Hello,

route[AUTH] allows calls from non-local users (from other SIP servers) to local users. The R-URI has the public IP address, so it is considered to be for a local user.

If you do not want to allow non-local users to call your users, just do auth_check() for all non-trusted traffic.

Cheers,
Daniel

On 11.04.18 17:15, Володимир Іванець wrote:
> Hello all!
>
> I'm using Kamailio 5.1.0 on my testing machine. The configuration includes
> a slightly modified AUTH route from
> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>
> route[AUTH] {
>     xlog("L_DBG", "== TRACE. AUTH\n");
>
>     # if caller is not local subscriber, then check if it calls
>     # a local destination, otherwise deny, not an open relay here
>     if (from_uri!=myself && uri!=myself) {
>         xlog("L_DBG", "== TRACE. AUTH. Not relaying. Exiting.\n");
>         sl_send_reply("403","Not relaying");
>         exit;
>     }
>
>     if(isflagset(TRUSTEDIP)) {
>         xlog("== TRACE. AUTH. TRUSTEDIP. Returning.\n");
>         return;
>     }
>
>     if (is_method("REGISTER") || from_uri==myself) {
>         xlog("L_DBG", "== TRACE. AUTH. Method REGISTER\n");
>         # authenticate requests
>         if (!auth_check("$fd", "sipusers", "1")) {
>             auth_challenge("$fd", "0");
>             xlog("L_DBG", "== TRACE. AUTH. Exiting.\n");
>             exit;
>         }
>         # user authenticated - remove auth header
>         if(!is_method("REGISTER|PUBLISH")) {
>             xlog("L_DBG", "== TRACE. AUTH. Method is not REGISTER|PUBLISH\n");
>             consume_credentials();
>         }
>     }
>
>     xlog("L_DBG", "== TRACE. AUTH. Returning.\n");
>     return;
> }
>
> I opened port UDP/5060 to everyone today and started receiving some
> SIP requests. Most INVITEs were stopped by *auth_challenge* but then I
> received this one:
>
> 2018/04/11 16:32:44.385689 38.91.106.211:5069 -> 172.16.30.205:5060
>
> INVITE sip:100@MY_PUB_IP_ADDRESS SIP/2.0
> v: SIP/2.0/UDP 38.91.106.211:5060;branch=z9hG4bK-929181129;rport
> Content-Length: 0
> f: "pbx"<sip:100@1.1.1.1>;tag=3535306165633930313363340131373533363938373235
> i: 757925348661465531074812
> m: sip:100@38.91.106.211:5069
> Accept: application/sdp
> CSeq: 1 INVITE
> t: "pbx"<sip:100@1.1.1.1>
> Max-Forwards: 70
>
> ... and it came through the AUTH route. Below are two fragments of the
> Kamailio log:
>
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. INVITE From: sip:100@1.1.1.1 (IP:38.91.106.211:5069)
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. To: sip:100@1.1.1.1
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv [pv_core.c:1286]: pv_get_dsturi(): no destination URI
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. Destination URI : <null>
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. SIP Request header : sip:100@MY_PUB_IP_ADDRESS
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv [pv_core.c:966]: pv_get_useragent(): no User-Agent header
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. User Agent header : <null>
>
> ****************************************************************************************************
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. request_route ==> AUTH
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. AUTH
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==13 && [1.1.1.1] == [172.16.30.205]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/forward.c:412]: check_self(): host != me
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==13 && [1.1.1.1] == [172.16.30.205]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/forward.c:412]: check_self(): host != me
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==9 && [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==13 && [ MY_PUB_IP_ADDRESS ] == [172.16.30.205]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==9 && [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. AUTH. Returning.
>
> As you can see, all tests failed to catch this INVITE request and
> Kamailio continued processing it. And I'm now wondering what would be
> the best way to identify such a packet.
>
> Thanks.
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - April 16-18, 2018, Berlin - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
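
Added example, not part of the original messages or of the asipto tutorial: the route[AUTH] from the question with the change described in the reply, so that every request not flagged TRUSTEDIP has to pass auth_check(). It assumes, as in the posted configuration, that TRUSTEDIP is set earlier in the script for trusted peers and that subscribers are stored in the sipusers table.

```kamailio
route[AUTH] {
    # Not an open relay: reject when neither caller nor callee is local.
    # The captured INVITE passes this test because its R-URI carries the
    # server's public IP address, so uri==myself.
    if (from_uri!=myself && uri!=myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }

    # Peers flagged as trusted earlier in the script skip digest auth
    # (assumption: the flag is set before route[AUTH] is called).
    if (isflagset(TRUSTEDIP)) {
        return;
    }

    # Posted version wrapped the block below in:
    #   if (is_method("REGISTER") || from_uri==myself) { ... }
    # The captured request was an INVITE with From sip:100@1.1.1.1, which
    # is not local, so the condition was false and no challenge was sent.
    # Hardened version: no condition, all untrusted traffic authenticates.
    if (!auth_check("$fd", "sipusers", "1")) {
        auth_challenge("$fd", "0");
        exit;
    }

    # user authenticated - remove auth header before relaying
    if (!is_method("REGISTER|PUBLISH")) {
        consume_credentials();
    }
    return;
}
```

With this route, calls arriving from other SIP servers are challenged as well, so any peer that should reach local users without credentials has to be flagged TRUSTEDIP.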