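Hello, Try modifying your code as shown below. sl_send_reply() only sends the 403 response and does not stop script processing, so without the exit; the request continues through the rest of the route even though the source address check failed: " if(!check_source_address("0")){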
sl_send_reply("403", "Forbidden"); exit;" -----Original Message----- From: users-boun...@lists.opensips.org [mailto:users-boun...@lists.opensips.org] On Behalf Of Alejandro Recarey Sent: Monday, January 17, 2011 5:10 AM To: OpenSIPS users mailling list Subject: [OpenSIPS-Users] Problem with the configuration of permissions module Hi all, I have been checking the SIP security of my configuration and am shocked to find out that my configuration is currently not working correctly. I am using OpenSIPS 1.6.2 and the check_source_address function to only allow calls from my own domain but it seems that no matter what I write to the address table, I can always call! That means that any IP address has access to my OpenSIPS server for outbound calls. Now, I am certain that it must be a problem with my configuration of the opensips.cfg file, so any help would be appreciated to find out the problem. I am using the permissions module with the following configuration: mysql> select * from address; +----+-----+---------------+------+------+-------+----------+----------+ | id | grp | ip | mask | port | proto | pattern | context_i| +----+-----+---------------+------+------+-------+----------+----------+ | 1 | 0 | 130.117.93.0 | 25 | 5060 | any | ^sip:.*$ | | +----+-----+---------------+------+------+-------+----------+----------+ My route table is as follows: route{ if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; } if (has_totag()) { # sequential request withing a dialog should # take the path determined by record-routing if (loose_route()) { if (is_method("BYE")) { setflag(1); # do accounting ... setflag(3); # ... even if the transaction fails } else if (is_method("INVITE")) { # even if in most of the cases is useless, do RR for # re-INVITEs alos, as some buggy clients do change route set # during the dialog. record_route(); } # route it out to whatever destination was set by loose_route() # in $du (destination URI). 
route(1); } else { /* uncomment the following lines if you want to enable presence */ ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") { ## # in-dialog subscribe requests ## route(2); ## exit; ##} if ( is_method("ACK") ) { if ( t_check_trans() ) { # non loose-route, but stateful ACK; must be an ACK after # a 487 or e.g. 404 from upstream server t_relay(); exit; } else { # ACK without matching transaction -> # ignore and discard exit; } } sl_send_reply("404","Not here"); } exit; } #initial requests # CANCEL processing if (is_method("CANCEL")) { if (t_check_trans()) t_relay(); exit; } t_check_trans(); if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/ { # Here is where I check that the INVITE comes from my servers if(!check_source_address("0")){ sl_send_reply("403", "Forbidden"); if (!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); exit; } if (!db_check_from()) { sl_send_reply("403","Forbidden auth ID"); exit; } consume_credentials(); # caller authenticated } } # preloaded route checking if (loose_route()) { xlog("L_ERR", "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]"); if (!is_method("ACK")) sl_send_reply("403","Preload Route denied"); exit; } # record routing if (!is_method("REGISTER|MESSAGE")) record_route(); # account only INVITEs if (is_method("INVITE")) { setflag(1); # do accounting } if (!uri==myself) { append_hf("P-hint: outbound\r\n"); # Do not act as an open relay # only allow requests from handled domains if(from_uri==myself){ route(1); } else { sl_send_reply("403", "Not here"); } } # requests for my domain if (is_method("PUBLISH")) { sl_send_reply("503", "Service Unavailable"); exit; } if (is_method("REGISTER")) { # authenticate the REGISTER requests (uncomment to enable auth) if (!www_authorize("", "subscriber")) { www_challenge("", "0"); exit; } if (!db_check_to()) { sl_send_reply("403","Forbidden auth ID"); exit; } if (!save("location")) sl_reply_error(); exit; } if ($rU==NULL) { # 
request with no Username in RURI sl_send_reply("484","Address Incomplete"); exit; } # ROUTING happens here - - - - - - - - - # route[1] { # for INVITEs enable some additional helper routes if (is_method("INVITE")) { t_on_branch("2"); t_on_reply("2"); t_on_failure("1"); } if (!t_relay()) { sl_reply_error(); }; exit; } # request with no Username in RURI sl_send_reply("484","Address Incomplete"); exit; } Thank you in advance, and any explanation of WHERE and WHAT I did wrong would be a great help to secure my installation. Regards, Alex _______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users _______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users