Uhm, strange, but does this work on your setup? Even with permit and deny, if a user is not matched in the conf, it is allowed access to the default context stated in the conf.
On Wed, 2004-04-28 at 16:12, James H. Thompson wrote:
> I think the problem is that using permit= alone does nothing.
> You need to combine it with a deny= as in:
>
> deny=0.0.0.0/0.0.0.0      ; deny all
> permit=123.123.123.123    ; allow only this address - netmask defaults to: /255.255.255.255
>
> order matters, the deny needs to come first.
>
> for reference here is the code from acl.c that checks the rules:
>
> int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
> {
>     /* Start optimistic */
>     int res = AST_SENSE_ALLOW;
>     while(ha) {
>         /* For each rule, if this address and the netmask = the net address
>            apply the current rule */
>         if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == (ha->netaddr.s_addr))
>             res = ha->sense;
>         ha = ha->next;
>     }
>     return res;
> }
>
> Jim
>
> James H. Thompson
> [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "William Zhang" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 27, 2004 2:43 PM
> Subject: [Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
>
> > I had tried many ways with some advanced user help, but without
> > success (at one point I thought I had it working).
> >
> > Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> > file, there are a lot of entries with just "host=a.b.c.d", thinking
> > that * will only accept calls from host "a.b.c.d", but in my test, no
> > matter how you set up the sip.conf entries, either * will NOT accept
> > calls for that user account at all, or it will accept calls from any
> > where without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> > so long as the sip userid is the username in sip.conf. This poses a very
> > serious security problem.
> >
> > Of course we can put "secret=" for each entry, but given that the Asterisk GW
> > and SIP proxy are on 2 TRUSTED IPs, no Authentication is necessary,
> > otherwise it increases the SIP traffic quite a bit.
> >
> > Following are the 4 different entries that I had tried:
> > #Notice that in the "general" section, context is pointed to a non-existent context "INVALID".
> >
> > ;
> > ; SIP Configuration for Asterisk
> > ;
> > [general]
> > port = 5060                 ; Port to bind to
> > bindaddr = 212.213.66.68
> > context = INVALID           ;
> > ;srvlookup = yes            ; Enable SRV lookups on outbound calls
> > ;pedantic = yes             ; Enable slow, pedantic checking for Pingtel
> > ;tos=lowdelay
> > ;tos=184
> > ;maxexpirey=3600            ; Max length of incoming registration we allow
> > ;defaultexpirey=120         ; Default length of incoming/outgoing registration
> > ;notifymimetype=text/plain  ; Allow overriding of mime type in NOTIFY
> > ;videosupport=yes           ; Turn on support for SIP video
> > disallow=all                ; Disallow all codecs
> > allow=ulaw                  ; Allow codecs in order of preference
> > allow=g729
> > allow=ilbc
> > ;
> > ;dtmfmode=info
> > ;dtmfmode=inband
> > dtmfmode=rfc2833
> >
> >
> > [20034]
> > type=friend
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > nat=yes                     ; This phone may be natted
> > canreinvite=no
> >
> > [20035]
> > type=peers
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > nat=yes                     ; This phone may be natted
> > canreinvite=no
> >
> > [20036]
> > type=friend
> > context=default
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > permit=212.213.65.66
> > nat=yes                     ; This phone may be natted
> > canreinvite=no
> >
> > [20037]
> > type=peers
> > context=default
> > callerid=TEST <61331045>
> > permit=212.213.65.66
> > nat=yes                     ; This phone may be natted
> > canreinvite=no
> >
> > Thank you in advance.
> >
> > _______________________________________________
> > Asterisk-Users mailing list
> > [EMAIL PROTECTED]
> > http://lists.digium.com/mailman/listinfo/asterisk-users
> > To UNSUBSCRIBE or update options visit:
> > http://lists.digium.com/mailman/listinfo/asterisk-users
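The ordering rule James quotes from acl.c (start optimistic, walk every rule, last match wins) can be checked outside Asterisk. The program below is an added example, not Asterisk code and not code from anyone in this thread: it reimplements the quoted loop with its own small rule parser and runs the three rule orderings discussed above against the peer address from the posted sip.conf and one unrelated address. The names apply_ha, parse_rule, build_list and the three scenario functions are assumed for illustration; the SENSE_* values mirror the AST_SENSE_ALLOW/DENY idea but are not Asterisk's definitions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sense values, standing in for Asterisk's AST_SENSE_DENY/ALLOW. */
enum { SENSE_DENY = 0, SENSE_ALLOW = 1 };

/* One permit=/deny= rule: network address and mask in network byte order, plus its sense. */
struct ha_rule {
    uint32_t netaddr;
    uint32_t netmask;
    int sense;
    struct ha_rule *next;
};

/* Parse "a.b.c.d" or "a.b.c.d/e.f.g.h". A missing mask defaults to /255.255.255.255,
   as James describes. Returns 0 on success, -1 on malformed input. */
static int parse_rule(const char *spec, int sense, struct ha_rule *out) {
    char buf[64];
    char *slash;
    struct in_addr a, m;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash) *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    if (slash) {
        if (inet_pton(AF_INET, slash, &m) != 1) return -1;
    } else {
        m.s_addr = htonl(0xffffffffu);
    }
    out->netaddr = a.s_addr & m.s_addr;  /* normalise so the masked compare below is exact */
    out->netmask = m.s_addr;
    out->sense = sense;
    out->next = NULL;
    return 0;
}

/* Same algorithm as the quoted ast_apply_ha(): start optimistic, visit every rule,
   and let the LAST matching rule decide. That is why the deny must come first. */
static int apply_ha(const struct ha_rule *ha, const char *ip) {
    struct in_addr s;
    int res = SENSE_ALLOW;
    if (inet_pton(AF_INET, ip, &s) != 1) return SENSE_DENY;
    for (; ha; ha = ha->next)
        if ((s.s_addr & ha->netmask) == ha->netaddr)
            res = ha->sense;
    return res;
}

/* An ordered list of rules, in the order they would appear in a sip.conf entry. */
struct rule_spec { int sense; const char *spec; };

static int build_list(const struct rule_spec *specs, int n, struct ha_rule *storage) {
    int i;
    for (i = 0; i < n; i++) {
        if (parse_rule(specs[i].spec, specs[i].sense, &storage[i]) != 0) return -1;
        if (i > 0) storage[i - 1].next = &storage[i];
    }
    return 0;
}

/* Scenario 1: permit= alone, as in the posted [20037] entry. No rule ever flips the
   optimistic default, so every source address is still allowed. */
int permit_only(const char *ip) {
    struct ha_rule r[1];
    const struct rule_spec s[] = { { SENSE_ALLOW, "212.213.65.66" } };
    if (build_list(s, 1, r) != 0) return -1;
    return apply_ha(r, ip);
}

/* Scenario 2: deny all first, then permit one host: only that host is allowed. */
int deny_then_permit(const char *ip) {
    struct ha_rule r[2];
    const struct rule_spec s[] = {
        { SENSE_DENY,  "0.0.0.0/0.0.0.0" },
        { SENSE_ALLOW, "212.213.65.66" },
    };
    if (build_list(s, 2, r) != 0) return -1;
    return apply_ha(r, ip);
}

/* Scenario 3: the same two rules in the wrong order: deny-all matches last, so
   even the intended host is refused. */
int permit_then_deny(const char *ip) {
    struct ha_rule r[2];
    const struct rule_spec s[] = {
        { SENSE_ALLOW, "212.213.65.66" },
        { SENSE_DENY,  "0.0.0.0/0.0.0.0" },
    };
    if (build_list(s, 2, r) != 0) return -1;
    return apply_ha(r, ip);
}

int main(void) {
    /* Constructed sample sources: the peer from the posted config and an outsider. */
    const char *ips[] = { "212.213.65.66", "10.0.0.1" };
    int i;
    for (i = 0; i < 2; i++)
        printf("%-15s permit-only=%d deny-then-permit=%d permit-then-deny=%d\n", ips[i],
               permit_only(ips[i]), deny_then_permit(ips[i]), permit_then_deny(ips[i]));
    return 0;
}
```

Build with `cc -o acltest acltest.c` and run it: the outsider 10.0.0.1 is allowed (1) under permit-only, refused (0) under deny-then-permit, and both addresses are refused under permit-then-deny. One deliberate difference from the quoted loop: parse_rule masks the network address when the rule is built, so a rule written as a host address with a wide mask still compares correctly; the quoted code compares against netaddr as stored.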