Hello,
Has anyone applied the title task?
I have a PBX with hostname pbx.eg.com that resolves to IP 1.1.1.1.
When I get a register request to 1.1.1.1 I want the PBX to ignore that message, but when I try to register with pbx.eg.com it will respond.
My memory is a little soft right now, but it seems to me that @dicko came up with a way to set the system up so that it would only accept traffic bound for the FQDN and not just the address. I can’t for the life of me remember how to do that - it just seems to me that there is a way.
Chan_sip has a simple, global domain= parameter to do this. Didn’t find an easy alternative for PJSip, but didn’t look very hard.
For clear text SIP, I block at iptables if there isn’t a valid ext@fqdn in the packet.
For chan_sip add to /etc/asterisk/sip_general_custom.conf:
domain=pbx.eg.com
domain=127.0.0.1
For chan_pjsip you need to disable identify by ip, there is probably a way to do it in the gooey but adding to /etc/asterisk/modules.conf
noload = res_pjsip_endpoint_identifier_ip.so
should also work, as perhaps would just reordering them in the gooey pjsip config page (which I haven’t tried).
Since chan_sip is deprecated, pjsip is the only way though.
@dicko So I just have to noload the module? Where should I add the FQDN for pjsip? Could you help a bit more?
I don’t use the FreePBX firewall, so am not sure this could be easily integrated without getting clobbered.
Below is a simplified version of what is in my firewall script. It creates a chain that allows extensions in the “Roaming” group and drops any other traffic. I leave it to the user to determine the appropriate placement of any jump to the chain.
#!/bin/bash
# Collect the devices (extensions) assigned to users in the "Roaming" group
extensions="$(php -r ' include "/etc/freepbx.conf";
    $um = FreePBX::Create()->Userman;
    $users = $um->getGroupByUsername("Roaming")["users"];
    foreach($users as $u) {
        $devs = $um->getAssignedDevices($u);
        foreach($devs as $d) echo $d, "\n";
    }'
)"
chain=checkExt
fqdn=mypbx.mydomain.tld
# Create the chain, then flush it so reruns start empty
iptables -N $chain
iptables -F $chain
# Allow packets that contain sip:<extension>@<fqdn>
for ext in $extensions; do
    iptables --wait 5 -A $chain -m string --string "sip:$ext@$fqdn" --algo bm -m comment --comment "valid extension" -j RETURN
done
# Everything else is dropped (UDP) or reset (TCP)
iptables -A $chain -p udp -j DROP
iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset
# Show the resulting rules
iptables -vnL $chain
This would be a good feature request–the ability to disable and not just reorder.
Thank you
Thank you all! I will try it and give you feedback asap!
Just remember disabling/noloading this will break your PJSIP trunks as it removes the ability to match on IP for inbound traffic from providers. I mean unless you’re going to use SIP Registration for every trunk.
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
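An offline dry run of the accept/drop decision made by the checkExt chain in the firewall script earlier in this thread, showing why a REGISTER aimed at the bare IP is dropped while one aimed at the FQDN passes. This is an added example, not code from any poster: the extension list (100, 101) and the minimal REGISTER messages are constructed, and the hostname and IP are the ones from the question.

```shell
#!/bin/bash
# Dry run of the checkExt chain's decision, without touching iptables.
# The chain RETURNs (allows) a packet whose payload contains the literal
# bytes "sip:<ext>@<fqdn>" for a listed extension and drops everything else.

FQDN="pbx.eg.com"        # hostname used in the thread
EXTENSIONS="100 101"     # constructed extension list (assumption)

# verdict PAYLOAD -> prints RETURN or DROP, mirroring the chain's rule order.
verdict() {
    local payload=$1 ext
    for ext in $EXTENSIONS; do
        # Quoted pattern = literal, case-sensitive substring, like
        # "-m string --string ... --algo bm" without --icase.
        case $payload in
            *"sip:$ext@$FQDN"*) echo RETURN; return 0 ;;
        esac
    done
    echo DROP
}

# register_msg HOST EXT -> constructed, minimal REGISTER as sent by a phone
# whose "server" setting is HOST. The Request-URI has no user part, so the
# match can only hit headers such as To and From.
register_msg() {
    printf 'REGISTER sip:%s SIP/2.0\r\n' "$1"
    printf 'To: <sip:%s@%s>\r\n' "$2" "$1"
    printf 'From: <sip:%s@%s>;tag=constructed\r\n' "$2" "$1"
    printf 'Call-ID: constructed-1\r\nCSeq: 1 REGISTER\r\n\r\n'
}

# show HOST EXT -> one summary line per constructed sample.
show() {
    printf '%-12s ext %-5s -> %s\n' "$1" "$2" "$(verdict "$(register_msg "$1" "$2")")"
}

show pbx.eg.com 100    # phone configured with the FQDN
show 1.1.1.1    100    # phone or scanner configured with the bare IP
show pbx.eg.com 999    # FQDN, but extension not in the list
show pbx.eg.com 1001   # longer number sharing a prefix with 100
```

The match works on cleartext payload bytes only, so it applies to SIP over UDP/TCP and not to SIP over TLS, as the poster's "clear text SIP" remark implies.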