How to allow incoming SIP calls from a range of addresses without allowing anonymous SIP calls?

Does anyone know of a way to allow incoming SIP calls from a particular range of IP addresses without just opening up the system and allowing anonymous SIP calls? The problem is that I get calls from one provider that uses SIP forwarding - there is no registration, the calls just come in via SIP to somenumber@my_freepbx_box. If I allow anonymous SIP the calls come in with no problem, but past experience has shown that’s not a good thing to do. Or, if I create a dummy SIP trunk with no registration but with the following in the peer details, the calls come in:

host=server1.provider.tld    ; peer is matched by the address this name resolves to
type=peer                    ; accept calls from that host only; no registration involved
dtmfmode=rfc2833             ; DTMF carried as RTP events
context=from-trunk           ; hand inbound calls to the FreePBX inbound routes
disallow=all                 ; clear the codec list ...
allow=ulaw                   ; ... then permit only G.711 mu-law

In retrospect I’m not sure the dtmfmode line is necessary, but the real problem is that the calls don’t always come from “server1”; sometimes they can come from server2, server3, and so on. The only way I’ve found around this so far is to create a new trunk for each server, but since I don’t know what servers calls might come from in the future, what I’d really like to do is allow incoming SIP calls from any IP address that resolves to *.provider.tld, or failing that, from any dotted IP address within a specific range (so far all their servers differ only in the last part of the IP address). I’ve tried searching Google but either I’m not using the right search terms or nobody else has cracked this nut. If anyone knows how to do this, or could point me to a link that addresses this issue, I’d be most appreciative.

There are various options that can be done, but it’s not really the place of your PBX to provide that level of firewall protection.

One problem with trying to do things like this (including just blocking anonymous SIP calls) in your PBX is that it won’t stop Asterisk SIP vulnerabilities when they arise and are exploited; a firewall will, if you are restricting the IP addresses that SIP calls can originate from.

Thanks for the response. Getting the list of IP addresses isn’t as much of an issue as the fact that those addresses could change at some point in the future, and I was hoping not to have to create a separate trunk for each individual IP address - that does seem rather inefficient, though I suppose that’s an Asterisk issue, not a FreePBX issue. I’ll just do what I’m doing now, but was hoping for a better way.

Here’s a really out-there thought: have you ever considered creating a module that would allow users to selectively allow or block incoming access to SIP and IAX connections based on, among other things, location? There must be ways to tell where a connection is coming from (after all, if the BBC can block my ability to watch Doctor Who because I live in the U.S., they must have some way of determining where I live), and it would be great to have a way to allow or block connections selectively from different countries, or even from different states/provinces within the U.S. or Canada. I know this is probably a bit outside the normal feature set for a PBX, but for those of us who don’t really understand things like Linux firewalls all that well, it would be a real help in keeping the bad guys away.

For security reasons, a SIP provider should be able to tell you the full set of IP addresses that your calls may come from, so that you can control your security.

The only two options that I know of (and the combination is probably best) are to have a trunk for each server and, in addition to that, to use your firewall (which is going to be the best solution if you are concerned about security).

Barring that, use anonymous SIP and just use the firewall.
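The firewall approach recommended in the replies, as an added example that is not from this thread, from FreePBX or from Asterisk: a POSIX shell script that generates an iptables allowlist for inbound SIP signalling (port 5060, UDP and TCP) restricted to the provider's address ranges, plus a small CIDR check that shows which source addresses those rules would let through. The ranges 203.0.113.0/24 and 198.51.100.0/28 are constructed documentation addresses; substitute the list your provider publishes. Because iptables matches addresses rather than names, a wildcard such as *.provider.tld cannot be expressed directly; any host names the provider gives would have to be resolved when the rules are generated.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables allowlist so that only
# the provider's ranges can reach Asterisk's SIP port. Only signalling is
# covered here; RTP media ports are a separate concern.

SIP_PORT=5060
# Constructed placeholder ranges; replace with the ranges your provider publishes.
PROVIDER_RANGES="203.0.113.0/24 198.51.100.0/28"

# ip_to_int DOTTED_QUAD: print the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed when IP falls inside CIDR (e.g. 203.0.113.0/24).
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # Left-shift a full 32-bit mask; /0 shifts everything out and yields 0.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# sip_allowed IP: succeed when any provider range contains IP; this is the
# decision the generated chain makes for a packet from that source.
sip_allowed() {
    for range in $PROVIDER_RANGES; do
        in_cidr "$1" "$range" && return 0
    done
    return 1
}

# gen_rules: print the iptables commands so they can be reviewed first,
# then run as root with: gen_rules | sh
gen_rules() {
    echo "iptables -N SIP_IN 2>/dev/null"
    echo "iptables -F SIP_IN"
    # Jump into the chain from INPUT, but only add the jump once.
    for proto in udp tcp; do
        echo "iptables -C INPUT -p $proto --dport $SIP_PORT -j SIP_IN 2>/dev/null || iptables -A INPUT -p $proto --dport $SIP_PORT -j SIP_IN"
    done
    for range in $PROVIDER_RANGES; do
        echo "iptables -A SIP_IN -s $range -j ACCEPT"
    done
    # Rate-limited log of rejected sources for later review, then drop.
    echo "iptables -A SIP_IN -m limit --limit 5/min -j LOG --log-prefix \"SIP-DROP: \""
    echo "iptables -A SIP_IN -j DROP"
}

# Stand-alone run: show the decision for two constructed sources, then the rules.
if [ "${1:-}" = "show" ]; then
    for src in 203.0.113.77 192.0.2.5; do
        if sip_allowed "$src"; then echo "$src: allowed"; else echo "$src: dropped"; fi
    done
    gen_rules
fi
```

Either combination the last reply describes (a trunk per server plus the firewall, or anonymous SIP plus the firewall) relies on rules like these to keep unknown sources away from chan_sip altogether; the LOG line before the final DROP leaves a record of what was rejected, which is useful when the provider adds a server you have not been told about.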