FreePBX accept SIP requests only with hostname


(Paperakis) #1

Hello,

Has anyone applied the title task?

I have a PBX with hostname pbx.eg.com that resolves to IP 1.1.1.1.
When I get a register request to 1.1.1.1 I want the PBX to ignore that message, but when I try to register with pbx.eg.com it will respond.


(Dave Burgess) #2

My memory is a little soft right now, but it seems to me that @dicko came up with a way to set the system up so that it would only accept traffic bound for the FQDN and not just the address. I can’t for the life of me remember how to do that - it just seems to me that there is a way.


#3

Chan_sip has a simple, global domain= parameter to do this. Didn’t find an easy alternative for PJSip, but didn’t look very hard.

For clear text SIP, I block at iptables if there isn’t a valid ext@fqdn in the packet.


#4

For chan_sip add to /etc/asterisk/sip_general_custom.conf

domain=pbx.eg.com
domain=127.0.0.1

For chan_pjsip you need to disable identify by ip, there is probably a way to do it in the gooey but adding to /etc/asterisk/modules.conf

noload = res_pjsip_endpoint_identifier_ip.so

should also work as perhaps just reordering them in the gooey pjsip config page, (which I haven’t tried)


(Paperakis) #5

Since chan_sip is deprecated pjsip is the only way though.

@dicko so I just have to noload the module? Where should I add the FQDN for PJSIP? Could you help a bit more? 🙂


(Itzik) #6

Hi @jerrm,
Do you mind sharing how you are doing that?

Thanks


#7

I don’t use the FreePBX firewall, so am not sure this could be easily integrated without getting clobbered.

Below is a simplified version of what is in my firewall script. It creates a chain that allows extensions in the “Roaming” group and drops any other traffic. I leave it to the user to determine the appropriate placement of any jump to the chain.


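#!/bin/bash
# Collect the devices assigned to every user in the "Roaming" Userman group.
extensions="$(php -r '  include "/etc/freepbx.conf";
                        $um = FreePBX::Create()->Userman;
                        $users = $um->getGroupByUsername("Roaming")["users"];
                        foreach($users as $u) {
                                $devs = $um->getAssignedDevices($u);
                                foreach($devs as $d) echo $d, "\n";
                        }'
                )"

chain=checkExt
fqdn=mypbx.mydomain.tld
# Create the chain, then flush it so a re-run starts from an empty chain.
iptables -N $chain
iptables -F $chain

# Return to the calling chain for packets that contain a valid sip:ext@fqdn.
for ext in $extensions; do
        iptables --wait 5 -A $chain -m string --string "sip:$ext@$fqdn" --algo bm -m comment --comment "valid extension" -j RETURN
done

# Anything else that reaches this chain is dropped (UDP) or reset (TCP).
iptables -A $chain -p udp -j DROP
iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset

# Show the resulting rules.
iptables -vnL $chain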
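
The matching logic of the checkExt chain in the script above can be dry-run offline before any jump to it is installed. This is an added example, not part of the original post or of FreePBX; the extensions 101 and 102, the addresses, and the helper names check_ext_verdict, make_register and verdict_for are constructed or hypothetical, and it assumes a client puts the host it was configured with in both the request line and the From/To URIs.

```bash
#!/bin/bash
# Added example: offline dry run of the checkExt string-match logic.
# Every value here is constructed for illustration; no firewall is touched.
fqdn="mypbx.mydomain.tld"   # placeholder FQDN, as in the script above
extensions="101 102"        # constructed stand-in for the "Roaming" devices

# Print the verdict the chain reaches for one SIP payload: RETURN if any
# "sip:<ext>@<fqdn>" occurs anywhere in it, otherwise DROP. Like
# "-m string --algo bm" without --icase, the comparison is case-sensitive.
check_ext_verdict() {
        local payload="$1" ext
        for ext in $extensions; do
                case "$payload" in
                        *"sip:$ext@$fqdn"*) echo RETURN; return 0 ;;
                esac
        done
        echo DROP
}

# Build a constructed REGISTER. $1 = host the client was configured with
# (assumed to appear in the request line and the From/To URIs), $2 = extension.
make_register() {
        printf 'REGISTER sip:%s SIP/2.0\r\n' "$1"
        printf 'Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n'
        printf 'From: <sip:%s@%s>;tag=constructed\r\n' "$2" "$1"
        printf 'To: <sip:%s@%s>\r\n' "$2" "$1"
        printf 'Call-ID: constructed@192.0.2.10\r\nCSeq: 1 REGISTER\r\n'
        printf 'Contact: <sip:%s@192.0.2.10:5060>\r\n' "$2"
        printf 'Content-Length: 0\r\n\r\n'
}

verdict_for() { check_ext_verdict "$(make_register "$1" "$2")"; }

echo "ext 101 via FQDN:         $(verdict_for "$fqdn" 101)"
echo "ext 101 via IP address:   $(verdict_for 198.51.100.7 101)"
echo "ext 999 via FQDN:         $(verdict_for "$fqdn" 999)"
echo "ext 101, upper-case FQDN: $(verdict_for MYPBX.MYDOMAIN.TLD 101)"
```

The REGISTER request line carries no user part, so the match comes from the From/To headers; a phone configured with the FQDN in a different letter case is dropped unless the rule adds --icase.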


(Simon Telephonics) #8

This would be a good feature request–the ability to disable and not just reorder.


(Itzik) #9

Thank you


(Paperakis) #10

Thank you all! I will try it and give you feedback ASAP! 🙂


(Tom Ray) #11

Just remember disabling/noloading this will break your PJSIP trunks as it removes the ability to match on IP for inbound traffic from providers. I mean unless you're going to use SIP Registration for every trunk.

