Hi Aqs,

What seems to be the problem? Do you want this caller to be IP authenticated, digest authenticated, or denied?

On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas <aqsyou...@gmail.com> wrote:
> Greetings list.
>
> I can see that I was able to bypass the default route[AUTH] if I send an
> invite containing from_uri which is not local but requested line containing
> a local user.
>
> listen=udp:172.16.40.10:5060
>
> route[AUTH] {
> #!ifdef WITH_AUTH
> #!ifdef WITH_IPAUTH
>     if((!is_method("REGISTER")) && allow_source_address()) {
>         # source IP allowed
>         return;
>     }
> #!endif
>     if (is_method("REGISTER") || from_uri==myself) {
>         # authenticate requests
>         if (!auth_check("$fd", "subscriber", "1")) {
>             auth_challenge("$fd", "0");
>             exit;
>         }
>         # user authenticated - remove auth header
>         if(!is_method("REGISTER|PUBLISH"))
>             consume_credentials();
>     }
>     # if caller is not local subscriber, then check if it calls
>     # a local destination, otherwise deny, not an open relay here
>     if (from_uri!=myself && uri!=myself) {
>         sl_send_reply("403","Not relaying");
>         exit;
>     }
> #!else
>     # authentication not enabled - do not relay at all to foreign networks
>     if(uri!=myself) {
>         sl_send_reply("403","Not relaying");
>         exit;
>     }
> #!endif
>     return;
> }
>
> Below INVITE gets passed above auth route.
>
> INVITE sip:60129879190@172.16.40.10 SIP/2.0
> Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
> Max-Forwards: 70
> From: <sip:0128888877@139.5.177.99>;tag=as2274e806
> To: <sip:60129879190@172.16.40.10>
> Contact: <sip:0128888877@139.5.177.91:5060>
> Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b@139.5.177.91:5060
> CSeq: 102 INVITE
> User-Agent: FPBX-13.0.194.2(13.17.0)
> Date: Fri, 23 Mar 2018 09:33:01 GMT
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
>  PUBLISH, MESSAGE
> Supported: replaces, timer
> Content-Type: application/sdp
> Content-Length: 321
>
> v=0
> o=root 237494576 237494576 IN IP4 139.5.177.99
> s=Asterisk PBX 13.17.0
> c=IN IP4 139.5.177.99
> t=0 0
> m=audio 15332 RTP/AVP 0 18 8 101
> a=rtpmap:0 PCMU/8000
> a=rtpmap:18 G729/8000
> a=fmtp:18 annexb=no
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-16
> a=ptime:20
> a=maxptime:150
> a=sendrecv
>
> From INVITE and route[AUTH] I can see why it is being passed.
>
> But should it not by default authenticate every request if IP address is
> not allowed in permission module?
>
> Br, Aqs.
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
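
Added example, not part of the thread or of the Kamailio project: a Python model of the posted route[AUTH] (with WITH_AUTH and WITH_IPAUTH defined) applied to the posted INVITE, showing which branch lets it through without a digest challenge. It assumes `myself` matches only the listen address 172.16.40.10 and compares hosts only; the function names and result strings are hypothetical.

```python
import re

# Assumption: "myself" matches only the listen address from the post.
MYSELF = {"172.16.40.10"}

# Headers copied from the INVITE in the post, trimmed to what route[AUTH] inspects.
INVITE = """\
INVITE sip:60129879190@172.16.40.10 SIP/2.0
Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
From: <sip:0128888877@139.5.177.99>;tag=as2274e806
To: <sip:60129879190@172.16.40.10>
CSeq: 102 INVITE
"""

def uri_host(value):
    """Host part of the first sip:/sips: URI in a request URI or header value."""
    m = re.search(r"sips?:(?:[^@>;\s]*@)?([^:;>\s]+)", value)
    return m.group(1).lower() if m else None

def parse(msg):
    """Return (method, R-URI host, From host) of a raw SIP request."""
    lines = msg.strip().splitlines()
    method, ruri, _version = lines[0].split()
    from_hdr = next(l for l in lines[1:] if l.lower().startswith(("from:", "f:")))
    return method, uri_host(ruri), uri_host(from_hdr.split(":", 1)[1])

def route_auth(method, ruri_host, from_host, src_allowed=False, creds_ok=False):
    """Follow the posted route[AUTH] branch by branch (hypothetical result strings)."""
    from_local, ruri_local = from_host in MYSELF, ruri_host in MYSELF
    if method != "REGISTER" and src_allowed:
        return "pass-ip"                      # allow_source_address() matched
    authenticated = False
    if method == "REGISTER" or from_local:    # the only branch that asks for digest
        if not creds_ok:
            return "challenge"                # auth_challenge(); exit
        authenticated = True
    if not from_local and not ruri_local:
        return "403"                          # "Not relaying"
    return "pass-authenticated" if authenticated else "pass-unauthenticated"

if __name__ == "__main__":
    print(route_auth(*parse(INVITE)))         # foreign From, local R-URI
    print(route_auth("INVITE", "172.16.40.10", "172.16.40.10"))  # local From
```

The digest branch is keyed on the From domain, so a request with a foreign From and a local request URI skips it and is also not caught by the relay check, which only rejects when both are foreign.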