On 25/02/14 08:30, Karsten Wemheuer wrote:
> Hi Alex,
>
> On Thursday, 20.02.2014, at 13:48 -0500, Alex Villacís Lasso wrote:
>> I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following
>> the setup guide at
>> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb .
>> I want to run asterisk and kamailio on the same server, with SIP
>> realtime configuration (MySQL database) so that kamailio authenticates
>> and then forwards the registration to asterisk on localhost. The setup
>> calls for asterisk to be configured to listen for SIP traffic on all
>> interfaces, on a nonstandard port (I chose 5080). It also calls for
>> blanking of the password for the SIP peer (in my case, a softphone),
>> so that it will not request authentication again. I have managed
>> to make a call with working audio from the softphone to an extension
>> on asterisk through kamailio.
>>
>> My concern is that asterisk is left listening for SIP through all
>> interfaces and with no SIP passwords. I want to secure the setup
>> against directed traffic to the asterisk UDP port (5080), that
>> bypasses the kamailio process. I tried setting
>> bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on
>> localhost, but this has the side effect of also removing audio - the
>> call appears to be successful on the softphone and on the asterisk
>> logs, but no audio is actually heard. My theory is
>> that the RTP traffic is being sent to kamailio instead of the
>> softphone.
>>
>> How can I set up asterisk so that it can send RTP anywhere but reject
>> any SIP traffic that does not come from the kamailio process on
>> localhost?
>
> If you bind asterisk to 127.0.0.1 I think the media connection is set
> for this IP. Your softphone cannot reach the correct 127.0.0.1
> (localhost is everywhere).
>
> I would suggest you set up asterisk on the eth0 address or 0.0.0.0. In
> the sip.conf you could secure your setup with
>
> deny = 0.0.0.0/0.0.0.0
> permit = Your-LAN-Adress
>
> This way asterisk accepts SIP from your box only.

This might work, but would need to touch sip.conf every time the IP address
changes. It would be nice to have a configuration that can be set up once and
not modified again. That is why I wanted to set up localhost.
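
Added example, not part of the thread or of Asterisk's code: a Python model of the deny/permit check suggested in the reply, showing how the two lines are evaluated against a packet's source address. It assumes Asterisk applies the rules in order, lets the last matching rule decide and allows unmatched addresses; the addresses are constructed samples and parse_acl / sip_allowed are hypothetical names.

```python
# Model of chan_sip deny=/permit= evaluation (added example).
# Assumption: rules apply in order, the last match decides, and an
# address matched by no rule is allowed.
import ipaddress

def parse_acl(conf_text):
    """Return [(sense, network_int, mask_int)] from deny=/permit= lines."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a sip.conf comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("deny", "permit"):
            continue
        addr, _, mask = value.partition("/")
        if not mask:                          # bare address: single host
            mask_int = 0xFFFFFFFF
        elif mask.isdigit():                  # CIDR prefix length
            mask_int = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
        else:                                 # dotted netmask, as in the reply
            mask_int = int(ipaddress.IPv4Address(mask))
        net_int = int(ipaddress.IPv4Address(addr)) & mask_int
        rules.append((key, net_int, mask_int))
    return rules

def sip_allowed(rules, source_ip):
    """True if SIP from source_ip passes the ACL."""
    src = int(ipaddress.IPv4Address(source_ip))
    verdict = "permit"                        # no rule matched: allowed
    for sense, net_int, mask_int in rules:
        if (src & mask_int) == net_int:
            verdict = sense                   # later matches override earlier
    return verdict == "permit"

# Constructed sample: 192.0.2.10 stands in for the LAN address placeholder.
PEER_ACL = """
deny = 0.0.0.0/0.0.0.0
permit = 192.0.2.10/255.255.255.255
"""
REVERSED_ACL = """
permit = 192.0.2.10/255.255.255.255
deny = 0.0.0.0/0.0.0.0
"""

if __name__ == "__main__":
    for src in ("192.0.2.10", "203.0.113.50", "127.0.0.1"):
        print(src, sip_allowed(parse_acl(PEER_ACL), src))
```

Under that model a source of 127.0.0.1 is rejected when only the LAN address is permitted, and with the two lines in the opposite order the deny matches last, so every source is rejected.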