[asterisk-users] How does deny/permit work in sip.conf?

Matt Riddell lists at venturevoip.com
Sun Aug 8 18:21:51 CDT 2010


On 7/08/10 3:47 PM, Frank Church wrote:
> On 7 August 2010 03:54, Bruce Ferrell<bferrell at baywinds.org>  wrote:
>> On 08/06/2010 07:30 PM, Bruce Ferrell wrote:
>>> On 08/06/2010 02:16 PM, Frank Church wrote:
>>>
>>>> On 6 August 2010 16:21, Bruce Ferrell<bferrell at baywinds.org>  wrote:
>>>>
>>>>
>>>>> On 08/06/2010 07:45 AM, Frank Church wrote:
>>>>>
>>>>>
>>>>>> I have been seeing some attempts to register devices on my Asterisk
>>>>>> and I want to reconfigure it so that devices will be registered only
>>>>>> if they are from the correct address, ie 192.168.1.8/255.255.255.255.
>>>>>>
>>>>>> I thought using a config like
>>>>>>
>>>>>> deny=0.0.0.0/0.0.0.0
>>>>>> permit=192.168.1.8/255.255.255.255
>>>>>>
>>>>>> but it is not working the way I thought?
>>>>>>
>>>>>> Does that need a host=static.ip entry to work, rather than the
>>>>>> deny/permit option?
>>>>>>
>>>>>> Does using a host=dynamic setting override any deny/permit and
>>>>>> port=5060 options?
>>>>>>
>>>>>> Does being a peer or a user make a difference here?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> I had this same problem once.  host=<ip address>    or host=dynamic if you
>>>>> want to use permit/deny.  Permit/deny and host=dynamic allows a sip peer
>>>>> or user to have a range of addresses.
>>>>>
>>>>> --
>>>>>
>>>>>
>>>> Does permit/deny  have any influence on registration, or is it related
>>>> to the destinations it can call to or receive call from?
>>>>
>>>> How do you stop an asterisk server from accepting registrations when
>>>> the IP is outside a subnet even if the username and secret are
>>>> correct?
>>>>
>>>> When host=dynamic registrations are accepted even if the permit IP is
>>>> different from the registered device's IP address. Does permit/deny
>>>> work on a single IP address, e.g. 192.168.4.111/255.255.255.255?
>>>>
>>>>
>>>> The same seems to apply in the [general] section, with contactdeny and
>>>> contactpermit
>>>>
>>>> When I set
>>>>
>>>> contactdeny=0.0.0.0/0.0.0.0
>>>> contactpermit=192.168.4.111/255.255.255.255
>>>>
>>>> Devices whose IP is not 192.168.4.111 are able to register.
>>>>
>>>>
>>>>
>>> When I've used permit/deny, I did it in conjunction with insecure set to
>>> port,invite to allow gateways that didn't register and don't use
>>> username/secret to originate calls but only from the ip range in
>>> permit.  In fact it was for a provider that had gateways on a large
>>> number of IP addresses, all in the same CIDR block and I didn't want to
>>> do an entry for each of  more than 100 gateways.
>>>
>>> contactpermit/contactdeny *should* work as you are suggesting that you
>>> want. I've never tried that.  I may attempt it tonight and see on my 1.4
>>> system.
>>>
>>>
>>
>> To follow up on my own reply.  I just tried this with one of my standard
>> peers that I use for a softphone on a 1.6.2.10  and see the registration
>> attempt come in at the console and a warning comes up
>>
>> : Host '192.0.2.40' disallowed by contact ACL (violating IP 192.0.2.40)
>> : Registration denied because of contact ACL
>>
>> The peer does show in sip show peers and the softphone (twinkle) shows a
>> Registration Fails with a 603 denied.
>>
>> So I'd say it's working
>>
>> --
>
> I am using 1.4.27 and it doesn't seem to work.
>
> I should probably try the 1.6 series

Are you using deny before permit?

-- 
Cheers,

Matt Riddell
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/exchange.php (Full ITSP Solution)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
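
Why the order of deny and permit matters, as an added example (not part of the original thread and not Asterisk's code): a small Python model of the ACL rule evaluation, where rules apply in file order, the last matching rule wins, and an address no rule matches is allowed. The names `parse_acl` and `acl_allows` are hypothetical; the model covers rule ordering only, not which SIP requests consult the ACL.

```python
import ipaddress

def parse_acl(text):
    """Parse deny=/permit= lines, in file order, into (sense, network) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("deny", "permit"):
            # ip_network accepts the address/netmask form used in the thread
            rules.append((key, ipaddress.ip_network(value, strict=False)))
    return rules

def acl_allows(rules, addr):
    """Default allow; each matching rule overrides the result, so the last match wins."""
    ip = ipaddress.ip_address(addr)
    allowed = True
    for sense, net in rules:
        if ip in net:
            allowed = (sense == "permit")
    return allowed

# Constructed samples using the addresses quoted in the thread.
DENY_FIRST = parse_acl("""
deny=0.0.0.0/0.0.0.0
permit=192.168.1.8/255.255.255.255
""")
PERMIT_FIRST = parse_acl("""
permit=192.168.1.8/255.255.255.255
deny=0.0.0.0/0.0.0.0      ; matches everything and comes last, so it wins
""")

if __name__ == "__main__":
    for name, rules in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        for addr in ("192.168.1.8", "192.0.2.40"):
            verdict = "allowed" if acl_allows(rules, addr) else "denied"
            print(f"{name:13} {addr:12} {verdict}")
```

With permit listed first, the catch-all deny that follows also blocks 192.168.1.8, which is the misordering the question about deny before permit is probing for.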


