I do not want to set allowguest=yes. The problem is, there is no official list of IP addresses of Telekom Germany. But I think all IP addresses come from the IP range 217.0.0.0/13.

I now have the following addition to sip.conf. I think it is the only safe option. Or what would you say?

[telekom](!)
context=from-trunk
type=peer
defaultuser=
authuser=
remotesecret=
fromdomain=tel.t-online.de
qualify=no
dtmfmode=rfc2833
directmedia=no
sendrpid=pai
trustrpid=no
insecure=port,invite
disallow=all
allow=g722
allow=alaw
allow=gsm
deny=0.0.0.0/0
permit=217.0.0.0/13

[DTAG-IP_IN18_016](telekom)
host=217.0.18.16

[DTAG-IP_IN18_036](telekom)
host=217.0.18.36

etc.

> On 02.04.2015 at 23:21, Scott Griepentrog <sgriepent...@digium.com> wrote:
>
> That sounds like asterisk was working 100% correctly. If you receive an
> INVITE from an unknown IP address, then it should fail. Unless you want to
> allow anonymous, which is generally a very bad idea.
>
> If you are registering to IP X, but the provider may be transmitting invites
> from any number of other IP addresses, then you need a list of IP addresses,
> and have a trunk configuration set up for each one so that they are all
> recognized (with insecure=port,invite).
>
> If the provider is requiring you to accept invites from random IP addresses,
> get a new provider.
>
>
> On Thu, Apr 2, 2015 at 3:23 PM, Daniel Heckl <daniel.he...@gmail.com> wrote:
> Okay, Scott, I think we are on the wrong path. Maybe I'm wrong though.
>
> I will briefly summarize the problems again:
> The peer IP address could be different from the IP address of incoming INVITEs.
> After a re-register the REGISTER is sent to the new SIP server and answered
> with OK. But the peer IP address is still the old one (sip show peers).
> If there is now an INVITE, the request is answered with 401 Unauthorized.
>
> That's why I would say the problem is not the port or a needed
> authentication. My Asterisk works behind a NAT without port forwarding and
> nat=no; I have qualify=yes so that it does not come to a NAT timeout.
>
> Here is an example. The peer IP address was at this time 217.0.23.100, the
> INVITE came from 217.0.23.68 and was rejected with 401 Unauthorized:
>
> INVITE sip:06123456789@80.000.111.222:45061 SIP/2.0
> Max-Forwards: 58
> Via: SIP/2.0/UDP 217.0.23.68:5060;branch=z9hG4bKg3Zqkv7ib7h2smv8whryjnos88srot1i7
> To: <sip:6123456...@telekom.de>
> From: <sip:+49123456...@tel.t-online.de;user=phone>;tag=h7g4Esbg_44c62525
> Call-ID: af71bbfbf269b895@62.155.0.75
> CSeq: 3950540 INVITE
> Contact: <sip:sgc_c@217.0.23.68;transport=udp>
> Record-Route: <sip:217.0.23.68;transport=udp;lr>
> Min-Se: 900
> P-Asserted-Identity: <sip:+49123456...@tel.t-online.de;user=phone>
> Session-Expires: 3600
> Supported: histinfo
> Supported: timer
> Supported: norefersub
> Content-Type: application/sdp
> Content-Disposition: session
> Content-Length: 204
> Allow: ACK, BYE, CANCEL, INFO, INVITE, OPTIONS, PRACK, REFER, REGISTER, UPDATE
>
> v=0
> o=- 0 0 IN IP4 217.0.23.68
> s=-
> c=IN IP4 217.0.4.134
> t=0 0
> m=audio 36480 RTP/AVP 9 8 102
> a=rtpmap:9 G722/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:102 telephone-event/8000
> a=maxptime:20
> a=ptime:20
>
>> On 02.04.2015 at 22:00, Scott Griepentrog <sgriepent...@digium.com> wrote:
>>
>> Actually, the IP address is still used to identify the incoming invite.
>> With the insecure=port option set, Asterisk will presume the invite to still
>> match the trunk account even if the NAT router has mangled (changed) the
>> port number. My suspicion is that when the new register goes out, it's
>> creating a new state in the firewall, resulting in a new port number, which
>> is why you would have to allow anonymous calls to then accept it without
>> insecure=port. The other possibility is that you have a port forward in the
>> router set, which is similarly mangling the port number. With a valid
>> registration being held, and assuming the router does not drop UDP states
>> faster than 30 minutes, and also assuming that the provider is sending you
>> invites on the registered port rather than always on 5060, there should not
>> be a need for an inbound port forward to Asterisk, and you should not need
>> insecure=port.
>>
>> The invite option disables authentication - which means only that Asterisk
>> will not force a check of the password on the other end. Where the IP
>> address is well known and trusted, the extra overhead and delay of
>> authenticating incoming INVITEs is not needed.
>>
>>
>> On Thu, Apr 2, 2015 at 2:28 PM, Daniel Heckl <daniel.he...@gmail.com> wrote:
>> Scott, I have changed the configuration as you said and will test it. I'm
>> curious.
>>
>> Can you briefly explain what insecure=invite,port does?
>>
>> ;insecure=port          ; Allow matching of peer by IP address without
>>                         ; matching port number
>> ;insecure=invite        ; Do not require authentication of incoming INVITEs
>> ;insecure=port,invite   ; (both)
>>
>> Do I understand correctly that in this mode the IP address is not checked
>> and no authentication is required?
>>
>>> On 02.04.2015 at 20:11, Scott Griepentrog <sgriepent...@digium.com> wrote:
>>>
>>> I'd be curious if setting
>>>
>>> insecure=invite,port
>>>
>>> makes any difference either (without allowguest on).
>>>
>>>
>>> On Thu, Apr 2, 2015 at 9:03 AM, Daniel Heckl <daniel.he...@gmail.com> wrote:
>>> Ok, I have tested dnsmgr. This is not a solution, the situation has not
>>> changed. With dnsmgr I can not place outbound calls. I do not know why and
>>> what dnsmgr really does.
>>>
>>> My current solution is as follows:
>>>
>>> Set allowguest=yes, configure the default context so that no outbound calls
>>> can be placed. Use iptables to DROP all at your SIP port and allow
>>> only your local phones and the SIP trunk IP range. I think srvlookup must
>>> be set to yes to place outbound calls if there is an IP address change.
>>>
>>> I think with the restriction of the firewall that should be a secure
>>> solution.
>>>
>>> > On 01.04.2015 at 19:23, Sebastian Kemper <sebastian...@gmx.net> wrote:
>>> >
>>> > On Wed, Apr 01, 2015 at 11:00:56AM -0400, Andres wrote:
>>> >> On 4/1/15 10:48 AM, Daniel Heckl wrote:
>>> >>> John,
>>> >>>
>>> >>> thank you for your answer. I think you have misunderstood the
>>> >>> problem. It's about an IP address change of the SIP trunk, not of my
>>> >>> Asterisk server.
>>> >> You would probably benefit by enabling the DNS Manager to allow for
>>> >> dynamic IP changes:
>>> >>
>>> >> # cat dnsmgr.conf
>>> >> [general]
>>> >> enable=yes            ; enable creation of managed DNS lookups
>>> >>                       ; default is 'no'
>>> >> refreshinterval=180   ; refresh managed DNS lookups every <n> seconds
>>> >>                       ; default is 300 (5 minutes)
>>> >
>>> > Hello Andres,
>>> >
>>> > I read that same suggestion elsewhere in connection with Deutsche
>>> > Telekom, so it seems there's some benefit in it.
>>> >
>>> > Daniel, did you try it out already?
>>> >
>>> > Kind regards,
>>> > Sebastian
>>>
>>>
>>> --
>>>
>>> Scott Griepentrog
>>> Digium, Inc · Software Developer
>>> 445 Jan Davis Drive NW · Huntsville, AL 35806 · US
>>> direct/fax: +1 256 428 6239 · mobile: +1 256 580 6090
>>> Check us out at: http://digium.com · http://asterisk.org
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
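As an added illustration (not code from the thread or from the Asterisk project), the following Python models how a chan_sip peer built from the sip.conf template above is matched against the source of an inbound INVITE: the deny/permit ACL is evaluated in Asterisk order (top to bottom, last matching rule wins, default permit) and a peer matches by its host= address, ignoring the port when insecure contains port, as Scott describes. The sample peer for 217.0.23.100, and leaving out multi-template inheritance and dotted-decimal masks, are assumptions of this example; it shows why an INVITE from 217.0.23.68 is still rejected even though the address is inside the permitted range.

```python
import ipaddress
import re

# Constructed sample: the posted template plus the peer that was registered
# (217.0.23.100) when the INVITE from 217.0.23.68 was rejected with 401.
SIP_CONF = """[telekom](!)
type=peer
insecure=port,invite
deny=0.0.0.0/0
permit=217.0.0.0/13
[DTAG-IP_IN23_100](telekom)
host=217.0.23.100
"""
SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")

def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}; a child [x](tpl) starts with tpl's options."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, parent = m.groups()        # parent is "!" for a template itself
            sections[name] = current = [] if parent in (None, "!") else list(sections[parent])
            continue
        key, _, value = line.partition("=")
        current.append((key.strip(), value.strip()))
    return sections

def acl_allows(options, addr):
    """Asterisk ACL order: rules top to bottom, the last matching rule decides, default permit."""
    ip, allowed = ipaddress.ip_address(addr), True
    for key, value in options:
        if key in ("deny", "permit") and ip in ipaddress.ip_network(value, strict=False):
            allowed = key == "permit"
    return allowed

def match_inbound(sections, src_ip, src_port):
    """Return (peer, acl_ok) for an INVITE from src_ip:src_port; (None, False) if no peer matches."""
    for name, options in sections.items():
        opts = dict(options)
        if opts.get("type") != "peer" or "host" not in opts:
            continue
        host, _, port = opts["host"].partition(":")
        ignore_port = "port" in opts.get("insecure", "").split(",")  # insecure=port
        if host == src_ip and (ignore_port or int(port or 5060) == src_port):
            return name, acl_allows(options, src_ip)  # ACL is the peer's: checked after a peer matched
    return None, False  # inside the permitted range but no host= entry: still rejected
```

The deny/permit pair therefore only narrows which addresses an already-matched peer accepts; it does not make Asterisk accept a new source address, which is why the thread ends up with one host= peer per provider address.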