[asterisk-users] Re: How to separate outgoing extens from the contexts from s
Yuan LIU
yliu11 at hotmail.com
Thu Feb 22 02:30:35 MST 2007
>From: Larry Alkoff <labradley at mindspring.com>
>Date: Wed, 21 Feb 2007 20:00:52 -0600
...
>"You should consider that if any channel, incoming line, etc can enter an
>extension context that it has the capability of accessing any extension
>within that context.
>
>Therefore, you should NOT allow access to outgoing or toll services in
>contexts that are accessible (especially without a password) from incoming
>channels "
>
>Doesn't that mean that
>1. I have to have context=toll-access]
>in any phone that can make toll calls
>2. There is no way to give access to all internal phones unless I violate
>voip-info's security directive above?
Not really. The voip-info warning is about "incoming channels". By
definition they exclude any of your internal phones. The key is to use
one context for your phones and a different one for your incoming line.
For example, suppose all your internal phones are SIP phones, and you use an
FXO channel for incoming. Then your sip.conf would include
"context=toll-access" with all devices, but the general section would have
"context=incoming". Your zapata.conf would also include "context=incoming".
Your extensions.conf may look like:
[globals]
; global variables go in [globals]; [general] is for dialplan options
sippy1=SIP/phone1 ; living room
sippy2=SIP/phone2 ; kitchen
sippy3=SIP/phone3 ; bedroom
sippy4=SIP/phone4 ; laundry room
[incoming]
exten => s,1,NoOp(no dialing out allowed)
exten => s,n,Answer()
exten => s,n,Background(press-1-for-living-room&press-2-for-kitchen&...)
exten => s,n,Dial(${sippy1}&${sippy3},15) ; ring living room and bedroom first
exten => s,n,Dial(${sippy1}&${sippy3}&${sippy2}&${sippy4}) ; ring 'em all
exten => s,n,Hangup
exten => 1,1,Dial(${sippy1}) ; 1 is for living room
exten => 2,1,Dial(${sippy2}) ; 2 for kitchen
exten => 3,1,Dial(${sippy3}) ; 3 rings bedroom
exten => 4,1,Dial(${sippy4}) ; 4 rings laundry room
exten => 0,1,Dial(${sippy1}&${sippy3}&${sippy2}&${sippy4}) ; ring 'em all
[toll-access]
; allow toll access and internal calls
exten => _Z.,1,Dial(Zap/1/${EXTEN}) ; anything other than [0-4] will go to toll
exten => _[0-4],1,Goto(incoming,${EXTEN},1) ; internal "extensions"
>Since I can give a password from sip.conf, is there an easy way to
>automatically give that password in calls made from my internal phones
>in such a way that external callers won't know the password even if they
>breach the system?
Once you separate the contexts, there is no need for internal password.
>How do people breach a system anyway? I've heard about hitting an
For example, if instead of separate contexts, your sip.conf has general
context and device context all in [default] (and zapata.conf has FXO channel
also in [default] context). Your [default] will look something like:
[default]
exten => s,1,Answer()
exten => s,n,Background(press-1-for-living-room&press-2-for-kitchen&...)
exten => s,n,Dial(${sippy1}&${sippy3},15) ; ring living room and bedroom first
exten => s,n,Dial(${sippy1}&${sippy3}&${sippy2}&${sippy4}) ; ring 'em all
exten => s,n,Hangup
exten => _Z.,1,Dial(Zap/1/${EXTEN}) ; anything other than [0-4] will go to toll
exten => 1,1,Dial(${sippy1}) ; 1 is for living room
exten => 2,1,Dial(${sippy2}) ; 2 for kitchen
exten => 3,1,Dial(${sippy3}) ; 3 rings bedroom
exten => 4,1,Dial(${sippy4}) ; 4 rings laundry room
exten => 0,1,Dial(${sippy1}&${sippy3}&${sippy2}&${sippy4}) ; ring 'em all
Now, some random SIP dialers on the net may land on your Asterisk SIP
address. This will invoke extension s at default. If the caller dials 1
during your announcement after Asterisk answers, only living room rings.
But if the caller starts to dial 011315158005, Asterisk will transfer to
that extension, which will be matched by _Z. and dials out from your FXO
(Zap/1). Even if you don't have a lengthy announcement like illustrated
above, there's still a possibility that Asterisk intercepts the toll number
the caller dials in between priorities before priorities in s extension.
Even if you don't use Answer at all, there's a possibility that Asterisk
intercepts the toll number after you hang up but before the dial plan is
taken to h priority. The fewer IVR functions you implement, the lower the
risk. But there's always this possibility.
This is my understanding. More knowledgeable please correct me if I'm
wrong.
Yuan Liu
>'*' as soon as the connection is made but don't understand it.
>Or much else apparently <g>.
>
>Larry
>
>--
>Larry Alkoff N2LA - Austin TX
>Using Thunderbird on Linux
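
Added example, not part of the original message: a small Python audit that, for a given entry context, lists every extension pattern reachable through include or Goto that dials the toll trunk. It assumes the trunk is a Zap channel as in the message; the function names are hypothetical and the two dialplans are constructed, abridged copies of the ones above.

```python
import re

# Constructed, abridged copies of the two layouts described in the message.
SHARED = """
[default]
exten => s,1,Answer()
exten => _Z.,1,Dial(Zap/1/${EXTEN}) ; toll
exten => 1,1,Dial(${sippy1})
"""
SEPARATED = """
[incoming]
exten => s,1,Answer()
exten => 1,1,Dial(${sippy1})
[toll-access]
exten => _Z.,1,Dial(Zap/1/${EXTEN}) ; toll
exten => _[0-4],1,Goto(incoming,${EXTEN},1)
"""

TRUNK = re.compile(r"Dial\(\s*Zap/", re.I)  # assumption: the toll trunk is a Zap channel
GOTO = re.compile(r"Goto\(([^,|)]+)[,|][^,|)]+[,|][^)]+\)", re.I)  # Goto(context,exten,prio)

def parse(text):
    """Return {context: {"trunk": [exten patterns], "next": {contexts}}}."""
    ctxs, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            cur = ctxs.setdefault(m.group(1), {"trunk": [], "next": set()})
        elif cur is None or not line:
            continue
        elif m := re.match(r"include\s*=>\s*([^,|\s]+)", line):
            cur["next"].add(m.group(1))
        elif m := re.match(r"exten\s*=>\s*([^,]+),[^,]+,(.*)", line):
            if TRUNK.search(m.group(2)):
                cur["trunk"].append(m.group(1).strip())
            if g := GOTO.search(m.group(2)):
                cur["next"].add(g.group(1).strip())
    return ctxs

def toll_exposure(text, entry):
    """Trunk-dialing patterns in every context reachable from the entry context."""
    ctxs, seen, todo = parse(text), set(), [entry]
    while todo:
        c = todo.pop()
        if c in ctxs and c not in seen:
            seen.add(c)
            todo.extend(ctxs[c]["next"])
    return {c: ctxs[c]["trunk"] for c in sorted(seen) if ctxs[c]["trunk"]}

if __name__ == "__main__":
    print(toll_exposure(SHARED, "default"), toll_exposure(SEPARATED, "incoming"))
```

Run it with the context named in the general section of sip.conf and in zapata.conf as the entry; an empty result means no trunk-dialing pattern is reachable from that context by include or Goto.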