[asterisk-users] How does deny/permit work in sip.conf?

Bruce Ferrell bferrell at baywinds.org
Fri Aug 6 21:54:26 CDT 2010


On 08/06/2010 07:30 PM, Bruce Ferrell wrote:
> On 08/06/2010 02:16 PM, Frank Church wrote:
>> On 6 August 2010 16:21, Bruce Ferrell <bferrell at baywinds.org> wrote:
>>> On 08/06/2010 07:45 AM, Frank Church wrote:
>>>> I have been seeing some attempts to register devices on my Asterisk
>>>> and I want to reconfigure it so that devices will be registered only
>>>> if they are from the correct address, i.e. 192.168.1.8/255.255.255.255.
>>>>
>>>> I thought using a config like
>>>>
>>>> deny=0.0.0.0/0.0.0.0
>>>> permit=192.168.1.8/255.255.255.255
>>>>
>>>> but it is not working the way I thought?
>>>>
>>>> Does that need a host=static.ip entry to work, rather than the
>>>> deny/permit option?
>>>>
>>>> Does using a host=dynamic setting override any deny/permit and
>>>> port=5060 options?
>>>>
>>>> Does being a peer or a user make a difference here?
>>>>
>>> I had this same problem once.  host=<ip address>  or host=dynamic if you
>>> want to use permit/deny.  Permit/deny and host=dynamic allows a sip peer
>>> or user to have a range of addresses.
>>>
>>> --
>> Does permit/deny have any influence on registration, or is it related
>> to the destinations it can call to or receive calls from?
>>
>> How do you stop an asterisk server from accepting registrations when
>> the IP is outside a subnet even if the username and secret are
>> correct?
>>
>> When host=dynamic, registrations are accepted even if the permit IP is
>> different from the registered device's IP address. Does permit/deny
>> work on a single IP address, e.g. 192.168.4.111/255.255.255.255?
>>
>>
>> The same seems to apply in the [general] section, with contactdeny and
>> contactpermit.
>>
>> When I set
>>
>> contactdeny=0.0.0.0/0.0.0.0
>> contactpermit=192.168.4.111/255.255.255.255
>>
>> Devices whose IP is not 192.168.4.111 are able to register.
>>
> When I've used permit/deny, I did it in conjunction with insecure set to
> port,invite to allow gateways that didn't register and don't use
> username/secret to originate calls but only from the ip range in
> permit.  In fact it was for a provider that had gateways on a large
> number of IP addresses, all in the same CIDR block and I didn't want to
> do an entry for each of more than 100 gateways.
>
> contactpermit/contactdeny *should* work as you are suggesting that you
> want. I've never tried that.  I may attempt it tonight and see on my 1.4
> system.
>

To follow up on my own reply.  I just tried this with one of my standard
peers that I use for a softphone on a 1.6.2.10 and see the registration
attempt come in at the console and a warning comes up:

: Host '192.0.2.40' disallowed by contact ACL (violating IP 192.0.2.40)
: Registration denied because of contact ACL

The peer does show in sip show peers and the softphone (twinkle) shows a
Registration Fails with a 603 denied.

So I'd say it's working.
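
Added example, not part of the thread and not Asterisk's own code: a small Python model of how an ordered deny/permit list is evaluated (every rule is checked in file order, the last rule that matches decides, and an address matching no rule is allowed), run over the rule sets quoted in the thread. The function and constant names are hypothetical, and the model does not cover which address (packet source or Contact host) Asterisk compares against each list.

```python
import ipaddress

# Constructed rule sets in sip.conf syntax, using the addresses from the thread.
THREAD_RULES = """
deny=0.0.0.0/0.0.0.0
permit=192.168.1.8/255.255.255.255
"""
REVERSED_RULES = """
permit=192.168.1.8/255.255.255.255
deny=0.0.0.0/0.0.0.0   ; last match, so this overrides the permit above
"""
CONTACT_RULES = """
contactdeny=0.0.0.0/0.0.0.0
contactpermit=192.168.4.111/255.255.255.255
"""

def parse_rules(text, allow_key="permit", deny_key="deny"):
    """Return [(allowed, network)] in file order (hypothetical helper)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in (allow_key, deny_key):
            net = ipaddress.ip_network(value, strict=False)  # accepts ip/netmask
            rules.append((key == allow_key, net))
    return rules

def acl_allows(rules, addr):
    """Walk every rule in order; the last one that matches sets the result.
    Assumption of this model: no matching rule means the address is allowed."""
    ip = ipaddress.ip_address(addr)
    allowed = True
    for sense, net in rules:
        if ip in net:
            allowed = sense
    return allowed

if __name__ == "__main__":
    peer = parse_rules(THREAD_RULES)
    contact = parse_rules(CONTACT_RULES, "contactpermit", "contactdeny")
    for label, rules, addr in [("peer", peer, "192.168.1.8"),
                               ("peer", peer, "192.168.1.9"),
                               ("contact", contact, "192.168.4.111"),
                               ("contact", contact, "192.0.2.40")]:
        verdict = "allowed" if acl_allows(rules, addr) else "denied"
        print(f"{label:8} {addr:15} {verdict}")
```

Because the last match wins, the deny-all line has to come before the specific permit; in the reversed order every address, including 192.168.1.8, is denied.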


