Freepbx accept sip requests only with hostname


Does anyone applied the tittle task?

i have a pbx with hostname that resolves to ip
when i have an register request to i want the pbx ignore that message but when i try to register with will response.

My memory is a little soft right now, but it seems to me that @dicko came up with a way to set the system up so that it would only accept traffic bound for the FQDN and not just the address. I can’t for the life of me remember how to do that - it just seems to me that there is a way.

Chan_sip has a simple, global domain= parameter to do this. Didn’t find an easy alternative for PJSip, but didn’t look very hard.

For clear text SIP, I block at iptables if there isn’t a valid [email protected] in the packet.

For chan_sip add to /etc/asterisk/sip_general_cutom.conf

For chan_pjsip you need to disable identify by ip, there is probably a way to do it in the gooey but adding to /etc/asterisk/modules.conf

noload =

should also work as perhaps just reordering them in the gooey pjsip config page, (which I haven’t tried)

1 Like

Since chan_sip is deprecated pjsip is the only way though.

@dicko so i have just to noload the module? where i should add the fqdn for the pjsip? Could you help a bit more? :slight_smile:

Hi @jerrm,
Do you mind sharing how you are doing that?


1 Like

I don’t use the FreePBX firewall, so am not sure this could be easily integrated without getting clobbered.

Below is a simplified version of what is in my firewall script. It creates a chain that allows extensions in the “Roaming” group and drops any other traffic. I leave it to the user to determine the appropriate placement of any jump to the chain.

extensions="$(php -r '  include "/etc/freepbx.conf";
                        $um = FreePBX::Create()->Userman;
                        $users = $um->getGroupByUsername("Roaming")["users"];
                        foreach($users as $u) {
                                $devs = $um->getAssignedDevices($u);
                                foreach($devs as $d) echo $d, "\n";

iptables -N $chain
iptables -F $chain

for ext in $extensions; do
        iptables --wait 5 -A $chain -m string --string "sip:[email protected]$fqdn" --algo bm -m comment --comment "valid extension" -j RETURN

iptables -A $chain -p udp -j DROP
iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset

iptables -vnL $chain


This would be a good feature request–the ability to disable and not just reorder.

1 Like

Thank you

thank you all! i will try it and give you feedback asap! :slight_smile:

Just remember disabling/noloading this will break your PJSIP trunks as it removes the ability to match on IP for inbound traffic from providers. I mean unless youre going to use SIP Registration for every trunk.

1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.