FreePBX accept SIP requests only with hostname

Hello,

Has anyone done the task in the title?

I have a PBX with hostname pbx.eg.com that resolves to IP 1.1.1.1.
When I get a register request to 1.1.1.1, I want the PBX to ignore that message, but when I try to register with pbx.eg.com it should respond.

My memory is a little soft right now, but it seems to me that @dicko came up with a way to set the system up so that it would only accept traffic bound for the FQDN and not just the address. I can’t for the life of me remember how to do that - it just seems to me that there is a way.

Chan_sip has a simple, global domain= parameter to do this. Didn’t find an easy alternative for PJSip, but didn’t look very hard.

For clear text SIP, I block at iptables if there isn’t a valid ext@fqdn in the packet.

For chan_sip, add to /etc/asterisk/sip_general_custom.conf

domain=pbx.eg.com
domain=127.0.0.1

For chan_pjsip you need to disable identify by ip, there is probably a way to do it in the gooey but adding to /etc/asterisk/modules.conf

noload = res_pjsip_endpoint_identifier_ip.so

should also work, as perhaps would just reordering them in the gooey pjsip config page (which I haven’t tried)

1 Like

Since chan_sip is deprecated pjsip is the only way though.

@dicko so I just have to noload the module? Where should I add the FQDN for PJSIP? Could you help a bit more? :)

Hi @jerrm,
Do you mind sharing how you are doing that?

Thanks

1 Like

I don’t use the FreePBX firewall, so am not sure this could be easily integrated without getting clobbered.

Below is a simplified version of what is in my firewall script. It creates a chain that allows extensions in the “Roaming” group and drops any other traffic. I leave it to the user to determine the appropriate placement of any jump to the chain.


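#!/bin/bash
# Collect the devices (extensions) assigned to users in the "Roaming"
# User Manager group, one per line.
extensions="$(php -r '  include "/etc/freepbx.conf";
                        $um = FreePBX::Create()->Userman;
                        $users = $um->getGroupByUsername("Roaming")["users"];
                        foreach($users as $u) {
                                $devs = $um->getAssignedDevices($u);
                                foreach($devs as $d) echo $d, "\n";
                        }'
                )"

chain=checkExt
fqdn=mypbx.mydomain.tld

# Create the chain (this errors harmlessly if it already exists), then empty it.
iptables -N "$chain"
iptables -F "$chain"

# One rule per extension: a packet containing sip:<ext>@<fqdn> returns to the
# calling chain and continues through the rest of the firewall.
for ext in $extensions; do
        iptables --wait 5 -A "$chain" -m string --string "sip:$ext@$fqdn" --algo bm -m comment --comment "valid extension" -j RETURN
done

# Everything else that reaches this chain is dropped (UDP) or reset (TCP).
iptables -A "$chain" -p udp -j DROP
iptables -A "$chain" -p tcp -j REJECT --reject-with tcp-reset

# Show the resulting chain with packet counters.
iptables -vnL "$chain"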

2 Likes
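An added example, not part of the post above: an offline model of the checkExt chain that shows which cleartext REGISTER messages would pass, using `grep -F` as a stand-in for the case-sensitive `-m string --algo bm` match. The extension list, the `chain_verdict` and `make_register` helpers, and the SIP messages are constructed for illustration.

```shell
#!/bin/bash
# Offline model of the checkExt chain: iptables "-m string --algo bm" is a
# case-sensitive fixed-substring search over the packet, so grep -F is a
# close stand-in for testing which SIP messages the chain would let through.

FQDN="mypbx.mydomain.tld"      # same placeholder as the script above
EXTENSIONS="10 201"            # constructed sample of "Roaming" devices

# Print RETURN if the payload contains sip:<ext>@<fqdn> for an allowed
# extension (the per-extension rules), otherwise DROP (the final UDP rule).
chain_verdict() {
    local payload="$1" ext
    for ext in $EXTENSIONS; do
        if printf '%s' "$payload" | grep -qF -- "sip:${ext}@${FQDN}"; then
            echo RETURN
            return 0
        fi
    done
    echo DROP
}

# Build a minimal, constructed REGISTER (not a capture).
# $1 = extension, $2 = host part used in the Request-URI, To and From.
make_register() {
    printf 'REGISTER sip:%s SIP/2.0\r\n' "$2"
    printf 'To: <sip:%s@%s>\r\n' "$1" "$2"
    printf 'From: <sip:%s@%s>;tag=constructed\r\n' "$1" "$2"
    printf 'Call-ID: constructed-example\r\nCSeq: 1 REGISTER\r\n\r\n'
}

# Show the verdict for a few constructed cases.
demo() {
    local c
    for c in "201 $FQDN" "201 1.1.1.1" "999 $FQDN" "100 $FQDN"; do
        set -- $c
        printf '%-4s @ %-20s -> %s\n' "$1" "$2" \
            "$(chain_verdict "$(make_register "$1" "$2")")"
    done
}
demo
```

Because the match is case-sensitive, a phone configured with the FQDN in a different case than the rule would also be dropped; the model makes it easy to check such client settings before loading the chain.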

This would be a good feature request–the ability to disable and not just reorder.

1 Like

Thank you

Thank you all! I will try it and give you feedback ASAP! :)

Just remember disabling/noloading this will break your PJSIP trunks, as it removes the ability to match on IP for inbound traffic from providers. I mean, unless you're going to use SIP Registration for every trunk.

1 Like
