[asterisk-users] permit/deny in sip.conf iax.conf

Olle E. Johansson oej at edvina.net
Thu Mar 25 06:28:40 CDT 2010


24 mar 2010 kl. 16.48 skrev Karl Fife:

>>> Steve Edwards wrote:
>>> 
>>>> It may not be as intended, but from a "user" standpoint, it seems
>>>> logical and convenient to establish "policy" in [general] and make
>>>> exceptions in the entities as needed.
>>> 
>>> Right... for when you have one policy. When you have two policies, each
>>> that apply to a dozen or more entries in the config file, then it really
>>> doesn't help, it harms. Templates solve that problem completely, because
>>> each policy can be its own (named!) template, and they can be combined.
>>> Since templates are also very easy to use for the single policy case,
>>> they are a better solution to teach people (and they're also easier to
>>> implement in the configuration code of the module).
>>> 
>>> In other modules created since chan_sip, we've intentionally avoided
>>> this problem, and you'll note that in nearly every other module, the
>>> [general] section is exactly that; general settings for the module, and
>>> not defaults.
>> 
>> In my NACL work, I implemented a channel-wide NACL for blacklist purposes.
> 
> Can you talk more about this?  Were your Named ACLs something other than
> templates?
> 
> What was/were the specific 'pain point/s' you were trying to assuage?  For 
> example did you need something not currently offered in the existing 
> frameworks, for example DNS-resolved hostnames for permitting/restricting 
> registration/connection?  Or were you just doing a 
> clever/elaborate/well-implemented setup of the existing frameworks?
> 
> I for one would love to hear your 10,000-foot concepts and any details you'd
> be willing to share.
Well, I've written several mails and blog entries about this. Many discussions
about security in Asterisk have ended with the need for a new concept
for ACLs, something that can be manipulated by Asterisk using the C API,
by using manager and the CLI. So currently, it's a framework. You can
create a named ACL that is used by multiple devices or SIP trunks.

In the future, we have the API to build all kinds of blacklist/whitelist functions.
And I'm open to input on what's needed here. Now we have the framework
to build on.

http://www.voip-forum.com/asterisk/2010-01/manageable-access-control-lists-asterisk-nacls/
http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/README.nacl

It's something I'm working on just for fun, so it moves slowly forward.

/O
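The quoted reply above argues for expressing each permit/deny policy as a named template rather than as defaults in [general], so that policies can be combined per entity. The sip.conf fragment below is an added illustration of that approach; it is not from the thread, Olle's NACL branch, or Asterisk's own documentation. Section names, networks (RFC 5737 test ranges) and the secret are constructed for the example.

```ini
; Constructed sip.conf example of the template approach discussed above.
; It is not taken from the thread or from Asterisk's documentation.

[general]
; Module-wide settings only. No permit/deny lines here, so no ACL
; leaks into peers as an implicit default.

; "(!)" marks a section as a template. A template is never loaded as a
; peer itself; it only contributes its lines to sections that name it.

; The deny-all rule lives in its own template. chan_sip builds a peer's
; ACL from its permit/deny lines in the order they appear, and the last
; matching entry wins, so deny-all must come first and must appear only
; once, otherwise a later deny-all would cancel an earlier permit.
[acl-deny-all](!)
deny=0.0.0.0/0.0.0.0

; Policy 1: handsets on the management LAN (constructed range).
[policy-lan](!)
permit=192.0.2.0/255.255.255.0

; Policy 2: a carrier's signalling addresses (constructed ranges).
[policy-carrier](!)
permit=198.51.100.0/255.255.255.0
permit=203.0.113.0/255.255.255.0

; A handset that may only register from the LAN.
; Templates are applied in the order listed: deny-all, then the LAN permit.
[desk-phone-01](acl-deny-all,policy-lan)
type=friend
host=dynamic
secret=PLACEHOLDER_CHANGE_ME   ; constructed placeholder
context=internal

; A trunk that combines both policies.
; Resulting ACL, in evaluation order:
;   deny 0.0.0.0/0, permit 192.0.2.0/24, permit 198.51.100.0/24, permit 203.0.113.0/24
[carrier-trunk](acl-deny-all,policy-lan,policy-carrier)
type=peer
host=sip.example.net           ; constructed hostname
context=from-carrier
```

Keeping the deny-all line out of the policy templates is what makes them composable: each policy only adds permits, and the single deny-all template supplies the closed default. If deny-all were repeated inside every policy template, the second template's deny would override the first template's permit, and a combined section would silently lose the first policy.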
