Re: [asterisk-users] How does deny/permit work in sip.conf?
On 7/08/10 3:47 PM, Frank Church wrote: > On 7 August 2010 03:54, Bruce Ferrell wrote: >> On 08/06/2010 07:30 PM, Bruce Ferrell wrote: >>> On 08/06/2010 02:16 PM, Frank Church wrote: >>> On 6 August 2010 16:21, Bruce Ferrell wrote: > On 08/06/2010 07:45 AM, Frank Church wrote: > > >> I have been seeing some attempts to register devices on my Asterisk >> and I want to reconfigure it so that devices will be registered only >> if they are from the correct address, ie 192.168.1.8/255.255.255.255. >> >> I thought using a config like >> >> deny=0.0.0.0/0.0.0.0 >> permit=192.168.1.8/255.255.255.255 >> >> but it is not working the way I thought? >> >> Does that need a host=static.ip entry to work, rather than the >> deny/permit option? >> >> Does using a host=dynamic setting override any deny/permit and >> port=5060 options? >> >> Does being a peer or a user make a difference here? >> >> >> >> > I had this same problem once. host=or host=dynamic if you > want to use permit/deny. Permit/deny and host=dynamic allows a sip peer > or user to have a range of addresses. > > -- > > Does permit/deny have any influence on registration, or is it related to the destinations it can call to or receive call from? How do you stop an asterisk server from accepting registrations when the IP is outside a subnet even if the username and secret are correct? When host=dynamic registrations are accepted even if the pemit IP is different from the registered device's IP address. Does permit/deny work on a single IP address eg 192.168.4.111/255.255.255.2555 The same seems to apply in the [general] section, with contactdeny and contacnt permit When I set contactdeny=0.0.0.0/0.0.0.0 contactpermit=192.168.4.111/255.255.255.255 Devices whose IP is not 192.168.4.111 are able to register. >>> When I've used permit/deny, I did it in conjunction with insecure set to >>> port,invite to allow gateways that didn't register and don't use >>> username/secret to originate calls but only from the ip range in >>> permit. In fact it was for a provider that had gateways on a large >>> number of IP addresses, all in the same CIDR block and I didn't want to >>> do an entry for each of more than 100 gateways. >>> >>> contactpermit/contactdeny *should* work as you are suggesting that you >>> want I've never tried that. I may attempt it tonight and see on my 1.4 >>> system. >>> >>> >> >> To follow up on my own reply. I just tried this with one of my standard >> peers that I use for a softphone on a 1.6.2.10 and see the registration >> attempt come in at the console and a warning comes up >> >> : Host '192.0.2.40' disallowed by contact ACL (violating IP 192.0.2.40) >> : Registration denied because of contact ACL >> >> The peer does show in sip show peers and the softphone (twinkle) shows a >> Registration Fails with a 603 denied. >> >> So I'd say it's working >> >> -- > > I am using 1.4.27 and it doesn't seem to work. > > I should probably try the 1.6 series Are you using deny before permit? -- Cheers, Matt Riddell ___ http://www.venturevoip.com/news.php (Daily Asterisk News) http://www.venturevoip.com/exchange.php (Full ITSP Solution) http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer) -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] How does deny/permit work in sip.conf?
On 7 August 2010 03:54, Bruce Ferrell wrote: > On 08/06/2010 07:30 PM, Bruce Ferrell wrote: >> On 08/06/2010 02:16 PM, Frank Church wrote: >> >>> On 6 August 2010 16:21, Bruce Ferrell wrote: >>> >>> On 08/06/2010 07:45 AM, Frank Church wrote: > I have been seeing some attempts to register devices on my Asterisk > and I want to reconfigure it so that devices will be registered only > if they are from the correct address, ie 192.168.1.8/255.255.255.255. > > I thought using a config like > > deny=0.0.0.0/0.0.0.0 > permit=192.168.1.8/255.255.255.255 > > but it is not working the way I thought? > > Does that need a host=static.ip entry to work, rather than the > deny/permit option? > > Does using a host=dynamic setting override any deny/permit and > port=5060 options? > > Does being a peer or a user make a difference here? > > > > I had this same problem once. host= or host=dynamic if you want to use permit/deny. Permit/deny and host=dynamic allows a sip peer or user to have a range of addresses. -- >>> Does permit/deny have any influence on registration, or is it related >>> to the destinations it can call to or receive call from? >>> >>> How do you stop an asterisk server from accepting registrations when >>> the IP is outside a subnet even if the username and secret are >>> correct? >>> >>> When host=dynamic registrations are accepted even if the pemit IP is >>> different from the registered device's IP address. Does permit/deny >>> work on a single IP address eg 192.168.4.111/255.255.255.2555 >>> >>> >>> The same seems to apply in the [general] section, with contactdeny and >>> contacnt permit >>> >>> When I set >>> >>> contactdeny=0.0.0.0/0.0.0.0 >>> contactpermit=192.168.4.111/255.255.255.255 >>> >>> Devices whose IP is not 192.168.4.111 are able to register. >>> >>> >>> >> When I've used permit/deny, I did it in conjunction with insecure set to >> port,invite to allow gateways that didn't register and don't use >> username/secret to originate calls but only from the ip range in >> permit. In fact it was for a provider that had gateways on a large >> number of IP addresses, all in the same CIDR block and I didn't want to >> do an entry for each of more than 100 gateways. >> >> contactpermit/contactdeny *should* work as you are suggesting that you >> want I've never tried that. I may attempt it tonight and see on my 1.4 >> system. >> >> > > To follow up on my own reply. I just tried this with one of my standard > peers that I use for a softphone on a 1.6.2.10 and see the registration > attempt come in at the console and a warning comes up > > : Host '192.0.2.40' disallowed by contact ACL (violating IP 192.0.2.40) > : Registration denied because of contact ACL > > The peer does show in sip show peers and the softphone (twinkle) shows a > Registration Fails with a 603 denied. > > So I'd say it's working > > -- I am using 1.4.27 and it doesn't seem to work. I should probably try the 1.6 series > _ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users > -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] How does deny/permit work in sip.conf?
On 08/06/2010 07:30 PM, Bruce Ferrell wrote: > On 08/06/2010 02:16 PM, Frank Church wrote: > >> On 6 August 2010 16:21, Bruce Ferrell wrote: >> >> >>> On 08/06/2010 07:45 AM, Frank Church wrote: >>> >>> I have been seeing some attempts to register devices on my Asterisk and I want to reconfigure it so that devices will be registered only if they are from the correct address, ie 192.168.1.8/255.255.255.255. I thought using a config like deny=0.0.0.0/0.0.0.0 permit=192.168.1.8/255.255.255.255 but it is not working the way I thought? Does that need a host=static.ip entry to work, rather than the deny/permit option? Does using a host=dynamic setting override any deny/permit and port=5060 options? Does being a peer or a user make a difference here? >>> I had this same problem once. host= or host=dynamic if you >>> want to use permit/deny. Permit/deny and host=dynamic allows a sip peer >>> or user to have a range of addresses. >>> >>> -- >>> >>> >> Does permit/deny have any influence on registration, or is it related >> to the destinations it can call to or receive call from? >> >> How do you stop an asterisk server from accepting registrations when >> the IP is outside a subnet even if the username and secret are >> correct? >> >> When host=dynamic registrations are accepted even if the pemit IP is >> different from the registered device's IP address. Does permit/deny >> work on a single IP address eg 192.168.4.111/255.255.255.2555 >> >> >> The same seems to apply in the [general] section, with contactdeny and >> contacnt permit >> >> When I set >> >> contactdeny=0.0.0.0/0.0.0.0 >> contactpermit=192.168.4.111/255.255.255.255 >> >> Devices whose IP is not 192.168.4.111 are able to register. >> >> >> > When I've used permit/deny, I did it in conjunction with insecure set to > port,invite to allow gateways that didn't register and don't use > username/secret to originate calls but only from the ip range in > permit. In fact it was for a provider that had gateways on a large > number of IP addresses, all in the same CIDR block and I didn't want to > do an entry for each of more than 100 gateways. > > contactpermit/contactdeny *should* work as you are suggesting that you > want I've never tried that. I may attempt it tonight and see on my 1.4 > system. > > To follow up on my own reply. I just tried this with one of my standard peers that I use for a softphone on a 1.6.2.10 and see the registration attempt come in at the console and a warning comes up : Host '192.0.2.40' disallowed by contact ACL (violating IP 192.0.2.40) : Registration denied because of contact ACL The peer does show in sip show peers and the softphone (twinkle) shows a Registration Fails with a 603 denied. So I'd say it's working -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] How does deny/permit work in sip.conf?
On 08/06/2010 02:16 PM, Frank Church wrote: > On 6 August 2010 16:21, Bruce Ferrell wrote: > >> On 08/06/2010 07:45 AM, Frank Church wrote: >> >>> I have been seeing some attempts to register devices on my Asterisk >>> and I want to reconfigure it so that devices will be registered only >>> if they are from the correct address, ie 192.168.1.8/255.255.255.255. >>> >>> I thought using a config like >>> >>> deny=0.0.0.0/0.0.0.0 >>> permit=192.168.1.8/255.255.255.255 >>> >>> but it is not working the way I thought? >>> >>> Does that need a host=static.ip entry to work, rather than the >>> deny/permit option? >>> >>> Does using a host=dynamic setting override any deny/permit and >>> port=5060 options? >>> >>> Does being a peer or a user make a difference here? >>> >>> >>> >> I had this same problem once. host= or host=dynamic if you >> want to use permit/deny. Permit/deny and host=dynamic allows a sip peer >> or user to have a range of addresses. >> >> -- >> > Does permit/deny have any influence on registration, or is it related > to the destinations it can call to or receive call from? > > How do you stop an asterisk server from accepting registrations when > the IP is outside a subnet even if the username and secret are > correct? > > When host=dynamic registrations are accepted even if the pemit IP is > different from the registered device's IP address. Does permit/deny > work on a single IP address eg 192.168.4.111/255.255.255.2555 > > > The same seems to apply in the [general] section, with contactdeny and > contacnt permit > > When I set > > contactdeny=0.0.0.0/0.0.0.0 > contactpermit=192.168.4.111/255.255.255.255 > > Devices whose IP is not 192.168.4.111 are able to register. > > When I've used permit/deny, I did it in conjunction with insecure set to port,invite to allow gateways that didn't register and don't use username/secret to originate calls but only from the ip range in permit. In fact it was for a provider that had gateways on a large number of IP addresses, all in the same CIDR block and I didn't want to do an entry for each of more than 100 gateways. contactpermit/contactdeny *should* work as you are suggesting that you want I've never tried that. I may attempt it tonight and see on my 1.4 system. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] How does deny/permit work in sip.conf?
This works. I have tested with the following settings: In regards to the specifics of your question: In sip.conf: dynamic_exclude_static=yes In users.conf, for each user (changing the permit statement to the ip of each user): hassip=yes host=dynamic registersip=yes deny=0.0.0.0/0.0.0.0 permit=192.168.1.8/255.255.255.255 (using your ip setting) Hope that helps -Original Message- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Frank Church Sent: Friday, August 06, 2010 11:46 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [asterisk-users] How does deny/permit work in sip.conf? I have been seeing some attempts to register devices on my Asterisk and I want to reconfigure it so that devices will be registered only if they are from the correct address, ie 192.168.1.8/255.255.255.255. I thought using a config like deny=0.0.0.0/0.0.0.0 permit=192.168.1.8/255.255.255.255 but it is not working the way I thought? Does that need a host=static.ip entry to work, rather than the deny/permit option? Does using a host=dynamic setting override any deny/permit and port=5060 options? Does being a peer or a user make a difference here? -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] How does deny/permit work in sip.conf?
On 6 August 2010 16:21, Bruce Ferrell wrote: > On 08/06/2010 07:45 AM, Frank Church wrote: >> I have been seeing some attempts to register devices on my Asterisk >> and I want to reconfigure it so that devices will be registered only >> if they are from the correct address, ie 192.168.1.8/255.255.255.255. >> >> I thought using a config like >> >> deny=0.0.0.0/0.0.0.0 >> permit=192.168.1.8/255.255.255.255 >> >> but it is not working the way I thought? >> >> Does that need a host=static.ip entry to work, rather than the >> deny/permit option? >> >> Does using a host=dynamic setting override any deny/permit and >> port=5060 options? >> >> Does being a peer or a user make a difference here? >> >> > I had this same problem once. host= or host=dynamic if you > want to use permit/deny. Permit/deny and host=dynamic allows a sip peer > or user to have a range of addresses. > > -- Does permit/deny have any influence on registration, or is it related to the destinations it can call to or receive call from? How do you stop an asterisk server from accepting registrations when the IP is outside a subnet even if the username and secret are correct? When host=dynamic registrations are accepted even if the pemit IP is different from the registered device's IP address. Does permit/deny work on a single IP address eg 192.168.4.111/255.255.255.2555 The same seems to apply in the [general] section, with contactdeny and contacnt permit When I set contactdeny=0.0.0.0/0.0.0.0 contactpermit=192.168.4.111/255.255.255.255 Devices whose IP is not 192.168.4.111 are able to register. > _ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users > -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] How does deny/permit work in sip.conf?
On 08/06/2010 07:45 AM, Frank Church wrote: > I have been seeing some attempts to register devices on my Asterisk > and I want to reconfigure it so that devices will be registered only > if they are from the correct address, ie 192.168.1.8/255.255.255.255. > > I thought using a config like > > deny=0.0.0.0/0.0.0.0 > permit=192.168.1.8/255.255.255.255 > > but it is not working the way I thought? > > Does that need a host=static.ip entry to work, rather than the > deny/permit option? > > Does using a host=dynamic setting override any deny/permit and > port=5060 options? > > Does being a peer or a user make a difference here? > > I had this same problem once. host= or host=dynamic if you want to use permit/deny. Permit/deny and host=dynamic allows a sip peer or user to have a range of addresses. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] How does deny/permit work in sip.conf?
I have been seeing some attempts to register devices on my Asterisk and I want to reconfigure it so that devices will be registered only if they are from the correct address, ie 192.168.1.8/255.255.255.255. I thought using a config like deny=0.0.0.0/0.0.0.0 permit=192.168.1.8/255.255.255.255 but it is not working the way I thought? Does that need a host=static.ip entry to work, rather than the deny/permit option? Does using a host=dynamic setting override any deny/permit and port=5060 options? Does being a peer or a user make a difference here? -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
