Hello!
If you're currently running an Asterisk instance, you are always forced to create a listener, even if you don't need it at all. Therefore you are forced to "secure" this unnecessary listener port afterwards by other means. This shouldn't be the way to handle it.
A much better way is simply not to open listeners you don't need at all. pjsip supports such behavior. What's the use case (one example)? You have a multihomed (or not, that doesn't matter) Asterisk system which on the one hand accepts registrations from devices on an internal network on tcp/5060 (-> listener transport needed) and on the other hand acts as a TLS trunk for outbound registration (client transport needed, but no listener).
Attached is a working patch example (based on Asterisk 18.4), which shows the different parts necessary to achieve the desired behavior (tested). A few words on the different patches:
- 73433a5-add-correct-port-to-sip-header.diff
  See https://issues.asterisk.org/jira/browse/ASTERISK-29241
- allow-port-0.diff
  This patch allows port 0 in the transport bind configuration.
- nolistener.diff
  This patch adds a new transport option "nolistener", which prevents creating a listener when the transport is started. Asterisk must be built with the compile-time switch PJSIP_TCP_TRANSPORT_DONT_CREATE_LISTENER.
- res_pjsip_nat.c.diff, res_pjsip_session.c.diff
  These two patches are NAT related when using the external_media_address= and external_signaling_address= parameters. They fix the problem that the correct IP address is not always added to the SIP header or SDP.
- f213833-rev-partial-transport-reload.diff
  This patch reverts ASTERISK-29354 (came with 18.4), because it just doesn't work (for me): after a "core reload", the defined values for external_*_address aren't applied to any outgoing package any more.
How to use it? This is an example of how it should be used in the transport configuration:

  [example-nat-tls-transport]
  type=transport
  protocol=tls
  bind=192.168.13.24:0
  ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
  method=tlsv1_2
  verify_server=yes
  allow_reload=no
  external_media_address=external.host.com
  external_signaling_address=external.host.com
  local_net=192.168.0.0/16
  nolistener=1
  ^^^^^^^^^^^^

or an example of a traditional transport including a listener:

  [192.168.27.28-internal-tcp]
  type=transport
  protocol=tcp
  bind=192.168.27.28
  allow_reload=no

How to verify that it's working? Take a look at pjsip.log. If you see entries like these, it's working:

Example example-nat-tls-transport:
  [2021-05-14 07:28:05] DEBUG[12836] pjproject: tlstp:0 SIP TLS is ready (client only)

Example 192.168.27.28-internal-tcp:
  [2021-05-14 07:28:05] DEBUG[12836] pjproject: tcptp:5060 SIP TCP is ready (client only)
  [2021-05-14 07:28:05] DEBUG[12836] pjproject: tcptp:5060 SIP TCP listener ready for incoming connections at 192.168.27.28:5060

Thanks
Michael
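The verification step above is manual: read pjsip.log and compare it against what each transport is supposed to do. The following script is an added example (not part of the original mail or the attached patches) that automates that comparison. It parses a pjsip.conf-style transport section list, decides per transport whether a listener is expected (no listener when nolistener=1, following the patched syntax from the mail), and then scans pjsip.log lines for the "listener ready for incoming connections at host:port" message quoted above. A transport marked nolistener=1 that still shows a listener on its bind address (for instance on a build without PJSIP_TCP_TRANSPORT_DONT_CREATE_LISTENER, where port 0 just yields an ephemeral port) is reported as "unexpected listener". The sample configuration, the extra transport names, the ephemeral port 38211 and the log lines are constructed for the example; the default ports 5060 (tcp) and 5061 (tls) are Asterisk's defaults for bind= without a port.

```python
import re
from configparser import ConfigParser

# Asterisk's default bind ports when bind= carries no port (assumption stated in the lead-in).
DEFAULT_PORT = {"tcp": 5060, "tls": 5061}

# Listener line as quoted in the mail; only TCP/TLS transports log this message.
LISTENER_RE = re.compile(
    r"SIP (?P<proto>TCP|TLS) listener ready for incoming connections at "
    r"(?P<addr>[0-9a-fA-F.:\[\]]+):(?P<port>\d+)$"
)

# Constructed pjsip.conf fragment using the transport syntax from the mail.
# "nolistener" exists only with the nolistener.diff patch, not in stock Asterisk.
SAMPLE_CONF = """
[example-nat-tls-transport]
type=transport
protocol=tls
bind=192.168.13.24:0
nolistener=1

[192.168.27.28-internal-tcp]
type=transport
protocol=tcp
bind=192.168.27.28

[trunk-tcp-unpatched-build]
type=transport
protocol=tcp
bind=10.0.0.5:0
nolistener=1

[tls-inbound]
type=transport
protocol=tls
bind=192.168.27.28
"""

# Constructed pjsip.log lines modelled on the ones quoted in the mail.
# The 10.0.0.5:38211 line simulates a build without the compile-time switch.
SAMPLE_LOG = """
[2021-05-14 07:28:05] DEBUG[12836] pjproject: tlstp:0 SIP TLS is ready (client only)
[2021-05-14 07:28:05] DEBUG[12836] pjproject: tcptp:5060 SIP TCP is ready (client only)
[2021-05-14 07:28:05] DEBUG[12836] pjproject: tcptp:5060 SIP TCP listener ready for incoming connections at 192.168.27.28:5060
[2021-05-14 07:28:05] DEBUG[12836] pjproject: tcptp:0 SIP TCP listener ready for incoming connections at 10.0.0.5:38211
"""


def split_bind(bind, proto):
    """Split a bind= value into (host, port); apply the protocol default if no port is given."""
    bind = bind.strip()
    if bind.startswith("["):  # [ipv6]:port or [ipv6]
        host, _, rest = bind[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif bind.count(":") == 1:  # ipv4:port or hostname:port
        host, _, port = bind.partition(":")
    else:
        host, port = bind, ""
    return host, (int(port) if port else DEFAULT_PORT.get(proto))


def parse_transports(conf_text):
    """Return {name: {protocol, host, port, nolistener}} for every type=transport section."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    transports = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type", "").strip() != "transport":
            continue
        proto = sec.get("protocol", "udp").strip().lower()
        host, port = split_bind(sec.get("bind", ""), proto)
        nolistener = sec.get("nolistener", "0").strip().lower() in ("1", "yes", "true", "on")
        transports[name] = {"protocol": proto, "host": host, "port": port, "nolistener": nolistener}
    return transports


def find_listeners(log_text):
    """Collect (proto, host, port) for every 'listener ready' line in the log."""
    found = set()
    for line in log_text.splitlines():
        m = LISTENER_RE.search(line.strip())
        if m:
            found.add((m["proto"].lower(), m["addr"].strip("[]"), int(m["port"])))
    return found


def audit(conf_text, log_text):
    """Compare configured transports with the listeners the log reports; return {name: verdict}."""
    transports = parse_transports(conf_text)
    listeners = find_listeners(log_text)
    # Listeners that a non-nolistener transport legitimately accounts for.
    expected = {(t["protocol"], t["host"], t["port"]) for t in transports.values() if not t["nolistener"]}
    report = {}
    for name, t in transports.items():
        if t["protocol"] not in DEFAULT_PORT:
            report[name] = "skipped (only tcp/tls listener lines are checked)"
            continue
        key = (t["protocol"], t["host"], t["port"])
        if t["nolistener"]:
            # Any listener on this host/protocol not owned by another transport is a problem.
            stray = [l for l in listeners if l[:2] == key[:2] and l not in expected]
            report[name] = "unexpected listener" if stray else "ok (client only)"
        else:
            report[name] = "ok (listener)" if key in listeners else "missing listener"
    return report


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONF, SAMPLE_LOG).items():
        print(f"{name}: {verdict}")
```

Run against a real system, replace SAMPLE_CONF and SAMPLE_LOG with the contents of pjsip.conf and pjsip.log (with pjproject debug logging enabled, as in the quoted lines); a "missing listener" for a transport that is supposed to accept registrations, or an "unexpected listener" for a client-only trunk transport, is the condition to look into.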
nolistener.tar.gz