Hi, AFAIK security in SEMS (using the SIP stack) is done directly via iptables, that is, just allow SIP messages from our proxy. The example B2BUA applications (as auth_b2b) don't allow setting an outbound proxy, so they contact the target directly. Linux conntrack makes it possible for UDP responses to come back from the target during some seconds (~120 sec).

So we have a security issue here:

- We secure SEMS by iptables and just allow initial SIP UDP requests coming from our proxy. We use a SEMS b2b application that contacts the SIP target directly (any target/IP). After 120 seconds the target tries to send BYE to SEMS, but the UDP datagram is rejected/dropped by iptables since conntrack already deleted that UDP "connection".
- As an insecure solution we open the SEMS SIP port to the world, so anyone from anywhere could send an INVITE with "P-App-Name" and so on to SEMS, bypassing our proxy (very insecure).
- A not always feasible solution would be adding the possible SIP target IPs to the iptables ACCEPT list, but:
  - Maybe we cannot know which IPs they will be (DNS can change...).
  - This "solution" would allow being hacked from these target IPs.

IMHO the best solution would be allowing an "outbound" parameter to SEMS applications, how easy is it?

Thanks.

--
Iñaki Baz Castillo <[EMAIL PROTECTED]>

_______________________________________________
Semsdev mailing list
[email protected]
http://lists.iptel.org/mailman/listinfo/semsdev
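As an added illustration (not code from the post, SEMS or netfilter), a small Python model of the stateful-filter behaviour the post describes: new datagrams are accepted only from the proxy, replies are accepted while a conntrack-style entry is alive, and the entry lifetime is the ~120 seconds quoted above. Addresses are constructed, and the model ignores ports and conntrack's per-direction details.

```python
"""Model of the iptables/conntrack issue with a B2BUA that contacts targets directly."""
from dataclasses import dataclass, field

PROXY = "10.0.0.1"      # constructed address of our SIP proxy
SEMS = "10.0.0.2"       # constructed address of the SEMS host
TARGET = "203.0.113.5"  # constructed far-end SIP target
UDP_TIMEOUT = 120       # seconds, the conntrack UDP lifetime quoted in the post


@dataclass
class StatefulFilter:
    """Mimics: ESTABLISHED -> ACCEPT; new UDP from proxy -> ACCEPT; else DROP."""
    allowed_new_sources: set
    timeout: int = UDP_TIMEOUT
    entries: dict = field(default_factory=dict)  # (local, remote) -> last_seen

    def outbound(self, dst, now):
        """SEMS sends a datagram to dst; conntrack records the flow."""
        self.entries[(SEMS, dst)] = now

    def inbound(self, src, now):
        """Return True if a datagram from src to SEMS passes the filter."""
        last = self.entries.get((SEMS, src))
        if last is not None and now - last < self.timeout:
            self.entries[(SEMS, src)] = now  # a reply refreshes the entry
            return True
        if src in self.allowed_new_sources:  # whitelisted initial request
            self.entries[(SEMS, src)] = now
            return True
        return False  # no live state and not whitelisted: dropped


def direct_scenario():
    """B2BUA contacts the target directly; its BYE arrives after the timeout."""
    fw = StatefulFilter({PROXY})
    invite_ok = fw.inbound(PROXY, now=0)      # INVITE from our proxy
    fw.outbound(TARGET, now=0)                # SEMS INVITEs the target
    ok_200 = fw.inbound(TARGET, now=1)        # 200 OK within the window
    bye_ok = fw.inbound(TARGET, now=1 + 130)  # BYE 130 s later: state expired
    return invite_ok, ok_200, bye_ok


def outbound_proxy_scenario():
    """With an outbound proxy every datagram goes via the whitelisted proxy."""
    fw = StatefulFilter({PROXY})
    invite_ok = fw.inbound(PROXY, now=0)
    fw.outbound(PROXY, now=0)
    ok_200 = fw.inbound(PROXY, now=1)
    bye_ok = fw.inbound(PROXY, now=1 + 130)   # late BYE still accepted
    return invite_ok, ok_200, bye_ok
```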
