I’m not really understanding this and while I agree that the ticket system isn’t the place for a discussion, it seems like on the one hand Phillipe is now saying it’s okay to “Allow Anonymous Inbound SIP Calls” and yet at the end says that “Anonymous SIP calls is still a very serious issue for many reasons, which I’m sure will be entertained on a forum thread.” I’m really confused now. Can anyone shed some light on this?
All I’m wanting to do is allow an incoming SIP call if it comes in with a particular DID, irregardless of the source of the call, but reject all other anonymous calls and not expose my system any more than is necessary.
if you don’t want a catch-all then don’t set an inbound route for it and send it to hangup, just don’t set one period and it will be addressed more efficiently.
Thank you for the explanations, it helps my understanding greatly.
Enum was actually one of the things I had in mind for this. What I originally wanted was to be able to have one, or maybe just a few, sip addresses that could be called from anywhere. As far as I know you could not make a trunk because the “host” would be an unknown IP address, and it might not even be the same from call to call. I know you can use trunks to receive calls from known, fixed IP addresses and that’s not a problem (unless the sender uses a range of addresses and you have to make an individual trunk for every one of them). A firewall wouldn’t work for the same reason - you can’t allow only “known” addresses if some of your callers will be coming in from a previously unknown address.
So, my thought was that if you could somehow allow just one, or just a few sip addresses to be okay even if anonymous, you could use those for your Enum or similar routes, while still giving anonymous calls that come in on any other DID (or with no DID) the heave-ho.
What I’m taking away from all this is that you can achieve that by setting up an inbound route for any DID/any CID and then sending that to hangup. But there are still risks, both from possible bugs in Asterisk, and from the user (me) inadvertently leaving an opening for incoming callers to make outgoing calls through the from-internal context.
Thanks again for the explanation, I appreciate it.
the very fact of using our default setup (which can be changed in the SIP Settings Module with the context variable) poses some risk if there are exploits in Asterisk that can be exploited by the plane fact that we are processing the call. This is usually DoS type attacks. Asterisk may even be susceptible to this regardless of the context so if this is ultimately a concern, then a firewall is the best solution to only allow known IP address sources in.
the other risk of allowing anonymous calls in general is if you are doing other custom changes to your dialplan that ultimately opens up security holes, and an anonymous calls ends up exploiting these. Example would be you have accidentally exposed ‘from-internal’ and thus your outbound routes to the outside. By not allowing anonymous calls, you would still be ‘luck’ in that your sources are all controlled, usually trunks of which the providers will only deliver DIDs that are yours where as an anonymous call could come in as an expensive outbound international phone number, thus passing right through your system to your outbound routes and making expensive calls. Of course if you have not messed with your dialplan then we have setup the internal context separations (internal firewall if you will) to prevent this whether the call is anonymous or from a provider…
sir_sip if you want to allow only one DID why not create a peer?
FreePBX calls peers “trunks”, almost 100 variables exist in chan_sip for the purpose of creating peers. Take a read through the asterisk SIP documentation and it will start to make some sense.
Keep in mind these general rules:
1 - Any asterisk peer variable can be used in the FreePBX "peer details"
2 - You must use FreePBX contexts or creat your own in extensions_custom.conf
With regard to “allow anonymous calls” the calls come in to a context that does not have access to the internal dialplan. It is not very dangerous unless you have something configured in an insecure way to allow inbound routes to access dial plans.
With that said the only reason to “allow anonymous calls” is if you have your advertise your domain and accept SIP URI calls IE: [email protected]
Other than this case using anonymous peer is simply sloppy and is not a substiture for the creating a peer.
A firewall wouldn’t work for the same reason - you can’t allow only “known” addresses if some of your callers will be coming in from a previously unknown address.