Re: [SR-Users] Permissions module question

2016-10-11 Thread Ivan Dudko 
Daniel,

Thank you. It works.

чт, 15 сент. 2016 г. в 15:07, Daniel-Constantin Mierla :

> Hello,
>
> On 14/09/16 09:49, Ivan Dudko wrote:
>
> Hello!
>
> I am new to kamailio and trying to use it vanilla config.
> Now main question is how to use ip based auth.
> I found recent post of Daniel-Constantin Mierla:
> http://lists.sip-router.org/pipermail/sr-users/2011-December/071147.html
> Here he recommends to use 'address' table from permissions module,
>
> I try yo use advice and add this lines at config begin:
> #!define WITH_MYSQL
> #!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio"
> #!define WITH_AUTH
> #!define WITH_IPAUTH
> #!define WITH_USRLOCDB
>
> Database is created and kamailio can access it.
> I am add user 1000 to kamailio via kamctl and successful register it with
> soft-phone.
> I create trunk without registration to kamailio on asterisk server. And
> trying to call from asterisk to user 1000. Call is successful. I try to
> create file /etc/kamailio/permissions.deny with content 'ALL : ALL'. And
> retry previous call. It still sucessful. I try to add record with asterisk
> address to 'address' table with group 1. And retry previous call. It still
> sucessful.
>
> I am confused. I do not now how to disable any address for ip_auth except
> if it in the
> 'address' table. And allow any address with if it request kamailio with
> registration.
>
> forget about the /etc/kamailio/*.deny or *.allow files, they are not
> related to IP matching with address table at all.
>
> If you want to deny traffic from ip addresses stored in address table with
> grp 10, then do:
>
> if(allow_source_address("10")) {
>send_reply("403", "Forbidden");
>exit;
> }
>
> If you want to allow traffic only from ip addresses stored in address
> table with grp 10, then negate the condition, do:
>
> if( ! allow_source_address("10")) {
>send_reply("403", "Forbidden");
>exit;
> }
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierlahttp://www.asipto.com - 
> http://www.kamailio.orghttp://twitter.com/#!/miconda - 
> http://www.linkedin.com/in/miconda
>
> ___
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Re: [SR-Users] Permissions module question

2016-09-15 Thread Daniel-Constantin Mierla 
Hello,


On 14/09/16 09:49, Ivan Dudko wrote:
> Hello!
>
> I am new to kamailio and trying to use it vanilla config.
> Now main question is how to use ip based auth.
> I found recent post of Daniel-Constantin Mierla:
> http://lists.sip-router.org/pipermail/sr-users/2011-December/071147.html
> Here he recommends to use 'address' table from permissions module,
>
> I try yo use advice and add this lines at config begin:
> #!define WITH_MYSQL
> #!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio"
> #!define WITH_AUTH
> #!define WITH_IPAUTH
> #!define WITH_USRLOCDB
>
> Database is created and kamailio can access it.
> I am add user 1000 to kamailio via kamctl and successful register it
> with soft-phone.
> I create trunk without registration to kamailio on asterisk server.
> And trying to call from asterisk to user 1000. Call is successful. I
> try to create file /etc/kamailio/permissions.deny with content 'ALL :
> ALL'. And retry previous call. It still sucessful. I try to add record
> with asterisk address to 'address' table with group 1. And retry
> previous call. It still sucessful.
>
> I am confused. I do not now how to disable any address for ip_auth
> except if it in the
> 'address' table. And allow any address with if it request kamailio
> with registration.
>
forget about the /etc/kamailio/*.deny or *.allow files, they are not
related to IP matching with address table at all.

If you want to deny traffic from ip addresses stored in address table
with grp 10, then do:

if(allow_source_address("10")) {
   send_reply("403", "Forbidden");
   exit;
}

If you want to allow traffic only from ip addresses stored in address
table with grp 10, then negate the condition, do:

if( ! allow_source_address("10")) {
   send_reply("403", "Forbidden");
   exit;
}

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
http://www.asipto.com - http://www.kamailio.org
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda

___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Re: [SR-Users] Permissions module question

2016-09-14 Thread Ivan Dudko 
Hi Tim,

I think in this thread you talk about this commit:
https://github.com/kamailio/kamailio/commit/5d285e90b0f145410acd15a7abf96d3b339a31b5

But i talk about work of function allow_source_address() which have to
check if ip address in the 'address' table.

Like in vanilla config:

#!ifdef WITH_IPAUTH
   if((!is_method("REGISTER")) && allow_source_address()) {
   # source IP allowed
   return;
   }
#!endif

I think this is another problem.


Best Regards,
Ivan Dudko

ср, 14 сент. 2016 г. в 15:41, Tim Balmer :

> Hi Ivan,
>
>
>
> What Kamailio version are you using? If 4.4.2 maybe take a look at the
> thread I started a few weeks back:
> http://lists.sip-router.org/pipermail/sr-users/2016-July/093682.html
>
>
>
> TL;DR: The 4.4.2 release of the permissions module contains some bugs
> which are already fixed by Daniel in the repository. So in case you are
> also dealing with issues caused by this bug you can either manually compile
> the latest GIT version or just use 4.4.1 for now and wait for the 4.4.3
> release.
>
>
>
>
>
> Best Regards,
>
> Tim Balmer
>
>
>
> *Van:* sr-users [mailto:sr-users-boun...@lists.sip-router.org] *Namens *Ivan
> Dudko
> *Verzonden:* woensdag 14 september 2016 09:49
> *Aan:* sr-users@lists.sip-router.org
> *Onderwerp:* [SR-Users] Permissions module question
>
>
>
> Hello!
>
> I am new to kamailio and trying to use it vanilla config.
>
> Now main question is how to use ip based auth.
>
> I found recent post of Daniel-Constantin Mierla:
>
> http://lists.sip-router.org/pipermail/sr-users/2011-December/071147.html
>
> Here he recommends to use 'address' table from permissions module,
>
>
> I try yo use advice and add this lines at config begin:
> #!define WITH_MYSQL
> #!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio"
> #!define WITH_AUTH
> #!define WITH_IPAUTH
> #!define WITH_USRLOCDB
>
> Database is created and kamailio can access it.
>
> I am add user 1000 to kamailio via kamctl and successful register it with
> soft-phone.
>
> I create trunk without registration to kamailio on asterisk server. And
> trying to call from asterisk to user 1000. Call is successful. I try to
> create file /etc/kamailio/permissions.deny with content 'ALL : ALL'. And
> retry previous call. It still sucessful. I try to add record with asterisk
> address to 'address' table with group 1. And retry previous call. It still
> sucessful.
>
> I am confused. I do not now how to disable any address for ip_auth except
> if it in the
> 'address' table. And allow any address with if it request kamailio with
> registration.
>
>
>
> --
>
> Best Regards,
>
> Ivan Dudko
> ___
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Re: [SR-Users] Permissions module question

2016-09-14 Thread Tim Balmer 
Hi Ivan,

What Kamailio version are you using? If 4.4.2 maybe take a look at the thread I 
started a few weeks back: 
http://lists.sip-router.org/pipermail/sr-users/2016-July/093682.html

TL;DR: The 4.4.2 release of the permissions module contains some bugs which are 
already fixed by Daniel in the repository. So in case you are also dealing with 
issues caused by this bug you can either manually compile the latest GIT 
version or just use 4.4.1 for now and wait for the 4.4.3 release.


Best Regards,
Tim Balmer

Van: sr-users [mailto:sr-users-boun...@lists.sip-router.org] Namens Ivan Dudko
Verzonden: woensdag 14 september 2016 09:49
Aan: sr-users@lists.sip-router.org
Onderwerp: [SR-Users] Permissions module question

Hello!
I am new to kamailio and trying to use it vanilla config.
Now main question is how to use ip based auth.
I found recent post of Daniel-Constantin Mierla:
http://lists.sip-router.org/pipermail/sr-users/2011-December/071147.html
Here he recommends to use 'address' table from permissions module,

I try yo use advice and add this lines at config begin:
#!define WITH_MYSQL
#!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio"
#!define WITH_AUTH
#!define WITH_IPAUTH
#!define WITH_USRLOCDB
Database is created and kamailio can access it.
I am add user 1000 to kamailio via kamctl and successful register it with 
soft-phone.
I create trunk without registration to kamailio on asterisk server. And trying 
to call from asterisk to user 1000. Call is successful. I try to create file 
/etc/kamailio/permissions.deny with content 'ALL : ALL'. And retry previous 
call. It still sucessful. I try to add record with asterisk address to 
'address' table with group 1. And retry previous call. It still sucessful.
I am confused. I do not now how to disable any address for ip_auth except if it 
in the
'address' table. And allow any address with if it request kamailio with 
registration.

--
Best Regards,
Ivan Dudko
___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Re: [SR-Users] Permissions module question

2011-12-05 Thread Daniel-Constantin Mierla 

Hello,

for pure IP based auth, it is better to use 'address' table from 
permission module instead of trusted table.


You have to add the trusted IP addresses in address table with grp=1 and 
in the config file have a condition like:


if(allow_source_address()) {
   # source IP is in address table
   ...
}

Cheers,
Daniel

On 12/5/11 4:47 AM, pablo umanzor wrote:

hi, recently i've implemented the module antiflood into kamailio
(3.1.5 from GIT) ,the module works and i can see the ip banned with

kamctl fifo sht_dump ipban

now, when i try to allocate a trusted ip address with permissions module

#!ifdef WITH_IPAUTH
modparam(permissions, db_url, DBURL)
modparam(permissions, db_mode, 1)
modparam(permissions, trusted_table, trusted)
#!endif
--

  if(src_ip!=TRUSTEDIP)

then i make a sipsak flood test from ip address 1.2.3.4 , but the ip
address entered before into trusted table  (1.2.3.4 ) again is banned
with antiflood module

syslog file

: INFO: auth [auth_mod.c:312]: auth: qop set, but nonce-count
(nc_enabled) support disabled
: INFO: permissions [parse_config.c:251]: file not found:
/usr/local/etc/kamailio/permissions.allow
: INFO: permissions [permissions.c:606]: default allow file
(/usr/local/etc/kamailio/permissions.allow) not found =  empty rule
set
: INFO: permissions [parse_config.c:251]: file not found:
/usr/local/etc/kamailio/permissions.deny
:INFO : permissions [permissions.c:615]: default deny file
(/usr/local/etc/kamailio/permissions.deny) not found =  empty rule set


must i to create this files (permissions.allow, deny) to this module
works? or is enough with empty rule set, according with documentation
- there are another options into this module, but i need only enabling
the trusted ip address part.


regards
pablo umanzor

___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users


--
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda


___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Re: [SR-Users] Permissions module question?

2010-06-29 Thread Iñaki Baz Castillo 
2010/6/28 JR Richardson jmr.richard...@gmail.com:
 Kamailio 3.0 permissions module, I see that the address database table
 is cached by default, really the only option.  But there is no MI
 Function to reload the database into cache, you must restart kamailio
 to update the cache for the address table.  Is there any reason the
 reload MI function is not there for the address table?

It is:
http://kamailio.org/docs/modules/stable/modules_k/permissions.html#id2961370

-- 
Iñaki Baz Castillo
i...@aliax.net

___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users