Re: [asterisk-users] Dynamically setting from domain when calling friends
>> Thank you very much. I will try this! It seems to be what I'm looking for. I'm in most cases working with 1.2 asterisks, so I'm not up to date on newer features. My current project however needed a newer version. I tried some googling, but I did not find these variables.
>
> Glad to help! Wow.. 1.2 ! Most are using 1.8 or 11 these days, so it is good to be aware of that when seeking help and Googling. The 1.8 branch is the oldest supported version at the moment.
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

Yes, I know, way behind. We are trying to make the time needed to move on to 11 or 12, but it is quite time consuming. Although we're not alone, at least Steve Edwards uses 1.2.. :)

I tested SIPFROMDOMAIN, and it worked. Important thing to note is that I needed to have at least one underscore at the beginning of the variable, as your example did, it needs to be inherited at least one level. I don't really see why this should be needed, shouldn't Dial be able to see it in the channel that executes the application? Maybe this should be noted on the wiki as well, to avoid this kind of confusion?

Thanks for the help!

BR,
Torbjörn Abrahamsson

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk-users] Variables are empty after Redirecting a channel
Guys,

I am using Asterisk 1.8.20.0 built by mockbuild @ buildvm-24.phx2.fedoraproject.org on a x86_64 running Linux on 2013-01-18 19:52:25 UTC

How can I set variable in one context and then Redirect a channel to another context and use variable there?

The code below doesn't work, so I've got empty VAR1 in context_2

[context_1]
exten = s,1,SET(__VAR1=VALUE1)
exten = s,n,ChannelRedirect(${CHANNEL},context_2,AMD,1)

[context_2]
exten = AMD,1,NoOp(VAR1: ${VAR1})

Thank you in advance,
Igor

[asterisk-users] Hacking attempt, Asterisk 1.4
Hi all

We have an Asterisk server that's been running for a few years now without problems. We have IPTables running, as well as fail2ban and have followed all the security recommendations we have found.

Every few weeks we get an attack that lasts about a minute or two, resulting in our AGI script being overloaded. What happens is that somebody seems to be trying to connect from our server -- in my cdrs log I can see that they use a four digit number for source, destination and caller id, e.g.

clid: 7321
src: 7321
dst: 7321
channel: SIP/xx.xx.xx.xx-

xx.xx.xx.xx is our server IP. When one of our registered users makes a call the channel is SIP/- where is the SIP user ID. So it looks like a SIP phone trying to call itself, using our Asterisk server IP as SIP user name.

Within a couple of minutes the attacker seems to go through some 1 attempts, resulting in our AGI script collapsing from the load.

My Asterisk full log shows something like:

-- Executing [7321@sip:1] Answer(SIP/xx.xx.xx.xx-b0828f20, ) in new stack
-- Executing [7321@sip:2] AGI(SIP/ xx.xx.xx.xx -b0828f20, agi:// xx.xx.xx.xx ) in new stack
-- Executing [7321@sip:3] Hangup(SIP/ xx.xx.xx.xx -b6130f70, ) in new stack
== Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/ xx.xx.xx.xx -b6130f70'
cdr_odbc: Query Successful!
-- AGI Script agi:// xx.xx.xx.xx completed, returning 0

Our AGI script refuses to call illegal numbers, while our Asterisk dialplan is a bit more accommodating, mostly because I have had problems figuring out the order in which to put the various rules (I might have another look at that!)

Does anybody know how to stop this from happening -- I can't find the attackers IP number in my logs, and these attacks happen infrequently, and are over quickly, so that I haven't had an opportunity to run sip debug during an attack, and I don't want to have it running all the time.

Best regards
Binni

Brynjólfur Þorvarðsson
IT Consultant
Tlf. +45 88321688

Re: [asterisk-users] Hacking attempt, Asterisk 1.4
On Thursday 20 Feb 2014, Brynjolfur Thorvardsson wrote:
> Every few weeks we get an attack that lasts about a minute or two, resulting in our AGI script being overloaded. What happens is that somebody seems to be trying to connect from our server -- in my cdrs log I can see that they use a four digit number for source, destination and caller id, e.g.
>
> clid: 7321
> src: 7321
> dst: 7321
> channel: SIP/xx.xx.xx.xx-

Assuming that it's the AGI script that is the bottleneck, how about simply checking in the dialplan that the ${CALLERID(num)} is different from ${EXTEN} before executing the AGI script?

--
AJS

Answers come *after* questions.

Re: [asterisk-users] Hacking attempt, Asterisk 1.4
On 20/02/14 11:27, Brynjolfur Thorvardsson wrote:
> Hi all
>
> We have an Asterisk server that's been running for a few years now without problems. We have IPTables running, as well as fail2ban and have followed all the security recommendations we have found.
>
> Every few weeks we get an attack that lasts about a minute or two, resulting in our AGI script being overloaded. What happens is that somebody seems to be trying to connect from our server -- in my cdrs log I can see that they use a four digit number for source, destination and caller id, e.g.
>
> clid: 7321
> src: 7321
> dst: 7321
> channel: SIP/xx.xx.xx.xx-
>
> xx.xx.xx.xx is our server IP. When one of our registered users makes a call the channel is SIP/- where is the SIP user ID. So it looks like a SIP phone trying to call itself, using our Asterisk server IP as SIP user name.
>
> Within a couple of minutes the attacker seems to go through some 1 attempts, resulting in our AGI script collapsing from the load.
>
> My Asterisk full log shows something like:
>
> -- Executing [7321@sip:1] Answer(SIP/xx.xx.xx.xx-b0828f20, ) in new stack
> -- Executing [7321@sip:2] AGI(SIP/ xx.xx.xx.xx -b0828f20, agi:// xx.xx.xx.xx ) in new stack
> -- Executing [7321@sip:3] Hangup(SIP/ xx.xx.xx.xx -b6130f70, ) in new stack
> == Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/ xx.xx.xx.xx -b6130f70'
> cdr_odbc: Query Successful!
> -- AGI Script agi:// xx.xx.xx.xx completed, returning 0
>
> Our AGI script refuses to call illegal numbers, while our Asterisk dialplan is a bit more accommodating, mostly because I have had problems figuring out the order in which to put the various rules (I might have another look at that!)
>
> Does anybody know how to stop this from happening -- I can't find the attackers IP number in my logs, and these attacks happen infrequently, and are over quickly, so that I haven't had an opportunity to run sip debug during an attack, and I don't want to have it running all the time.
>
> Best regards
> Binni
>
> Brynjólfur Þorvarðsson
> IT Consultant
> Tlf. +45 88321688

I have this in my extensions.conf :-

[default]
; all unauthenticated connection attempts from the internet come in here.
exten = _[+*#0-9].,1,NoOp(Unauthenticated call attempt - ${SIP_HEADER(Contact)})
exten = _[+*#0-9].,n,Congestion

Then in fail2ban I have the extra line added to the failregex so it is now :-

failregex = Registration from .* failed for \'<HOST>\' - Wrong password
            Registration from .* failed for \'<HOST>\' - No matching
            Unauthenticated call attempt .*\@<HOST>\:

That seems to work pretty well for me.

Assuming the attacks are unauthenticated why are you accepting them and running an AGI script and not rejecting them earlier?

If you need to allow anonymous inbound calls (which is required in some cases) then I would have the AGI detect them and write an output to verbose() with the SIP_HEADER(Contact) or any other header which correctly indicated the origin of the packet.

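An added example (not part of the original post, and not fail2ban's own code): the three failregex lines from the reply above, applied to constructed log lines with fail2ban's `<HOST>` tag replaced by a simplified IPv4 group. It shows which address gets counted, namely the host the caller wrote into its Contact header, and that a Contact without a port is missed because the pattern ends in `\:`.

```python
import re
from collections import Counter

# The failregex lines from the post. fail2ban substitutes its own host-matching
# group for <HOST>; the IPv4-only group below is a simplified stand-in
# for that substitution (assumption of this example).
FAILREGEX = [
    r"Registration from .* failed for \'<HOST>\' - Wrong password",
    r"Registration from .* failed for \'<HOST>\' - No matching",
    r"Unauthenticated call attempt .*\@<HOST>\:",
]
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MARKER = "Unauthenticated call attempt"

# Constructed log lines using documentation addresses. 203.0.113.10 plays the
# role of the Asterisk server, as in the channel names quoted in the thread.
SAMPLE_LOG = r"""
[Feb 20 11:02:14] NOTICE[2034] chan_sip.c: Registration from '"7321" <sip:7321@203.0.113.10>' failed for '198.51.100.23' - Wrong password
[Feb 20 11:03:01] VERBOSE[2101] logger.c:     -- Executing [7321@default:1] NoOp("SIP/203.0.113.10-b0828f20", "Unauthenticated call attempt - <sip:7321@198.51.100.77:5060>") in new stack
[Feb 20 11:03:01] VERBOSE[2102] logger.c:     -- Executing [7322@default:1] NoOp("SIP/203.0.113.10-b0828f21", "Unauthenticated call attempt - <sip:7322@198.51.100.77:5060>") in new stack
[Feb 20 11:03:02] VERBOSE[2103] logger.c:     -- Executing [7323@default:1] NoOp("SIP/203.0.113.10-b0828f22", "Unauthenticated call attempt - <sip:7323@198.51.100.77:5060>") in new stack
[Feb 20 11:03:02] VERBOSE[2104] logger.c:     -- Executing [7324@default:1] NoOp("SIP/203.0.113.10-b0828f23", "Unauthenticated call attempt - <sip:7324@198.51.100.77>") in new stack
[Feb 20 11:04:10] VERBOSE[2110] logger.c:     -- Executing [100@internal:1] Dial("SIP/alice-b0828f30", "SIP/bob") in new stack
""".strip().splitlines()


def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> the way a filter would and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def count_failures(lines, patterns=FAILREGEX):
    """Count matching lines per extracted host (at most one hit per line)."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def hosts_to_ban(lines, maxretry=3, patterns=FAILREGEX):
    """Hosts that reached maxretry matches, i.e. the ones a jail would act on."""
    counts = count_failures(lines, patterns)
    return sorted(h for h, n in counts.items() if n >= maxretry)


def unmatched_call_attempts(lines, patterns=FAILREGEX):
    """Dialplan-logged attempts that no failregex matched (filter blind spots)."""
    compiled = compile_failregex(patterns)
    return [l for l in lines
            if MARKER in l and not any(rx.search(l) for rx in compiled)]


if __name__ == "__main__":
    print("counts:   ", dict(count_failures(SAMPLE_LOG)))
    print("to ban:   ", hosts_to_ban(SAMPLE_LOG))
    for line in unmatched_call_attempts(SAMPLE_LOG):
        print("unmatched:", line)
```

The address counted here comes from a header the caller fills in, so it is worth comparing it with the packet source in a capture before relying on the ban list.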
Re: [asterisk-users] Variables are empty after Redirecting a channel
On 20/02/14 10:24, Igor Dvorzhak wrote:
> Guys,
>
> I am using Asterisk 1.8.20.0 built by mockbuild @ buildvm-24.phx2.fedoraproject.org http://buildvm-24.phx2.fedoraproject.org on a x86_64 running Linux on 2013-01-18 19:52:25 UTC
>
> How can I set variable in one context and then Redirect a channel to another context and use variable there?
>
> The code below doesn't work, so I've got empty VAR1 in context_2
>
> [context_1]
> exten = s,1,SET(__VAR1=VALUE1)
> exten = s,n,ChannelRedirect(${CHANNEL},context_2,AMD,1)
>
> [context_2]
> exten = AMD,1,NoOp(VAR1: ${VAR1})
>
> Thank you in advance,
> Igor

You should be able to get something working using a shared variable. I have used them in one of my blog posts if you would like an example of their use
http://gblades.blogspot.co.uk/2013/07/how-to-get-sip-response-code-in.html

Re: [asterisk-users] Variables are empty after Redirecting a channel
On 14-02-20 06:24 AM, Igor Dvorzhak wrote:
> Guys,
>
> I am using Asterisk 1.8.20.0 built by mockbuild @ buildvm-24.phx2.fedoraproject.org http://buildvm-24.phx2.fedoraproject.org on a x86_64 running Linux on 2013-01-18 19:52:25 UTC
>
> How can I set variable in one context and then Redirect a channel to another context and use variable there?
>
> The code below doesn't work, so I've got empty VAR1 in context_2
>
> [context_1]
> exten = s,1,SET(__VAR1=VALUE1)
> exten = s,n,ChannelRedirect(${CHANNEL},context_2,AMD,1)

You should be using Goto here instead of ChannelRedirect, since you are redirecting the channel which is executing ChannelRedirect (that slightly made my head hurt). Switching should also make the variable work as you desire.

Cheers,

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: www.digium.com www.asterisk.org

[asterisk-users] G729 - what happens if licences used up?
I haven't been able to find the answer online, and am not currently able to conduct an experiment to find the answer...

I understand that in a SIP call where G729 has been negotiated as the preferred codec, a G.729 licence is not consumed until there is a need to perform transcoding, e.g. play a non-g729 sound, or do voicemail, or enter a Meetme, etc.

What happens when a SIP call in progress needs a G.729 licence and they are all in use already? Does the call fail, or go silent, or do a re-INVITE to negotiate another codec?

I'm interested in what happens on Asterisk 1.2 (for a legacy system), and also whether it is any different on later versions.

Thanks,
Tony

--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org

Re: [asterisk-users] G729 - what happens if licences used up?
On Thu, Feb 20, 2014 at 10:40 AM, Tony Mountifield t...@softins.co.uk wrote:
> I haven't been able to find the answer online, and am not currently able to conduct an experiment to find the answer...
>
> I understand that in a SIP call where G729 has been negotiated as the preferred codec, a G.729 licence is not consumed until there is a need to perform transcoding, e.g. play a non-g729 sound, or do voicemail, or enter a Meetme, etc.
>
> What happens when a SIP call in progress needs a G.729 licence and they are all in use already? Does the call fail, or go silent, or do a re-INVITE to negotiate another codec?
>
> I'm interested in what happens on Asterisk 1.2 (for a legacy system), and also whether it is any different on later versions.

The question depends if you are offering up other codecs or not. If you are only using g729, the call will fail to establish because of lack of codecs. If you offer both g729 and ulaw, then ulaw will be used.

--
Paul Belanger | PolyBeacon, Inc.
Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode)
Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger

Re: [asterisk-users] G729 - what happens if licences used up?
In my experience when you run out of g729 licenses additional calls will fail. Simple as that. Make sure you run out of licenses.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Tony Mountifield
Sent: Thursday, February 20, 2014 10:40 AM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] G729 - what happens if licences used up?

I haven't been able to find the answer online, and am not currently able to conduct an experiment to find the answer...

I understand that in a SIP call where G729 has been negotiated as the preferred codec, a G.729 licence is not consumed until there is a need to perform transcoding, e.g. play a non-g729 sound, or do voicemail, or enter a Meetme, etc.

What happens when a SIP call in progress needs a G.729 licence and they are all in use already? Does the call fail, or go silent, or do a re-INVITE to negotiate another codec?

I'm interested in what happens on Asterisk 1.2 (for a legacy system), and also whether it is any different on later versions.

Thanks,
Tony

--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org

Re: [asterisk-users] G729 - what happens if licences used up?
In article CALLKq0RpimD05jz=osbgjydx-41uebohxmft_skwfjt51ko...@mail.gmail.com, Paul Belanger paul.belan...@polybeacon.com wrote:
> On Thu, Feb 20, 2014 at 10:40 AM, Tony Mountifield t...@softins.co.uk wrote:
>> I haven't been able to find the answer online, and am not currently able to conduct an experiment to find the answer...
>>
>> I understand that in a SIP call where G729 has been negotiated as the preferred codec, a G.729 licence is not consumed until there is a need to perform transcoding, e.g. play a non-g729 sound, or do voicemail, or enter a Meetme, etc.
>>
>> What happens when a SIP call in progress needs a G.729 licence and they are all in use already? Does the call fail, or go silent, or do a re-INVITE to negotiate another codec?
>>
>> I'm interested in what happens on Asterisk 1.2 (for a legacy system), and also whether it is any different on later versions.
>
> The question depends if you are offering up other codecs or not. If you are only using g729, the call will fail to establish because of lack of codecs. If you offer both g729 and ulaw, then ulaw will be used.

The codecs offered by each end would be g729, alaw and ulaw.

I guess my point is that the licence is NOT required to negotiate codecs and establish the call, e.g. if g.729 sounds are installed and calls are pass-through, then no transcoding is required.

So the call will negotiate g729 and get established, and then if later the dialplan calls something that requires transcoding, the licence is requested at that time. What happens if there is not one available? Can/will it do a re-INVITE to change codec, or does the call fail, or does it continue but go silent?

Cheers
Tony

--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org

Re: [asterisk-users] G729 - what happens if licences used up?
On 20/02/14 17:16, Paul Belanger wrote:
> On Thu, Feb 20, 2014 at 10:40 AM, Tony Mountifield t...@softins.co.uk wrote:
>> I haven't been able to find the answer online, and am not currently able to conduct an experiment to find the answer...
>>
>> I understand that in a SIP call where G729 has been negotiated as the preferred codec, a G.729 licence is not consumed until there is a need to perform transcoding, e.g. play a non-g729 sound, or do voicemail, or enter a Meetme, etc.
>>
>> What happens when a SIP call in progress needs a G.729 licence and they are all in use already? Does the call fail, or go silent, or do a re-INVITE to negotiate another codec?
>>
>> I'm interested in what happens on Asterisk 1.2 (for a legacy system), and also whether it is any different on later versions.
>
> The question depends if you are offering up other codecs or not. If you are only using g729, the call will fail to establish because of lack of codecs. If you offer both g729 and ulaw, then ulaw will be used.

That would only apply for new calls. Even new calls would still typically accept g729 even if there are no licenses remaining as there might not be transcoding required.

What I would expect to happen if there were no licenses is for you to see an error on the console (possibly repeated multiple times) and for there to be no audio. This is certainly what happens if you have a g729 call with no license and then try to play a sound file which does not have a native g729 format.

[asterisk-users] How to configure asterisk to only accept SIP from kamailio@localhost but exchange RTP on all interfaces?
I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following the setup guide at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration (MySQL database) so that kamailio authenticates and then forwards the registration to asterisk on localhost.

The setup calls for asterisk to be configured to listen for SIP traffic on all interfaces, on a nonstandard port (I chose 5080). It also calls for blanking of the password for the SIP peer (in my case, a softphone), so that it will not request for authentication again. I have managed to make a call with working audio from the softphone to an extension on asterisk through kamailio.

My concern is that asterisk is left listening for SIP through all interfaces and with no SIP passwords. I want to secure the setup against directed traffic to the asterisk UDP port (5080), that bypasses the kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on localhost, but this has the side effect of also removing audio - the call appears to be successful on the softphone and on the asterisk logs, but no audio is actually heard. My theory is that the RTP traffic is being sent to kamailio instead of the softphone.

How can I set up asterisk so that it can send RTP anywhere but reject any SIP traffic that does not come from the kamailio process on localhost?

Re: [asterisk-users] Dynamically setting from domain when calling friends
On Thu, Feb 20, 2014 at 3:45 AM, Torbjörn Abrahamsson torbjorn.abrahams...@gmail.com wrote:
> I tested SIPFROMDOMAIN, and it worked. Important thing to note is that I needed to have at least one underscore at the beginning of the variable, as your example did, it needs to be inherited at least one level. I don't really see why this should be needed, shouldn't Dial be able to see it in the channel that executes the application? Maybe this should be noted on the wiki as well, to avoid this kind of confusion?

Glad to hear it worked for you! Information on variable inheritance is already on the wiki.

Here https://wiki.asterisk.org/wiki/display/AST/Variable+Inheritance+Basics
and here https://wiki.asterisk.org/wiki/display/AST/Variable+Inheritance

Those two pages and their sub-pages have some overlap and may need to be consolidated.

--
Rusty Newton
Digium, Inc. | Community Support Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
direct: +1 256 428 6200
Check us out at: http://digium.com http://asterisk.org

Re: [asterisk-users] Asterisk NAT
On Tue, Feb 18, 2014 at 10:53 PM, Gholamreza Sabery gr.sab...@gmail.com wrote:
> Hello, a few days ago I sent a question:
>
> http://lists.digium.com/pipermail/asterisk-users/2014-February/282241.html
>
> but no one answered me! I just want to know is it possible or not?

Hi! As many others mentioned, if you don't get an answer, first go googling then try the #asterisk IRC channel, or maybe the forums at forums.asterisk.org. I noticed your first post today and was going to answer it there, before I saw this new post as well...

To attempt answering your question... I believe so. The NAT section of the sip.conf sample contains a lot of helpful options, including:

;directmedia=nonat            ; An additional option is to allow media path redirection
                              ; (reinvite) but only when the peer where the media is being
                              ; sent is known to not be behind a NAT (as the RTP core can
                              ; determine it based on the apparent IP address the media
                              ; arrives from).

That is for chan_sip in Asterisk 11, and should also be available in Asterisk 1.8

I've not used a config with this option before, but it sounds like the intent is what you may need.

A link to the sample file (that is also included with your source files)
http://svnview.digium.com/svn/asterisk/branches/11/configs/sip.conf.sample?view=markup

--
Rusty Newton
Digium, Inc. | Community Support Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
direct: +1 256 428 6200
Check us out at: http://digium.com http://asterisk.org

Re: [asterisk-users] Dynamically setting from domain when calling friends
>> I tested SIPFROMDOMAIN, and it worked. Important thing to note is that I needed to have at least one underscore at the beginning of the variable, as your example did, it needs to be inherited at least one level. I don't really see why this should be needed, shouldn't Dial be able to see it in the channel that executes the application? Maybe this should be noted on the wiki as well, to avoid this kind of confusion?
>
> Glad to hear it worked for you! Information on variable inheritance is already on the wiki.
>
> Here https://wiki.asterisk.org/wiki/display/AST/Variable+Inheritance+Basics
> and here https://wiki.asterisk.org/wiki/display/AST/Variable+Inheritance
>
> Those two pages and their sub-pages have some overlap and may need to be consolidated.

I was not referring to the concept of inheritance, rather than that I found it odd that I would need the inheritance in this specific case. My gut feeling told me that the Dial application should see the SIPFROMDOMAIN variable without having to resort to inheritance. This seems the logical way to me, although I have no trouble grasping that there may be magic under the hood that makes this operation need the inheritance.

My comment about the wiki was about stating on the SIP CHANNEL VARIABLES page that you need to have the inheritance, otherwise it will not work. If I hadn't seen your example in the mail, I would not have thought "Oh, I need to make this variable inheritable", I would have thought there was some other problem.

Thanks again for your help!

BR,
Torbjörn Abrahamsson

Re: [asterisk-users] Asterisk NAT
On Wed, Feb 19, 2014 at 2:55 AM, A J Stiles asterisk_l...@earthshod.co.uk wrote:
> On Wednesday 19 Feb 2014, Gholamreza Sabery wrote:
>> Hello, a few days ago I sent a question:
>>
>> http://lists.digium.com/pipermail/asterisk-users/2014-February/282241.html
>>
>> but no one answered me! I just want to know is it possible or not?
>
> No answer on the list probably just means the question was answered before; so your best bet is to search the mailing list archives and the wiki at http://voip-info.org
>
> Eventually, you will have been yomping around in Tech Land for long enough to graduate from ignorant tourist to seasoned traveller -- and then you get to ignore noob questions yourself. Or set yourself up as a tour guide, if you feel that way inclined :)

It is worth noting that the official Asterisk wiki is at http://wiki.asterisk.org. If there is something missing from there, feel free to let me or someone in #asterisk-dev know and we'll make sure things get updated.

One thing I do have on my to-do list is a NAT guide.

--
Rusty Newton
Digium, Inc. | Community Support Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
direct: +1 256 428 6200
Check us out at: http://digium.com http://asterisk.org

Re: [asterisk-users] How to configure asterisk to only accept SIP from kamailio@localhost but exchange RTP on all interfaces?
On 20.02.2014 19:48, Alex Villacís Lasso wrote:
> My concern is that asterisk is left listening for SIP through all interfaces and with no SIP passwords. I want to secure the setup against directed traffic to the asterisk UDP port (5080), that bypasses the kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on localhost, but this has the side effect of also removing audio - the call appears to be successful on the softphone and on the asterisk logs, but no audio is actually heard. My theory is that the RTP traffic is being sent to kamailio instead of the softphone.

Theories are nice, but you should check whether they are true using, e.g., tcpdump :)

I would check with, for example:

tcpdump -nnnqt -s 0 -A -i eth0 port 5060

or instead of port 5060 (or 5080) try udp to see what is going on with RTP. Change from eth0 to lo to see if there is really RTP going to nowhere. When looking at port 5060/5080, check the SDP header to see what kamailio/Asterisk/your softphone announce in terms of RTP. I thought kamailio is a SIP server/proxy only and is not involved in RTP at all.

In any case, if you want to only allow certain connections from somewhere to somewhere (including from/to certain ports), iptables is your friend if you are using Linux.

Re: [asterisk-users] Asterisk as a client: can I get the remote SIP server to ignore rport?
On Wed, Feb 19, 2014 at 11:53 AM, Markus unive...@truemetal.org wrote:
> Hi list,
>
> I have a fresh install of Asterisk 12.0.0 and I'm going to use it only as a client. I'm trying to SIP REGISTER with a remote SIP provider.
>
> The situation is that Asterisk is running in a VMware VM with a RFC IP address (192.168.1.2). The provider of the VM performs static NAT from the RFC IP address to a dedicated public IP address, however, they are rewriting ports at will. That's the problem.
>
> Here's an excerpt from tcpdump:
>
> snip
>
> I'm thinking the answer is no, but is there any option how I can get the remote SIP provider to answer me on port 5060? Without having them to change anything in their config.

http://www.ietf.org/rfc/rfc3581.txt

To force RFC3581 support for outbound REGISTER messages, you can set nat=force_rport in the general section of your sip.conf. (This also forces RFC3581 compliance for inbound messages, for any peers that inherit this general option)

In my testing this results in the outbound REGISTER setting rport like

Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK493d3405;rport

If the far end supports RFC3581 it should respond back to the port from what it received requests. That should be 5060 if they receive the message from 5060.

However.. if your VM/Network provider is rewriting things, then they could potentially remove your rport value, send it out over a different port, or do any number of crazy things. Depending on what they have going on in their network, receiving it back at 5060 is no guarantee it'll get back to your Asterisk VM.

--
Rusty Newton
Digium, Inc. | Community Support Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
direct: +1 256 428 6200
Check us out at: http://digium.com http://asterisk.org

Re: [asterisk-users] How to configure asterisk to only accept SIP from kamailio@localhost but exchange RTP on all interfaces?
On 20/02/14 15:07, Markus wrote:

On 20.02.2014 19:48, Alex Villacís Lasso wrote:

My concern is that asterisk is left listening for SIP through all interfaces and with no SIP passwords. I want to secure the setup against directed traffic to the asterisk UDP port (5080), that bypasses the kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on localhost, but this has the side effect of also removing audio - the call appears to be successful on the softphone and on the asterisk logs, but no audio is actually heard. My theory is that the RTP traffic is being sent to kamailio instead of the softphone.

Theories are nice, but you should check whether they are true using, e.g., tcpdump :) I would check with, for example:

    tcpdump -nnnqt -s 0 -A -i eth0 port 5060

or instead of port 5060 (or 5080) try udp to see what is going on with RTP. Change from eth0 to lo to see if there is really RTP going to nowhere. When looking at port 5060/5080, check the SDP header to see what kamailio/Asterisk/your softphone announce in terms of RTP. I thought kamailio is a SIP server/proxy only and is not involved in RTP at all.

From a wireshark capture, what the softphone sees when contacting kamailio (in the bindaddr=127.0.0.1 configuration) is that the media negotiation in the OK package contains a random UDP port (as expected) but indicates that the IP for RTP is 127.0.0.1.

I have also tried deny=0.0.0.0/0.0.0.0 permit=127.0.0.1/255.0.0.0, but the softphone then gets denied through the kamailio too. It seems deny/permit restricts the IP of the original contact, not the IP the SIP traffic was received through.

In any case, if you want to allow only certain connections from somewhere to somewhere (including from/to certain ports), iptables is your friend if you are using Linux.

I know iptables would solve my issue, and I will certainly use it, but I do not want to rely on iptables as the *only* thing that prevents the sip proxy bypass. I want an asterisk configuration that will only accept SIP signaling traffic coming from a specific IP (in my case, 127.0.0.1), but will then negotiate RTP across any interface that will contact the softphone. I want this to work with the IP of the original contact.
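The SDP check suggested in this thread can be scripted. The following is an added example, not part of the original messages: it reads the SDP body of a captured SIP response and lists media streams that advertise a loopback address, which is the symptom reported with bindaddr=127.0.0.1. The sample message is constructed (192.0.2.10 is a documentation address) and the parser assumes literal IP addresses in c= lines.

```python
import ipaddress

# Constructed 200 OK modelled on the capture described above: the SDP
# advertises 127.0.0.1 for media. Not taken from a real trace.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1234 1234 IN IP4 127.0.0.1\r\n"
    "s=Asterisk\r\n"
    "c=IN IP4 127.0.0.1\r\n"
    "t=0 0\r\n"
    "m=audio 14562 RTP/AVP 0 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def rtp_endpoints(sip_message):
    """Return [(media, address, port)] announced in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr = None
    streams = []          # each entry: [media, port, media-level address or None]
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":
            addr = value.split()[2].split("/")[0]    # "IN IP4 <addr>[/ttl]"
            if streams:
                streams[-1][2] = addr     # c= after an m= applies to that stream
            else:
                session_addr = addr       # c= before any m= is the session default
        elif kind == "m":
            media, port = value.split()[:2]
            streams.append([media, int(port.split("/")[0]), None])
    return [(m, a or session_addr, p) for m, p, a in streams]


def loopback_media(sip_message):
    """Streams whose RTP address is loopback, so no remote phone can reach it."""
    return [(m, a, p) for m, a, p in rtp_endpoints(sip_message)
            if a and ipaddress.ip_address(a).is_loopback]


if __name__ == "__main__":
    for media, addr, port in loopback_media(SAMPLE_200_OK):
        print(f"{media}: RTP offered at {addr}:{port}, unreachable off-host")
```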
Re: [asterisk-users] Asterisk as a client: can I get the remote SIP server to ignore rport?
On 20.02.2014 22:20, Rusty Newton wrote:

To force RFC3581 support for outbound REGISTER messages, you can set nat=force_rport in the general section of your sip.conf. (This also forces RFC3581 compliance for inbound messages, for any peers that inherit this general option) [...]

Thank you for the suggestion, I just tried that. Unfortunately it doesn't help in my case. The problem remains that my hosting provider is rewriting ports:

Packets on the hosted VM (1.1.1.1) where Asterisk client is running:

    IP 1.1.1.1.5060 > 2.2.2.2.5060: UDP, length 428
    IP 2.2.2.2.5060 > 1.1.1.1.16025: UDP, length 544
    IP 1.1.1.1 > 2.2.2.2: ICMP 1.1.1.1 udp port 16025 unreachable, length 556

And on 2.2.2.2, the remote SIP server (another Asterisk box for testing):

    IP 1.1.1.1.16025 > 2.2.2.2.5060: UDP, length 428
    IP 2.2.2.2.5060 > 1.1.1.1.16025: UDP, length 544
    IP 1.1.1.1 > 2.2.2.2: ICMP 1.1.1.1 udp port 16025 unreachable, length 556

The initial REGISTER received from 1.1.1.1 without force_rport:

    Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK1780c521

And with force_rport enabled:

    Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK279a0a9b;rport

But of course, Asterisk on 2.2.2.2 will reply on the port where the request originated, in the above case, port 16025 which was rewritten from 5060 to 16052 by the evil hosting provider. This is what the Via header looks like when 2.2.2.2 answers to 1.1.1.1:

    Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK279a0a9b;received=1.1.1.1;rport=16025

So, if there would be some kind of implementation that said "Ignore the actual port that the request originated from, instead force answer on a port that is transmitted via some header setting", that would help me.

Some fantasy option in sip.conf:

    nat_rport_forced=5060

Could generate a header in the initial REGISTER from 1.1.1.1 to 2.2.2.2 like this:

    Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK279a0a9b;rport_forced=5060

And now, even though 2.2.2.2 received the request originating from port 16025, it would honor the rport_forced setting and reply back on port 5060 instead of 16025.

Maybe such an option exists, I just haven't found it yet? :)

Thank you!
Markus
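How a server picks the reply address from the Via headers quoted above can be worked through in code. This is an added example, not part of the thread and not Asterisk's code: it applies the response-routing rules of RFC 3261 section 18.2 and RFC 3581 section 4 to those headers. The force_rport argument is a hypothetical switch standing in for a server that applies RFC 3581 handling to every inbound request; only IPv4 or hostname sent-by values are handled.

```python
# Via headers and addresses quoted in the message above.
VIA_PLAIN = "SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK1780c521"
VIA_RPORT = "SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK279a0a9b;rport"
OBSERVED_SOURCE = ("1.1.1.1", 16025)   # what 2.2.2.2 sees after port rewriting


def parse_via(via):
    """Split a Via value into (host, port, params). IPv4/hostname sent-by only."""
    head, *raw_params = via.split(";")
    host, _, port = head.split()[-1].partition(":")
    params = {}
    for raw in raw_params:
        name, _, value = raw.strip().partition("=")
        params[name] = value or None          # a bare "rport" is stored as None
    return host, int(port or 5060), params


def route_response(via, src_ip, src_port, force_rport=False):
    """Return (Via as stamped by the server, (ip, port) the response goes to).

    force_rport is a hypothetical switch modelling a server that applies
    RFC 3581 handling even when the client did not send an rport parameter.
    """
    host, port, params = parse_via(via)
    use_rport = force_rport or "rport" in params
    if use_rport:
        # RFC 3581 section 4: always add received, set rport to the source port.
        params.pop("rport", None)
        params["received"] = src_ip
        params["rport"] = str(src_port)
    elif host != src_ip:
        # RFC 3261 section 18.2.1: received only if sent-by differs from source.
        params["received"] = src_ip
    dest = (params.get("received", host), src_port if use_rport else port)
    stamped = via.split(";")[0] + "".join(
        f";{k}" if v is None else f";{k}={v}" for k, v in params.items())
    return stamped, dest


if __name__ == "__main__":
    for label, via in (("without rport", VIA_PLAIN), ("with rport", VIA_RPORT)):
        stamped, dest = route_response(via, *OBSERVED_SOURCE)
        print(f"{label}: reply to {dest[0]}:{dest[1]}  Via: {stamped}")
```

With rport in play the reply follows the rewritten source port, which is the behaviour the capture shows; a NAT that does not map that port back inbound drops the reply either way.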
Re: [asterisk-users] Asterisk as a client: can I get the remote SIP server to ignore rport?
To be fair NAT is rewriting your SIP packet source port. This happens all day, on almost every NAT device out there. Stop thinking it is purely a port rewriting issue, something else is going on.

Have you set localnet and externip in sip.conf? Maybe the NAT device has a short UDP translation timeout -- try setting qualifyfreq=15 in sip.conf to generate traffic so the NAT box does not close the translations.

Here is an example sip show peers on one of my boxes. Three different locations are shown. The ones you see with 5060 are either not NAT'd or they have a proxy at the customer location. The ones with a different port are NAT'd.

    2212012/2212012  xxx.27.201.xxx  D  N  5060   OK (57 ms)
    2212008/2212008  xxx.27.201.xxx  D  N  5060   OK (50 ms)
    2212000/2212000  xxx.27.201.xxx  D  N  5060   OK (51 ms)
    220810/220810    xxx.242.17.xxx  D  N  53277  OK (728 ms)
    220807/220807    xxx.242.17.xxx  D  N  4121   OK (44 ms)
    220806/220806    xxx.242.17.xxx  D  N  47822  OK (57 ms)
    220805/220805    xxx.242.17.xxx  D  N  31820  OK (44 ms)
    220804/220804    xxx.242.17.xxx  D  N  4175   OK (42 ms)
    220803/220803    xxx.242.17.xxx  D  N  15386  OK (42 ms)
    220802/220802    xxx.242.17.xxx  D  N  28632  OK (44 ms)
    220800/220800    xxx.242.17.xxx  D  N  47043  OK (44 ms)
    219249/219249    xxx.99.200.xxx  D     5060   OK (47 ms)
    219244/219244    xxx.99.200.xx   D     5060   OK (49 ms)

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Markus
Sent: Thursday, February 20, 2014 6:45 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Asterisk as a client: can I get the remote SIP server to ignore rport?
Re: [asterisk-users] Asterisk as a client: can I get the remote SIP server to ignore rport?
On 21.02.2014 01:33, Eric Wieling wrote:

To be fair NAT is rewriting your SIP packet source port. This happens all day, on almost every NAT device out there. Stop thinking it is purely a port rewriting issue, something else is going on.

In the meantime, the provider has reconfigured the VM to work with the public IP address. That means the RFC IP address was removed and the public IP is now configured on the VM directly. The effect is the same, ports on outgoing packets still get rewritten.

Have you set localnet and externip in sip.conf? Maybe the NAT device has a short UDP translation timeout -- try setting qualifyfreq=15 in sip.conf to generate traffic so the NAT box does not close the translations.

Yes, I have played around with local and externaddr. But the IP is not the problem, the port is. I think the translation timeout doesn't matter, because the router rewrites outgoing packets to a different port, but doesn't do so on incoming packets, and that's the issue.

Here is an example sip show peers on one of my boxes. Three different locations are shown. The ones you see with 5060 are either not NAT'd or they have a proxy at the customer location. The ones with a different port are NAT'd.

And I'm pretty sure if you look at any of those peers that have a non-5060 port, the routers in front of them will rewrite packets destined for ports 53277, 4121, 47822 etc. to the proper corresponding internal IP:port where something is listening. The router of my provider won't. It rewrites ports on outgoing packets, but it passes incoming packets 1:1 to the VM.

IMHO, my hosting provider is at fault, and I'm working with them to get it fixed. I was just wondering if there is some magic switch which can fix such a broken scenario.

Thank you!
Markus