[asterisk-users] How does deny/permit work in sip.conf?

Bruce Ferrell bferrell at baywinds.org
Fri Aug 6 21:30:52 CDT 2010


On 08/06/2010 02:16 PM, Frank Church wrote:
> On 6 August 2010 16:21, Bruce Ferrell <bferrell at baywinds.org> wrote:
>   
>> On 08/06/2010 07:45 AM, Frank Church wrote:
>>     
>>> I have been seeing some attempts to register devices on my Asterisk
>>> and I want to reconfigure it so that devices will be registered only
>>> if they are from the correct address, i.e. 192.168.1.8/255.255.255.255.
>>>
>>> I thought using a config like
>>>
>>> deny=0.0.0.0/0.0.0.0
>>> permit=192.168.1.8/255.255.255.255
>>>
>>> but it is not working the way I thought?
>>>
>>> Does that need a host=static.ip entry to work, rather than the
>>> deny/permit option?
>>>
>>> Does using a host=dynamic setting override any deny/permit and
>>> port=5060 options?
>>>
>>> Does being a peer or a user make a difference here?
>>>
>>>
>>>       
>> I had this same problem once.  host=<ip address>  or host=dynamic if you
>> want to use permit/deny.  Permit/deny and host=dynamic allows a sip peer
>> or user to have a range of addresses.
>>
>> --
>>     
> Does permit/deny have any influence on registration, or is it related
> to the destinations it can call to or receive calls from?
>
> How do you stop an asterisk server from accepting registrations when
> the IP is outside a subnet even if the username and secret are
> correct?
>
> When host=dynamic, registrations are accepted even if the permit IP is
> different from the registered device's IP address. Does permit/deny
> work on a single IP address, e.g. 192.168.4.111/255.255.255.2555?
>
>
> The same seems to apply in the [general] section, with contactdeny and
> contactpermit.
>
> When I set
>
> contactdeny=0.0.0.0/0.0.0.0
> contactpermit=192.168.4.111/255.255.255.255
>
> Devices whose IP is not 192.168.4.111 are able to register.
>
>   

When I've used permit/deny, I did it in conjunction with insecure set to
port,invite to allow gateways that didn't register and don't use
username/secret to originate calls but only from the IP range in
permit.  In fact it was for a provider that had gateways on a large
number of IP addresses, all in the same CIDR block and I didn't want to
do an entry for each of more than 100 gateways.

contactpermit/contactdeny *should* work as you are suggesting that you
want. I've never tried that.  I may attempt it tonight and see on my 1.4
system.
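
Added example, not part of the original thread and not Asterisk source code: a small Python model of how an ordered deny/permit list like the one quoted above is evaluated, assuming Asterisk's ACL behaviour that every rule is checked in order, the last matching rule decides, and an address matching no rule is allowed. The function names and test addresses are made up for illustration, and the model covers only rule evaluation, not whether chan_sip consults the list when it handles a REGISTER.

```python
import ipaddress


def parse_acl(lines):
    """Turn 'deny=addr/mask' and 'permit=addr/mask' lines into ordered rules."""
    rules = []
    for line in lines:
        sense, _, spec = line.strip().partition("=")
        if sense not in ("deny", "permit"):
            raise ValueError(f"not an ACL line: {line!r}")
        # ip_network accepts dotted netmasks or prefix lengths and raises
        # ValueError on a malformed mask (this is Python's behaviour only).
        rules.append((sense, ipaddress.ip_network(spec, strict=False)))
    return rules


def acl_allows(rules, addr):
    """Check every rule in order; the last match decides, no match allows."""
    ip = ipaddress.ip_address(addr)
    allowed = True  # assumed default when nothing matches
    for sense, net in rules:
        if ip in net:
            allowed = (sense == "permit")
    return allowed


# The two rules from the thread, in the order posted.
THREAD_ACL = parse_acl([
    "deny=0.0.0.0/0.0.0.0",
    "permit=192.168.1.8/255.255.255.255",
])

# Same rules reversed (constructed): the deny-all now matches last.
REVERSED_ACL = parse_acl([
    "permit=192.168.1.8/255.255.255.255",
    "deny=0.0.0.0/0.0.0.0",
])

if __name__ == "__main__":
    # Constructed test addresses: the permitted host, a LAN neighbour,
    # and an unrelated outside address.
    for addr in ("192.168.1.8", "192.168.1.9", "203.0.113.50"):
        print(f"{addr:15} posted order: {acl_allows(THREAD_ACL, addr)!s:5} "
              f"reversed: {acl_allows(REVERSED_ACL, addr)}")
```

Under these assumptions the posted order admits only 192.168.1.8, while the reversed order blocks every address because the deny-all rule matches last.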


