Anon inbound calls stopped by firewall

configuration

(Yknivag) #1

I’m forwarding a PSTN number into my FreePBX environment via SIP URI (don’t ask why, it’s the only supported way atm).

I followed the excellent guide in the second post of this thread (Sip uri) to set up the incoming route and set the DID and then when I call the PSTN number it rings but never shows up in the Asterisk logs.

If I disable the firewall then the call connects and proceeds to my IVR without a problem.

Is there a way I can create a custom rule in the firewall to allow calls only from the one forwarding provider?


#2

Connectivity -> Firewall, Networks tab. At the bottom, enter the provider’s IP address, choose the Trusted zone, click +.

However, your setup is somewhat strange. Had you simply configured a pjsip trunk with Registration: None, Authentication: None, SIP Server: (provider’s IP address), then the firewall would be automatically set up.
https://wiki.freepbx.org/display/FPG/Firewall
See first FAQ.


(Yknivag) #3

@Stewart1 thank you for your reply.

I appreciate that this is a most unusual (and rather undesirable) setup. Ultimately it will be replaced with a SIP trunk. This is only a temporary solution.

I’ve found the way of adding the firewall rule (thank you!). Is there a way of seeing what IP/host the call is coming from in FreePBX/Asterisk logs? (The provider is not particularly clued up).


(Lorne Gaetz) #4

Easiest way by far is using sngrep, but the IP of anonymous calls is logged in /var/log/asterisk/full.


#5

No, this is the most robust way to do SIP trunking. It eliminates the possibility of “lost registration” and is somewhat more secure, because there are no provider credentials to get stolen. Also, it allows the provider to send a call from an alternate POP site, if the first failed or your PBX is unreachable from its address. I use registration only when IP authentication is unavailable.

Usually called “IP authentication”, it is the only interconnect method supported by most wholesalers, and is available as a (recommended) option by most business-oriented retailers.


(Yknivag) #6

Is it? I have verbose logging enabled and can find no reference to it (or any IP) in that file. That was where I first looked in the hope of finding the source IP so I could whitelist it.

It isn’t even logged there when I turn on security logging to that file.

Is there some other log category I need to enable for it to present the source IP?


(Lorne Gaetz) #7

Perhaps not. The IP is in the channel name for chan_sip calls, but not for pjsip. Two different examples of an anonymous call from IP 10.224.50.2:

[2020-04-03 12:44:28] VERBOSE[17129][C-00000019] pbx.c: Executing [5005@from-sip-external:1] NoOp("SIP/10.224.50.2-00000009", "Received incoming SIP connection from unknown peer to 5005") in new stack
[2020-04-03 12:46:12] VERBOSE[17564][C-0000001a] pbx.c: Executing [5005@from-sip-external:1] NoOp("PJSIP/anonymous-00000022", "Received incoming SIP connection from unknown peer to 5005") in new stack

You could write your own anon context using from-sip-external as the basis, and add lines to log the IP of the calling party. There is dialplan here that shows how to get IP: Need help with multiple locations e911
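
The chan_sip/pjsip difference in the two log lines above can be checked over a whole log file. The following is an added example, not part of the original thread: it scans lines in the format of /var/log/asterisk/full for the first priority of from-sip-external and reports the source IP where the channel name carries one. The function names are hypothetical, and the sample input is the two log lines quoted in the post above.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the two log lines quoted in the post above.
SAMPLE_LOG = '''\
[2020-04-03 12:44:28] VERBOSE[17129][C-00000019] pbx.c: Executing [5005@from-sip-external:1] NoOp("SIP/10.224.50.2-00000009", "Received incoming SIP connection from unknown peer to 5005") in new stack
[2020-04-03 12:46:12] VERBOSE[17564][C-0000001a] pbx.c: Executing [5005@from-sip-external:1] NoOp("PJSIP/anonymous-00000022", "Received incoming SIP connection from unknown peer to 5005") in new stack
'''

# First priority of from-sip-external; the channel name is the first quoted argument.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\].*?Executing \[(?P<exten>[^@\]]+)@from-sip-external:1\] '
    r'\w+\("(?P<tech>SIP|PJSIP)/(?P<peer>.+?)-[0-9a-f]{8}"'
)


def parse_anonymous_calls(log_text):
    """Return one dict per anonymous inbound call found in log_text."""
    calls = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            # chan_sip names the channel after the peer address.
            ip = str(ipaddress.ip_address(m['peer']))
        except ValueError:
            # chan_pjsip uses the endpoint name ("anonymous"), so no IP here.
            ip = None
        calls.append({'time': m['ts'], 'did': m['exten'], 'tech': m['tech'], 'ip': ip})
    return calls


def summarize(calls):
    """Count calls per source IP and collect calls whose log line carries no IP."""
    by_ip = Counter(c['ip'] for c in calls if c['ip'])
    no_ip = [c for c in calls if c['ip'] is None]
    return by_ip, no_ip


if __name__ == '__main__':
    by_ip, no_ip = summarize(parse_anonymous_calls(SAMPLE_LOG))
    for ip, n in by_ip.most_common():
        print(f'{ip}: {n} call(s)')
    for c in no_ip:
        print(f"{c['time']} {c['tech']} call to {c['did']}: no IP in channel name")
```

Calls reported without an IP need another source for the address, such as sngrep or a custom context that logs it.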

