[asterisk-users] permit/deny in sip.conf iax.conf
Olle E. Johansson
oej at edvina.net
Thu Mar 25 06:28:40 CDT 2010
On 24 Mar 2010, at 16:48, Karl Fife wrote:
>>> Steve Edwards wrote:
>>>
>>>> It may not be as intended, but from a "user" standpoint, it seems logical
>>>> and convenient to establish "policy" in [general] and make exceptions in
>>>> the entities as needed.
>>>
>>> Right... for when you have one policy. When you have two policies, each
>>> that apply to a dozen or more entries in the config file, then it really
>>> doesn't help, it harms. Templates solve that problem completely, because
>>> each policy can be its own (named!) template, and they can be combined.
>>> Since templates are also very easy to use for the single policy case,
>>> they are a better solution to teach people (and they're also easier to
>>> implement in the configuration code of the module).
>>>
>>> In other modules created since chan_sip, we've intentionally avoided
>>> this problem, and you'll note that in nearly every other module, the
>>> [general] section is exactly that; general settings for the module, and
>>> not defaults.
>>
>> In my NACL work, I implemented a channel-wide NACL for blacklist purposes.
>
> Can you talk more about this? Were your Named ACLs something other than
> templates?
>
> What was/were the specific 'pain point/s' you were trying to assuage? For
> example did you need something not currently offered in the existing
> frameworks, for example DNS-resolved hostnames for permitting/restricting
> registration/connection? Or were you just doing a
> clever/elaborate/well-implemented setup of the existing frameworks?
>
> I for one would love to hear your 10,000 foot concepts and any details you'd
> be willing to share.
Well, I've written several mails and blog entries about this. Many discussions
about security in Asterisk have ended with the need for a new concept
for ACLs, something that can be manipulated by Asterisk using the C API,
by using manager and the CLI. So currently, it's a framework. You can
create a named ACL that is used by multiple devices or SIP trunks.
In the future, we have the API to build all kinds of blacklist/whitelist functions.
And I'm open to input on what's needed here. Now we have the framework
to build on.
http://www.voip-forum.com/asterisk/2010-01/manageable-access-control-lists-asterisk-nacls/
http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/README.nacl
It's something I'm working on just for fun, so it moves slowly forward.
/O
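To make the template discussion above concrete, here is an added example (my own, not code from the thread or from Asterisk): a small Python model of how chan_sip stacks permit/deny lines when a peer inherits from one or more templates, assuming chan_sip's documented ACL behaviour (template lines are appended before the section's own, rules are checked in order, the last matching rule wins, and an address matching no rule is allowed). The sip.conf fragment is constructed for the example.

```python
import ipaddress
import re

# Constructed sip.conf fragment (not from the thread): each policy is a
# named template; trunk1 combines two of them. Only permit/deny is parsed.
SIP_CONF = """
[lan-only](!)
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
[trunk-hosts](!)
permit=203.0.113.10/32
[phone1](lan-only)
type=friend
[trunk1](lan-only,trunk-hosts)
type=peer
"""

_HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")

def parse_sip_conf(text):
    """Return {section: (inherited templates, [(sense, network), ...])}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            flags = [f.strip() for f in (m.group(2) or "").split(",")]
            cur = sections.setdefault(m.group(1), ([f for f in flags if f and f != "!"], []))
            continue
        key, _, val = line.partition("=")
        if cur is not None and key.strip().lower() in ("permit", "deny"):
            cur[1].append((key.strip().lower(), ipaddress.ip_network(val.strip(), strict=False)))
    return sections

def effective_rules(sections, name):
    """Templates' lines first, then the section's own: chan_sip's append order (assumed)."""
    templates, own = sections[name]
    return [r for t in templates for r in effective_rules(sections, t)] + own

def is_allowed(sections, name, ip):
    """Evaluate like ast_apply_ha (assumed): last matching rule wins, no match allows."""
    addr = ipaddress.ip_address(ip)
    verdict = True
    for sense, net in effective_rules(sections, name):
        if addr in net:
            verdict = sense == "permit"
    return verdict
```

Because the last match wins, a template whose first line is `deny=0.0.0.0/0.0.0.0` only works as a default-deny policy if it is listed before the templates that open holes; listing it last would override them, so check `effective_rules()` for a peer before trusting its ACL.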