't seem to be the case. Asterisk is accepting INVITE's from other addresses.

[a00090101]
type=friend
context=Company1
username=a00090101
;secret=180
;insecure=very
host=dynamic
mailbox=company1@vmusers
deny=0.0.0.0/0.0.0.0
permit=192.168.10.4/255.255.255.0
permit=192.168.10.5/255.255.255.0
accountcode=a00090101
subscribecontext=status
;qualify=yes
canreinvite=yes

I'm trying to configure Asterisk to accept connections (ie invites) from two trusted hosts without asking for a password. If it gets an invite from somewhere else, send back Forbidden. Anyone know how to do this?

Thanks,
Doug.

Do the hosts have dynamic ip addresses, or can you set them up as static? We've got ours set up so that each server has the hostname of the other ones in the config files as such, and it only accepts communications that identify as those servers from those hostnames:

[svm1]
type=friend
secret=password
;insecure=very
context=default
host=svm1.shsu.edu
qualify=yes

Douglas Garstang wrote:
> I have the following in sip.conf. It was my understanding that this configuration (ie with deny/permit) would only allow connections from hosts 192.168.10.4 and 192.168.10.5. That doesn't seem to be the case. Asterisk is accepting INVITE's from other addresses.
>
> [a00090101]
> type=friend
> context=Company1
> username=a00090101
> ;secret=180
> ;insecure=very
> host=dynamic
> mailbox=company1@vmusers
> deny=0.0.0.0/0.0.0.0
> permit=192.168.10.4/255.255.255.0
> permit=192.168.10.5/255.255.255.0
> accountcode=a00090101
> subscribecontext=status
> ;qualify=yes
> canreinvite=yes
>
> I'm trying to configure Asterisk to accept connections (ie invites) from two trusted hosts without asking for a password. If it gets an invite from somewhere else, send back Forbidden. Anyone know how to do this?
>
> Thanks,
> Doug.
> _______________________________________________
> --Bandwidth and Colocation provided by Easynews.com --
>
> Asterisk-Users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

Aaron.

They're static, and I'm just using IP addresses for now. I see you have secret= in there. I think Asterisk then asks for a password. I'm trying to avoid that and simply trust connections from the permitted hosts. I wouldn't be surprised if you took your host= out, it will still accept connections from other hosts and ask for a password.

Doug.

-----Original Message-----
From: Aaron Daniel [mailto:amdtech@shsu.edu]
Sent: Friday, December 23, 2005 9:30 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] SIP permit/deny

Do the hosts have dynamic ip addresses, or can you set them up as static? We've got ours set up so that each server has the hostname of the other ones in the config files as such, and it only accepts communications that identify as those servers from those hostnames:

[svm1]
type=friend
secret=password
;insecure=very
context=default
host=svm1.shsu.edu
qualify=yes

Douglas Garstang wrote:
> I have the following in sip.conf. It was my understanding that this configuration (ie with deny/permit) would only allow connections from hosts 192.168.10.4 and 192.168.10.5. That doesn't seem to be the case. Asterisk is accepting INVITE's from other addresses.
>
> [a00090101]
> type=friend
> context=Company1
> username=a00090101
> ;secret=180
> ;insecure=very
> host=dynamic
> mailbox=company1@vmusers
> deny=0.0.0.0/0.0.0.0
> permit=192.168.10.4/255.255.255.0
> permit=192.168.10.5/255.255.255.0
> accountcode=a00090101
> subscribecontext=status
> ;qualify=yes
> canreinvite=yes
>
> I'm trying to configure Asterisk to accept connections (ie invites) from two trusted hosts without asking for a password. If it gets an invite from somewhere else, send back Forbidden. Anyone know how to do this?
>
> Thanks,
> Doug.

Good grief. Even this doesn't work...

[a00090101]
type=friend
deny=0.0.0.0/0.0.0.0

Asterisk is allowing extension a00090101 to connect from 192.168.10.123. I must really be missing something here...

Doug

-----Original Message-----
From: Douglas Garstang
Sent: Friday, December 23, 2005 9:19 AM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: SIP permit/deny

I have the following in sip.conf. It was my understanding that this configuration (ie with deny/permit) would only allow connections from hosts 192.168.10.4 and 192.168.10.5. That doesn't seem to be the case. Asterisk is accepting INVITE's from other addresses.

[a00090101]
type=friend
context=Company1
username=a00090101
;secret=180
;insecure=very
host=dynamic
mailbox=company1@vmusers
deny=0.0.0.0/0.0.0.0
permit=192.168.10.4/255.255.255.0
permit=192.168.10.5/255.255.255.0
accountcode=a00090101
subscribecontext=status
;qualify=yes
canreinvite=yes

I'm trying to configure Asterisk to accept connections (ie invites) from two trusted hosts without asking for a password. If it gets an invite from somewhere else, send back Forbidden. Anyone know how to do this?

Thanks,
Doug.

Hi Aaron.

Well, I now understand something I didn't before. When a user is not granted access because their host is denied (and maybe when they fail to authenticate?), Asterisk tries to allow them into the context as defined by context= in the [general] section if allowguest=yes. Something to watch out for.

Doug.

-----Original Message-----
From: Aaron Daniel [mailto:amdtech@shsu.edu]
Sent: Friday, December 23, 2005 10:21 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] RE: SIP permit/deny

What are your default settings configured to in the general configuration?

Douglas Garstang wrote:
> Good grief. Even this doesn't work...
>
> [a00090101]
> type=friend
> deny=0.0.0.0/0.0.0.0
>
> Asterisk is allowing extension a00090101 to connect from 192.168.10.123. I must really be missing something here...
>
> Doug
>
> -----Original Message-----
> From: Douglas Garstang
> Sent: Friday, December 23, 2005 9:19 AM
> To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: SIP permit/deny
>
> I have the following in sip.conf. It was my understanding that this configuration (ie with deny/permit) would only allow connections from hosts 192.168.10.4 and 192.168.10.5. That doesn't seem to be the case. Asterisk is accepting INVITE's from other addresses.
>
> [a00090101]
> type=friend
> context=Company1
> username=a00090101
> ;secret=180
> ;insecure=very
> host=dynamic
> mailbox=company1@vmusers
> deny=0.0.0.0/0.0.0.0
> permit=192.168.10.4/255.255.255.0
> permit=192.168.10.5/255.255.255.0
> accountcode=a00090101
> subscribecontext=status
> ;qualify=yes
> canreinvite=yes
>
> I'm trying to configure Asterisk to accept connections (ie invites) from two trusted hosts without asking for a password. If it gets an invite from somewhere else, send back Forbidden. Anyone know how to do this?
>
> Thanks,
> Doug.

Thanks for that. I can't get my head around how to allow access to specific hosts for specific extensions, while still allowing incoming calls from our PSTN gateway. Our PSTN gateway puts the caller-id in the From: field, as I think it should. Asterisk then fails to match it against any of the users in sip.conf, and therefore allows the call in as a guest and drops it into the context defined in [general]. If it allows calls in this manner for the PSTN gateway, I think it will allow calls from anyone in guest mode, which is bad.

-----Original Message-----
From: Kevin P. Fleming [mailto:kpfleming@digium.com]
Sent: Friday, December 23, 2005 10:32 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] RE: SIP permit/deny

Douglas Garstang wrote:
> [a00090101]
> type=friend
> context=Company1
> username=a00090101
> ;secret=180
> ;insecure=very
> host=dynamic
> mailbox=company1@vmusers
> deny=0.0.0.0/0.0.0.0
> permit=192.168.10.4/255.255.255.0
> permit=192.168.10.5/255.255.255.0

These lines are duplicates; you have asked Asterisk to look at only the first 24 bits of the host's IP address for matching purposes, so any host on 192.168.10.x will be able to send you SIP signaling.

Douglas Garstang wrote:
> I have the following in sip.conf. It was my understanding that this configuration (ie with deny/permit) would only allow connections from hosts 192.168.10.4 and 192.168.10.5. That doesn't seem to be the case. Asterisk is accepting INVITE's from other addresses.
>
> [a00090101]
> type=friend
> context=Company1
> username=a00090101
> ;secret=180
> ;insecure=very
> host=dynamic
> mailbox=company1@vmusers
> deny=0.0.0.0/0.0.0.0
> permit=192.168.10.4/255.255.255.0
> permit=192.168.10.5/255.255.255.0

Change your netmask to 255.255.255.255 or if possible use CIDR (/32).
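
Added example (not part of the thread and not Asterisk's own code): a small Python model of the deny/permit check, run over the rules quoted above and over the /32 form suggested in the last reply. It assumes rules are walked in order starting from allow, with the last match deciding; the function names and sample source addresses are constructed for illustration.

```python
import ipaddress

# Constructed input: the deny/permit lines from the thread, then the /32 form.
ORIGINAL = """\
deny=0.0.0.0/0.0.0.0
permit=192.168.10.4/255.255.255.0
permit=192.168.10.5/255.255.255.0
"""
FIXED = """\
deny=0.0.0.0/0.0.0.0
permit=192.168.10.4/255.255.255.255
permit=192.168.10.5/32
"""

def parse_acl(text):
    """Return [(sense, network, host_bits_set)] for each deny=/permit= line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in ("deny", "permit"):
            continue
        # The mask is applied to the address, so .4/24 and .5/24 both become .0/24.
        iface = ipaddress.ip_interface(value.strip())
        host_bits_set = iface.ip != iface.network.network_address
        rules.append((key, iface.network, host_bits_set))
    return rules

def allowed(rules, src):
    """Assumed model: start at allow, walk rules in order, last match decides."""
    addr = ipaddress.ip_address(src)
    verdict = True
    for sense, net, _ in rules:
        if addr in net:
            verdict = sense == "permit"
    return verdict

def suspicious_permits(rules):
    """Permit rules whose address has bits outside the mask (likely meant /32)."""
    return [str(net) for sense, net, bits in rules if sense == "permit" and bits]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        rules = parse_acl(text)
        for src in ("192.168.10.4", "192.168.10.123", "10.0.0.1"):
            print(name, src, "allow" if allowed(rules, src) else "deny")
        print(name, "widened permits:", suspicious_permits(rules))
```

The model covers only the per-peer address check; the guest fallback through allowguest and the [general] context described earlier in the thread is a separate path and is not modelled here.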