[asterisk-users] How does deny/permit work in sip.conf?

Frank Church voipfc at googlemail.com
Fri Aug 6 22:47:11 CDT 2010


On 7 August 2010 03:54, Bruce Ferrell <bferrell at baywinds.org> wrote:
> On 08/06/2010 07:30 PM, Bruce Ferrell wrote:
>> On 08/06/2010 02:16 PM, Frank Church wrote:
>>
>>> On 6 August 2010 16:21, Bruce Ferrell <bferrell at baywinds.org> wrote:
>>>
>>>
>>>> On 08/06/2010 07:45 AM, Frank Church wrote:
>>>>
>>>>
>>>>> I have been seeing some attempts to register devices on my Asterisk
>>>>> and I want to reconfigure it so that devices will be registered only
>>>>> if they are from the correct address, ie 192.168.1.8/255.255.255.255.
>>>>>
>>>>> I thought using a config like
>>>>>
>>>>> deny=0.0.0.0/0.0.0.0
>>>>> permit=192.168.1.8/255.255.255.255
>>>>>
>>>>> but it is not working the way I thought?
>>>>>
>>>>> Does that need a host=static.ip entry to work, rather than the
>>>>> deny/permit option?
>>>>>
>>>>> Does using a host=dynamic setting override any deny/permit and
>>>>> port=5060 options?
>>>>>
>>>>> Does being a peer or a user make a difference here?
>>>>>
>>>>>
>>>>>
>>>>>
>>>> I had this same problem once.  host=<ip address>  or host=dynamic if you
>>>> want to use permit/deny.  Permit/deny and host=dynamic allows a sip peer
>>>> or user to have a range of addresses.
>>>>
>>>> --
>>>>
>>>>
>>> Does permit/deny  have any influence on registration, or is it related
>>> to the destinations it can call to or receive call from?
>>>
>>> How do you stop an asterisk server from accepting registrations when
>>> the IP is outside a subnet even if the username and secret are
>>> correct?
>>>
>>> When host=dynamic registrations are accepted even if the permit IP is
>>> different from the registered device's IP address. Does permit/deny
>>> work on a single IP address, e.g. 192.168.4.111/255.255.255.255?
>>>
>>>
>>> The same seems to apply in the [general] section, with contactdeny and
>>> contactpermit
>>>
>>> When I set
>>>
>>> contactdeny=0.0.0.0/0.0.0.0
>>> contactpermit=192.168.4.111/255.255.255.255
>>>
>>> Devices whose IP is not 192.168.4.111 are able to register.
>>>
>>>
>>>
>> When I've used permit/deny, I did it in conjunction with insecure set to
>> port,invite to allow gateways that didn't register and don't use
>> username/secret to originate calls but only from the ip range in
>> permit.  In fact it was for a provider that had gateways on a large
>> number of IP addresses, all in the same CIDR block and I didn't want to
>> do an entry for each of  more than 100 gateways.
>>
>> contactpermit/contactdeny *should* work as you are suggesting that you
>> want. I've never tried that.  I may attempt it tonight and see on my 1.4
>> system.
>>
>>
>
> To follow up on my own reply.  I just tried this with one of my standard
> peers that I use for a softphone on a 1.6.2.10  and see the registration
> attempt come in at the console and a warning comes up
>
> : Host '192.0.2.40' disallowed by contact ACL (violating IP 192.0.2.40)
> : Registration denied because of contact ACL
>
> The peer does show in sip show peers and the softphone (twinkle) shows a
> Registration Fails with a 603 denied.
>
> So I'd say it's working
>
> --

I am using 1.4.27 and it doesn't seem to work.

I should probably try the 1.6 series
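
An added example, not part of the original thread and not Asterisk's own code: a small Python model of how an ordered deny/permit list is evaluated, assuming the rule that an address is allowed unless the last rule matching it is a deny. The names `parse_acl` and `acl_allows` are hypothetical, the sample ACLs are constructed from the values quoted above, and the model covers only the address match, not the point at which chan_sip applies it to a registration.

```python
import ipaddress

def parse_acl(lines):
    """Turn sip.conf style deny/permit lines into an ordered rule list."""
    rules = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key.startswith("contact"):            # contactdeny / contactpermit
            key = key[len("contact"):]
        if key not in ("deny", "permit"):
            raise ValueError("not an ACL line: %r" % raw)
        # Accepts the address/netmask form used in the thread.
        net = ipaddress.ip_network(value.strip(), strict=False)
        rules.append((key == "permit", net))
    return rules

def acl_allows(rules, addr):
    """Assumed semantics: default allow, last matching rule decides."""
    ip = ipaddress.ip_address(addr)
    allowed = True                               # an empty ACL permits
    for is_permit, net in rules:
        if ip in net:
            allowed = is_permit
    return allowed

# Constructed sample: the peer ACL from the first message, in that order.
THREAD_ACL = parse_acl([
    "deny=0.0.0.0/0.0.0.0",
    "permit=192.168.1.8/255.255.255.255",
])

# Constructed sample: same rules reversed, so the catch-all deny matches last.
REVERSED_ACL = parse_acl([
    "permit=192.168.1.8/255.255.255.255",
    "deny=0.0.0.0/0.0.0.0",
])

if __name__ == "__main__":
    for name, acl in (("thread order", THREAD_ACL), ("reversed", REVERSED_ACL)):
        for addr in ("192.168.1.8", "192.0.2.40"):
            verdict = "allowed" if acl_allows(acl, addr) else "denied"
            print("%-12s %-12s %s" % (name, addr, verdict))
```

Under this model the order of the lines matters: with the catch-all deny placed last, even the intended address is rejected.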

