On 08/06/2010 02:16 PM, Frank Church wrote:
> On 6 August 2010 16:21, Bruce Ferrell <bferr...@baywinds.org> wrote:
>
>> On 08/06/2010 07:45 AM, Frank Church wrote:
>>
>>> I have been seeing some attempts to register devices on my Asterisk
>>> and I want to reconfigure it so that devices will be registered only
>>> if they are from the correct address, ie 192.168.1.8/255.255.255.255.
>>>
>>> I thought using a config like
>>>
>>> deny=0.0.0.0/0.0.0.0
>>> permit=192.168.1.8/255.255.255.255
>>>
>>> but it is not working the way I thought?
>>>
>>> Does that need a host=static.ip entry to work, rather than the
>>> deny/permit option?
>>>
>>> Does using a host=dynamic setting override any deny/permit and
>>> port=5060 options?
>>>
>>> Does being a peer or a user make a difference here?
>>>
>> I had this same problem once. host=<ip address> or host=dynamic if you
>> want to use permit/deny. Permit/deny and host=dynamic allows a sip peer
>> or user to have a range of addresses.
>>
> Does permit/deny have any influence on registration, or is it related
> to the destinations it can call to or receive call from?
>
> How do you stop an asterisk server from accepting registrations when
> the IP is outside a subnet even if the username and secret are
> correct?
>
> When host=dynamic registrations are accepted even if the permit IP is
> different from the registered device's IP address. Does permit/deny
> work on a single IP address eg 192.168.4.111/255.255.255.2555
>
> The same seems to apply in the [general] section, with contactdeny and
> contactpermit
>
> When I set
>
> contactdeny=0.0.0.0/0.0.0.0
> contactpermit=192.168.4.111/255.255.255.255
>
> Devices whose IP is not 192.168.4.111 are able to register.
>
When I've used permit/deny, I did it in conjunction with insecure set to
port,invite to allow gateways that didn't register and don't use
username/secret to originate calls but only from the ip range in permit.
In fact it was for a provider that had gateways on a large number of IP
addresses, all in the same CIDR block and I didn't want to do an entry
for each of more than 100 gateways.

contactpermit/contactdeny *should* work as you are suggesting that you
want. I've never tried that. I may attempt it tonight and see on my 1.4
system.
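
An added example (not part of the original thread, and not Asterisk code): a small Python model of how a deny/permit list is evaluated, for checking what the lists quoted above should decide for a given source address. It assumes Asterisk's ACL semantics of default allow with the last matching rule winning, does not model whether the list is applied to REGISTER requests, and uses constructed source addresses; the function names are hypothetical.

```python
import ipaddress

# The deny/permit pair quoted in the thread, in the order it was written.
THREAD_ACL = [
    "deny=0.0.0.0/0.0.0.0",
    "permit=192.168.1.8/255.255.255.255",
]

def parse_acl(lines):
    """Parse deny=/permit= lines (ADDR/MASK), preserving their order."""
    rules = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk configs
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("permit", "deny"):
            raise ValueError(f"not an ACL line: {raw!r}")
        # A malformed address or mask raises ValueError here instead of
        # silently producing a rule that matches nothing.
        rules.append((key, ipaddress.ip_network(value.strip(), strict=False)))
    return rules

def acl_allows(rules, source_ip):
    """Assumed semantics: start at allow, test every rule, last match wins."""
    addr = ipaddress.ip_address(source_ip)
    verdict = "permit"
    for sense, net in rules:
        if addr in net:
            verdict = sense
    return verdict == "permit"

def evaluate(lines, sources):
    """Return {source_ip: True/False} for a list of ACL lines."""
    rules = parse_acl(lines)
    return {ip: acl_allows(rules, ip) for ip in sources}

if __name__ == "__main__":
    # Constructed source addresses: the intended phone, a LAN neighbour, an outsider.
    sources = ["192.168.1.8", "192.168.1.9", "203.0.113.50"]
    print("as written:", evaluate(THREAD_ACL, sources))
    print("reversed  :", evaluate(list(reversed(THREAD_ACL)), sources))
```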