o Iñaki Baz Castillo [11/11/08 12:59]:
> Hi, AFAIK security in SEMS (using the SIP stack) is done directly via
> iptables, that is, just allow SIP messages from our proxy.
> The example B2BUA applications (as auth_b2b) don't allow setting an
> outbound proxy so they contact directly the target. Linux conntrack

Why does this not work?

sems.conf:

# optional parameter: outbound_proxy=uri
#
# - this sets a next hop for calls and registrations outgoing
#   from SEMS. This does not apply to requests in a dialog that
#   is initiated by someone else and incoming to SEMS, as in
#   this case the next_hop is taken by SEMS from the incoming
#   request that established the dialog.
#   If this is not set (default setting), then for dialogs
#   initiated by SEMS the r-uri is resolved and the request
#   is sent there directly.
#   This is resolved by the SIP stack with DNS if a name is given.
#   Warning: If the value set here can not be resolved, no
#   requests will be sent out at all!
#
# default: empty
#
# Example:
# outbound_proxy=sip:proxy.mydomain.net

BR
Stefan

> makes possible UDP responses to come back from the target during some
> seconds (~120 sec).
>
> So we have a security issue here:
>
> - We secure SEMS by iptables and just allow initial SIP UDP requests
>   coming from our proxy. We use a SEMS b2b application that contacts
>   directly the SIP target (any target/IP). After 120 seconds the target
>   tries to send BYE to SEMS but the UDP datagram is rejected/dropped by
>   iptables since conntrack already deleted that UDP "connection".
>
> - As an insecure solution we open the SEMS SIP port to the world, so
>   anyone from anywhere could send an INVITE with "P-App-Name" and so to
>   SEMS bypassing our proxy (very insecure).
>
> - A not always feasible solution would be adding the possible SIP
>   targets' IPs to the iptables ACCEPT list, but:
>   - Maybe we cannot know which IP they will be (DNS can change...).
>   - This "solution" would allow being hacked from these target IPs.
>
> IMHO the best solution would be allowing an "outbound" parameter to
> SEMS applications, how easy is it?
> Thanks.
>
> --

Stefan Sayer
VoIP Services
www.iptego.com

IPTEGO GmbH
Am Borsigturm 40
13507 Berlin
Germany
Amtsgericht Charlottenburg, HRB 101010
Geschaeftsfuehrer: Alexander Hoffmann

_______________________________________________
Semsdev mailing list
http://lists.iptel.org/mailman/listinfo/semsdev
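The failure mode Iñaki describes, and why Stefan's outbound_proxy setting fixes it, as an added model that is not part of the thread and not SEMS or iptables code: a toy stateful firewall with a static ACCEPT for the proxy address and conntrack-style dynamic entries that expire 120 s after the last datagram (the value quoted in the thread; the proxy and target addresses are constructed).

```python
# Constructed addresses and the UDP flow timeout quoted in the thread.
PROXY = "10.0.0.1"          # the only statically allowed SIP source
UDP_TIMEOUT = 120           # seconds a conntrack UDP entry survives without traffic


class ConntrackFirewall:
    """Model of 'ACCEPT from proxy' plus conntrack RELATED/ESTABLISHED for UDP."""

    def __init__(self, proxy=PROXY, timeout=UDP_TIMEOUT):
        self.proxy = proxy
        self.timeout = timeout
        self.entries = {}   # remote_ip -> expiry time of the dynamic entry

    def outgoing(self, now, dst):
        """SEMS sends a datagram: conntrack creates/refreshes the entry for dst."""
        self.entries[dst] = now + self.timeout

    def incoming(self, now, src):
        """Return True if an inbound datagram from src would be accepted."""
        if src == self.proxy:
            return True                               # static ACCEPT rule
        expiry = self.entries.get(src)
        if expiry is not None and now < expiry:
            self.entries[src] = now + self.timeout    # reply refreshes the entry
            return True
        self.entries.pop(src, None)                   # expired: flow forgotten
        return False


def simulate_call(outbound_proxy, target="203.0.113.7", bye_at=180):
    """Run the thread's scenario; report whether the 200 OK and the BYE get in.

    Without outbound_proxy the B2BUA talks to the target directly, so the
    far end's BYE must match a conntrack entry. With outbound_proxy every
    request and the later BYE arrive via the proxy, which is always allowed.
    """
    fw = ConntrackFirewall()
    next_hop = PROXY if outbound_proxy else target
    fw.outgoing(0, next_hop)                 # INVITE leaves SEMS
    ok = fw.incoming(1, next_hop)            # 200 OK comes back right away
    fw.outgoing(2, next_hop)                 # ACK; then silence on the SIP port
    bye = fw.incoming(bye_at, next_hop)      # far end hangs up after bye_at seconds
    return {"200_ok": ok, "bye": bye}
```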
