On 20/02/14 15:07, Markus wrote:
On 20.02.2014 19:48, Alex Villacís Lasso wrote:
My concern is that asterisk is left listening for SIP through all
interfaces and with no SIP passwords. I want to secure the setup against
directed traffic to the asterisk UDP port (5080) that bypasses the
kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will
only listen for SIP traffic on localhost, but this has the side effect
of also removing audio - the call appears to be successful on the
softphone and on the asterisk logs, but no audio is actually heard. My
theory is that the RTP traffic is being sent to kamailio instead of the
softphone.

Theories are nice, but you should check whether they are true using, e.g., 
tcpdump :)

I would check with, for example:

tcpdump -nnnqt -s 0 -A -i eth0 port 5060

or instead of "port 5060" (or 5080) try "udp" to see what is going on with RTP. Change from eth0 to lo to see if there is really RTP going to nowhere. When looking at port 5060/5080, check the SDP header to see what kamailio/Asterisk/your softphone announce in terms of RTP.

I thought kamailio is a SIP server/proxy only and is not involved in RTP at all.


From a wireshark capture, what the softphone sees when contacting kamailio (in 
the bindaddr=127.0.0.1 configuration) is that the media negotiation in the OK 
packet contains a random UDP port (as expected) but indicates that the IP for 
RTP is 127.0.0.1.

I have also tried deny=0.0.0.0/0.0.0.0 permit=127.0.0.1/255.0.0.0, but the 
softphone then gets denied through kamailio too. It seems deny/permit 
restricts the IP of the original contact, not the IP the SIP traffic was 
received through.

In any case, if you want to only allow certain connections from somewhere 
to somewhere (including from/to certain ports), iptables is your friend if you 
are using Linux.


I know iptables would solve my issue, and I will certainly use it, but I do not want to rely on iptables as the *only* thing that prevents the sip proxy bypass. I want an asterisk configuration that will only accept SIP signaling traffic coming from a specific IP (in my case, 127.0.0.1), but will then negotiate RTP across any interface that will contact the softphone. I want this to work with the IP of the original contact.

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
              http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
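The check Markus suggests above (look at what the SDP actually announces for RTP) can be done offline on a message cut out of a tcpdump -A or wireshark capture. The parser below is an added example for this page, not code from the thread, from Asterisk or from Kamailio. The two 200 OK messages inside it are constructed samples, not real captures: the first mirrors the symptom Alex describes (c=IN IP4 127.0.0.1 when Asterisk is bound to loopback), the second advertises a LAN address instead. All addresses, ports and tags in them are made up.

```python
"""Extract and sanity-check the RTP endpoint advertised in a SIP message's SDP.

Added example for this page; not code from the thread, Asterisk or Kamailio.
The SIP messages at the bottom are constructed samples, not captures.
"""
import ipaddress


def parse_sip(raw: str):
    """Split a SIP message into (start_line, headers, body).

    Header names are lower-cased; the body is whatever follows the first
    blank line (the SDP, for an INVITE or 200 OK carrying an offer/answer).
    """
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media_endpoints(sdp: str):
    """Return [(media_type, ip, port)] for every m= line in an SDP body.

    A session-level c= line (before the first m=) applies to each media
    section that does not carry its own c= line (RFC 4566, section 5.7).
    """
    session_ip = None
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("c="):
            # c=<nettype> <addrtype> <connection-address>, e.g. c=IN IP4 127.0.0.1
            fields = line[2:].split()
            ip = fields[2] if len(fields) >= 3 else None
            if sections:
                sections[-1]["ip"] = ip      # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            # m=<media> <port> <proto> <fmt ...>, e.g. m=audio 14632 RTP/AVP 0 8
            fields = line[2:].split()
            sections.append({"type": fields[0], "port": int(fields[1]), "ip": None})
    return [(s["type"], s["ip"] or session_ip, s["port"]) for s in sections]


def media_reachability_problems(raw_sip: str):
    """List reasons a remote softphone could not send RTP to the advertised address.

    Returns an empty list when the SDP looks sane, so any non-empty result
    is a candidate explanation for "call connects, no audio".
    """
    _, headers, body = parse_sip(raw_sip)
    if "application/sdp" not in headers.get("content-type", "").lower():
        return []  # no SDP in this message; nothing to check
    problems = []
    for media_type, ip, port in sdp_media_endpoints(body):
        if port == 0:
            continue  # port 0 means the stream was rejected, not misrouted
        if ip is None:
            problems.append(f"{media_type} port {port}: no c= line at all")
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            problems.append(f"{media_type} port {port}: {ip} is loopback, "
                            "only reachable from the same host")
        elif addr.is_unspecified:
            problems.append(f"{media_type} port {port}: {ip} is unspecified")
    return problems


def build_sip_message(start_line, headers, body=""):
    """Assemble a SIP message with CRLF line endings and a correct Content-Length."""
    lines = [start_line] + [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def sample_sdp(media_ip: str) -> str:
    """Constructed Asterisk-style answer; only the advertised address varies."""
    return "\r\n".join([
        "v=0",
        f"o=root 1 1 IN IP4 {media_ip}",
        "s=Asterisk",
        f"c=IN IP4 {media_ip}",
        "t=0 0",
        "m=audio 14632 RTP/AVP 0 8 101",
        "a=rtpmap:0 PCMU/8000",
    ]) + "\r\n"


# Constructed headers; addresses and tags are made up.
COMMON_HEADERS = [
    ("Via", "SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-constructed"),
    ("From", "<sip:100@192.168.1.10>;tag=a1"),
    ("To", "<sip:200@192.168.1.20>;tag=b2"),
    ("Call-ID", "constructed-call-1"),
    ("CSeq", "1 INVITE"),
    ("Content-Type", "application/sdp"),
]

# What the softphone sees when Asterisk is bound to 127.0.0.1: RTP pointed at loopback.
OK_LOOPBACK = build_sip_message("SIP/2.0 200 OK", COMMON_HEADERS, sample_sdp("127.0.0.1"))

# The same answer advertising the Asterisk host's LAN address instead.
OK_LAN = build_sip_message("SIP/2.0 200 OK", COMMON_HEADERS, sample_sdp("192.168.1.20"))


if __name__ == "__main__":
    for label, msg in (("bindaddr=127.0.0.1", OK_LOOPBACK), ("lan address", OK_LAN)):
        print(label, sdp_media_endpoints(parse_sip(msg)[2]),
              media_reachability_problems(msg) or "ok")
```

Paste the text of one 200 OK (or INVITE) from the capture into media_reachability_problems() and an empty result means the softphone was at least told a routable address; a loopback hit is the exact condition Alex saw in wireshark. The check only looks at what the SDP claims, not at whether packets arrive, so it complements rather than replaces the tcpdump on lo that Markus describes.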
