Freepbx accept sip requests only with hostname

(Paperakis) #1


Has anyone applied the title task?

I have a PBX with a hostname that resolves to an IP.
When I have a register request to I want the PBX to ignore that message, but when I try to register with will respond.

(Dave Burgess) #2

My memory is a little soft right now, but it seems to me that @dicko came up with a way to set the system up so that it would only accept traffic bound for the FQDN and not just the address. I can’t for the life of me remember how to do that - it just seems to me that there is a way.


Chan_sip has a simple, global domain= parameter to do this. Didn’t find an easy alternative for PJSip, but didn’t look very hard.

For clear text SIP, I block at iptables if there isn’t a valid ext@fqdn in the packet.


For chan_sip add to /etc/asterisk/sip_general_custom.conf

For chan_pjsip you need to disable identify by ip, there is probably a way to do it in the gooey but adding to /etc/asterisk/modules.conf

noload =

should also work as perhaps just reordering them in the gooey pjsip config page, (which I haven’t tried)

(Paperakis) #5

Since chan_sip is deprecated pjsip is the only way though.

@dicko so I just have to noload the module? Where should I add the FQDN for the pjsip? Could you help a bit more? :slight_smile:

(Itzik) #6

Hi @jerrm,
Do you mind sharing how you are doing that?



I don’t use the FreePBX firewall, so am not sure this could be easily integrated without getting clobbered.

Below is a simplified version of what is in my firewall script. It creates a chain that allows extensions in the “Roaming” group and drops any other traffic. I leave it to the user to determine the appropriate placement of any jump to the chain.

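# Placeholders: set the chain name and the PBX FQDN for your system
chain="SIP_ROAMING"
fqdn="pbx.example.com"

# Collect the devices assigned to every user in the "Roaming" group
extensions="$(php -r '  include "/etc/freepbx.conf";
                        $um = FreePBX::Create()->Userman;
                        $users = $um->getGroupByUsername("Roaming")["users"];
                        foreach($users as $u) {
                                $devs = $um->getAssignedDevices($u);
                                foreach($devs as $d) echo $d, "\n";
                        }')"

iptables -N "$chain"
iptables -F "$chain"

# One RETURN rule per extension: the packet must contain sip:<ext>@<fqdn>
for ext in $extensions; do
        iptables --wait 5 -A "$chain" -m string --string "sip:$ext@$fqdn" --algo bm -m comment --comment "valid extension" -j RETURN
done

# Anything that did not match a valid extension is dropped or reset
iptables -A "$chain" -p udp -j DROP
iptables -A "$chain" -p tcp -j REJECT --reject-with tcp-reset

iptables -vnL "$chain"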
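Added example, not part of the original post or of anyone's firewall script: an offline model of the chain above that shows which REGISTER payloads would reach RETURN and which would fall through to DROP. The FQDN, extension list, and SIP messages are constructed placeholders, and the helper names `make_register` and `chain_verdict` are hypothetical.

```sh
#!/bin/sh
# Offline model of the chain: a payload is accepted (RETURN) only if it
# contains the literal bytes "sip:<ext>@<fqdn>" for an allowed extension.
# All values below are constructed for illustration.

fqdn="pbx.example.com"      # placeholder FQDN
extensions="100 101"        # placeholder list of roaming extensions

# Print a minimal REGISTER payload for user $1 addressed to host $2.
make_register() {
    printf 'REGISTER sip:%s SIP/2.0\r\n' "$2"
    printf 'To: <sip:%s@%s>\r\n' "$1" "$2"
    printf 'From: <sip:%s@%s>;tag=1\r\n' "$1" "$2"
    printf 'Call-ID: constructed-1\r\nCSeq: 1 REGISTER\r\n\r\n'
}

# Read a payload on stdin and print the verdict the chain would reach.
chain_verdict() {
    payload=$(cat)
    for ext in $extensions; do
        # grep -F is a literal, case-sensitive search, which is how
        # "-m string --string ..." behaves when --icase is not given.
        if printf '%s' "$payload" | grep -qF -- "sip:$ext@$fqdn"; then
            echo RETURN
            return 0
        fi
    done
    echo DROP
}

make_register 100 pbx.example.com | chain_verdict   # allowed extension, FQDN
make_register 100 192.0.2.10      | chain_verdict   # allowed extension, bare IP
make_register 999 pbx.example.com | chain_verdict   # FQDN, extension not in group
make_register 100 PBX.example.com | chain_verdict   # FQDN written in another case
```

The last case is dropped because the match is case-sensitive; if legitimate clients send the host name in mixed case, the iptables string match has an `--icase` option.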

(Simon Telephonics) #8

This would be a good feature request–the ability to disable and not just reorder.

(Itzik) #9

Thank you

(Paperakis) #10

Thank you all! I will try it and give you feedback ASAP! :slight_smile:

(Tom Ray) #11

Just remember disabling/noloading this will break your PJSIP trunks as it removes the ability to match on IP for inbound traffic from providers. I mean unless you're going to use SIP Registration for every trunk.

(system) closed #12

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.