[asterisk-users] Re: How to separate outgoing extens from the
contexts from sip.conf?
Larry Alkoff
labradley at mindspring.com
Wed Feb 21 19:00:52 MST 2007
Eric "ManxPower" Wieling wrote:
> Larry Alkoff wrote:
>> Eric "ManxPower" Wieling wrote:
>>> Larry Alkoff wrote:
>>>> Hello Eric.
>>>>
>>>> I don't fully understand your example.
>>>>
>>>> I _think_ you have in extensions.conf:
>>>>
>>>> [incoming]
>>>> include => extensions
>>>>
>>>> [extensions]
>>>> exten => 667
>>>> more exten here
>>>>
>>>> [toll-trunks]
>>>> exten => 91NXXNXXXXXX
>>>> more exten here
>>>>
>>>> [toll-access]
>>>> include => extensions
>>>> include => toll-trunks
>>>>
>>>> My understanding of 'include' is it's as if the 'include'
>>>> were typed line by line into the context.
>>>>
>>>> Since both extensions and toll-trunks are mixed together in
>>>> [toll-access], doesn't that give anyone who gains access to extensions
>>>> in [incoming] also access to toll-trunks? How does anyone on the
>>>> inside gain access to [toll-access]?
>>>>
>>>> Also I don't understand the 'doubling' of [extensions] by including it
>>>> in another context.
>>>>
>>>> I'm probably missing something here. Can you help me understand
>>>> this better?
>>>
>>> No. Any device in the [incoming] context will only have access to
>>> anything in the [incoming] and [extensions] context. i.e. it will
>>> not have access to any exten => lines that allow dialing out of the
>>> system. include => is only "one-way"
>>
>> I have a feeling that the answer is contained in your words but still
>> don't quite get it.
>>
>> Let me ask this: How do inside devices get access to [toll-access]?
>> I would like my inside devices to have access to everything unless I
>> specifically deny access.
>
> Contexts are both one of the most important and most difficult concepts
> to understand in Asterisk.
>
> Calls from inside devices land in the toll-access context in
> extensions.conf. This is because of the context=toll-access line in
> that device's section of sip.conf. This context in extensions.conf
> include =>'s the toll-trunks context. Therefore, the inside device gets
> access to the toll-trunks context.
I _think_ we are getting somewhere.
You are essentially saying that, in order to have access to
[toll-access] I would need a line context=toll-access
in a specific device(s).
In my case, the system is for my house. So I have it setup to ring
_all_ phones when a call comes in and would like my wife and I to be
able to call _anywhere_. Since we never know which phone will be handy,
it's necessary to give full access to all phones, which I think means
context=toll-access in sip.conf for all phones.
Doesn't that give access to any outside caller who can break into the
system?
Searching voip-info
(my other bible besides "The Future of Telephony" book)
they specically say
"You should consider that if any channel, incoming line, etc can enter
an extension context that it has the capability of accessing any
extension within that context.
Therefore, you should NOT allow access to outgoing or toll services in
contexts that are accessible (especially without a password) from
incoming channels "
Doesn't that mean that
1. I have to have context=toll-access]
in any phone that can make toll calls
2, There is no way to give access to all internal phones unless I
violate voip-info's security directive above?
Since I can give a password from sip.conf, is there an easy way to
automatically give that password in calls made from my internal phones
in such a way that external callers won't know the password even if they
breach the system?
How do people breach a system anyway? I've heard about hitting an '*'
as soon as the connection is made but don't understand it.
Or much else apparently <g>.
Larry
--
Larry Alkoff N2LA - Austin TX
Using Thunderbird on Linux
More information about the asterisk-users
mailing list