[asterisk-users] Asterisk ACL

Steve Davies davies147 at gmail.com
Mon Apr 2 09:02:59 CDT 2012


On 2 April 2012 14:06, Mark Farmer <mark.farmer at gagenetworks.com> wrote:
>
>
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Leandro
> Dardini
> Sent: 02 April 2012 13:53
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Asterisk ACL
>
>
>
> Your understanding of the problem seems incorrect. The problem seems due to
> the extension not available in your dialplan. Please check carefully in
> which context the call is placed and if the extension is defined in that
> context.
>
>
>
> Maybe it can be useful to define a _X. extension to catch all not defined
> extensions.
>
>
>
> Leandro
>
> [Mark Farmer]
>
> The problem is that the inbound call is not being matched by the correct
> peer and as such falls through to the default context which is not supposed
> to match.
>
> The problem is around the matching of a range of IP addresses to one peer.
>
> Thanks
>
> Mark.

Mark,

This is a problem I have encountered regularly. Your mistake is
thinking that setting deny/permit will cause a peer to be matched if
it falls in the permitted range. It will not. The peer will only match
if the source IP address matches the host= value, and in the case of
"dynamic" it must match the IP address of the party that registered.

deny/permit will also restrict a 'type=user' or 'type=friend' so that
the username can only be attempted from specified IP ranges.

IAX does what you expect, and I have thought regularly of implementing
in SIP what you expected to be the normal behaviour, but in fact, the
deny/permit will limit where the original registration can come from,
but AFAIK does not get used for subsequent (INVITE) matches until
after the host IP match is completed.

At present, the best solution is to change type to 'friend' and use
username/password based authentication.

"Buyer beware" - I believe the above to be true, and I hope it makes sense!

Regards,
Steve
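
The matching behaviour described in the message above, as an added example that is not part of the original post and is not Asterisk code: a simplified Python model in which only host= selects a peer for an INVITE, while deny/permit acts purely as a restriction. Entry names, addresses and the secret are constructed, and the lookup order (username first, then source IP) and the last-matching-rule ACL evaluation are assumptions of the model.

```python
import hmac
import ipaddress

# Constructed entries modelling sip.conf sections; names, addresses and secret are invented.
ACL = [("deny", "0.0.0.0/0"), ("permit", "192.0.2.0/24")]
ENTRIES = {
    "carrier-peer": {"type": "peer", "host": "192.0.2.10", "acl": ACL,
                     "context": "from-carrier"},
    "carrier-friend": {"type": "friend", "secret": "constructed-secret", "acl": ACL,
                       "context": "from-carrier"},
}
DEFAULT_CONTEXT = "default"  # where calls that match no entry land


def acl_allows(acl, src_ip):
    """Evaluate deny/permit rules in order; the last rule that matches decides."""
    addr, allowed = ipaddress.ip_address(src_ip), True
    for sense, network in acl:
        if addr in ipaddress.ip_network(network):
            allowed = sense == "permit"
    return allowed


def route_invite(src_ip, username=None, secret=None):
    """Return the dialplan context for an inbound INVITE, or None if refused."""
    # Username match (type=friend/user): the ACL only restricts where the
    # username may be tried from; the secret still has to be correct.
    entry = ENTRIES.get(username)
    if entry and entry["type"] in ("friend", "user"):
        if not acl_allows(entry["acl"], src_ip):
            return None
        ok = hmac.compare_digest(secret or "", entry["secret"])
        return entry["context"] if ok else None
    # IP match: only host= selects the peer; permit/deny is checked afterwards.
    for entry in ENTRIES.values():
        if entry.get("host") == src_ip:
            return entry["context"] if acl_allows(entry["acl"], src_ip) else None
    # Being inside a permit range never selects a peer, so the call falls through.
    return DEFAULT_CONTEXT


if __name__ == "__main__":
    for case in [("192.0.2.10",), ("192.0.2.55",),
                 ("192.0.2.55", "carrier-friend", "constructed-secret"),
                 ("203.0.113.5", "carrier-friend", "constructed-secret")]:
        print(case, "->", route_invite(*case))
```
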


