Schneur, can't you use a dyndns sort of service between your client and opensips? You may need a custom crontab script running in 30 sec to update the opensips permission table based on dyndns replies!

On Tue, Jul 31, 2012 at 12:12 PM, Schneur Rosenberg <[email protected]> wrote:

> Ali, problem is that some most customers have dynamic ip's
> On Jul 31, 2012 5:06 AM, "Ali Pey" <[email protected]> wrote:
>
>> Schneur,
>>
>> Not disagreeing with the way you are doing it, but you can use the
>> permissions module for the pbxs only. This way you can add the ips in the
>> address table and keep track of who is allowed and block any other
>> requests. There won't be any script change or reload required. A new pbx
>> would require a new ip address in the table and a reload command.
>>
>> Regards,
>> Ali Pey
>>
>> On Mon, Jul 30, 2012 at 7:39 PM, Schneur Rosenberg <[email protected]> wrote:
>>
>>> Ali I can't compare PBX addresses, we are a voip company and I can't
>>> manually edit my script for every PBX our customer installs, I ended
>>> up doing the avp_db_query() and then rewriting the from header with
>>> uac_replace_from("","sip:$au@$si") which will retrieve the username
>>> from the Proxy-Authorization: field, I had to use uac_replace_from
>>> because $fu is read only.
>>>
>>> On Wed, Jul 25, 2012 at 11:58 PM, Ali Pey <[email protected]> wrote:
>>> > This would work too. Here though you do a db query for each call and can
>>> > slow down the performance if that's important to you. Examining usernames'
>>> > patterns can be faster.
>>> >
>>> > You can also use the registered function instead of a db query:
>>> >
>>> > if (registered("location","$fu")) {
>>> >     xlog("caller is registered\n");
>>> > }
>>> >
>>> > http://www.opensips.org/html/docs/modules/1.8.x/registrar.html#id293162
>>> >
>>> > Regards,
>>> > Ali Pey
>>> >
>>> >
>>> > On Wed, Jul 25, 2012 at 4:23 PM, Schneur Rosenberg
>>> > <[email protected]> wrote:
>>> >>
>>> >> I already did something similar, look at the snippet below, so any call
>>> >> coming from an IP that's registered to our server will always do
>>> >> proxy_authorize(), other calls will assume that it's an unauthenticated
>>> >> DID call or a call going to a local call
>>> >>
>>> >> if (!(method=="REGISTER"))
>>> >> {
>>> >>     avp_db_query("select username from location where contact regexp '$si' or received like 'sip:$si%'","$avp(is_registered)");
>>> >> }
>>> >> if (!(method=="REGISTER") && avp_check("$avp(is_registered)", "gt/1/g"))
>>> >> {
>>> >>     if(!is_from_gw())
>>> >>     {
>>> >>         if (!proxy_authorize("sosglobal", "subscriber"))
>>> >>         {
>>> >>             append_hf("P-hint: Proxy auth failed\r\n");
>>> >>             proxy_challenge("sosglobal", "0");
>>> >>             exit;
>>> >>         }
>>> >>
>>> >>
>>> >>     }
>>> >>
>>> >>
>>> >> On Wed, Jul 25, 2012 at 8:48 PM, Ali Pey <[email protected]> wrote:
>>> >> > Schneur,
>>> >> >
>>> >> > You can examine the src_ip first to see if the call is from your pbx or
>>> >> > not. Then you can also examine the request-uri to distinguish the call
>>> >> > between a pstn call or a sip client - assuming your sip clients have a
>>> >> > different sip address/pattern than pstn numbers.
>>> >> > Things like this:
>>> >> >
>>> >> > if ( src_ip == pbx1_ip || src_ip == pbx2_ip ){
>>> >> >     # From PBXs
>>> >> > }
>>> >> >
>>> >> > if ($rU=~"^\+?[0-9]{3,18}") {
>>> >> >     # request-uri is for a PSTN number, send the message to whatever route(1)
>>> >> > }
>>> >> >
>>> >> > Basically you need to find a difference between the call attributes and
>>> >> > examine that, it can be the src_ip, ruri pattern, etc.
>>> >> >
>>> >> > Regards,
>>> >> > Ali Pey
>>> >> >
>>> >> > On Wed, Jul 25, 2012 at 9:41 AM, Schneur Rosenberg
>>> >> > <[email protected]> wrote:
>>> >> >>
>>> >> >> check_source_address won't work for me, my clients are behind Dynamic
>>> >> >> ip's, there is no way for me to know in advance their ip address
>>> >> >>
>>> >> >> On Mon, Jul 23, 2012 at 8:55 PM, Brett Nemeroff <[email protected]>
>>> >> >> wrote:
>>> >> >> > Scot,
>>> >> >> > the function "is_from_local" uses the From URI and as such, will not
>>> >> >> > work if the originator mangles the from uri (as in the case of your
>>> >> >> > example below).
>>> >> >> >
>>> >> >> > A more secure way to do this that may suit your needs is to use the
>>> >> >> > permissions module and actually check the source IP of the request:
>>> >> >> >
>>> >> >> > http://www.opensips.org/html/docs/modules/1.8.x/permissions.html#id293503
>>> >> >> >
>>> >> >> > Look at the "check_source_address" and or "get_source_group". Either of
>>> >> >> > these can compare the source IP of the originator to a known list. From
>>> >> >> > there, you can perform script logic based on where the request came from.
>>> >> >> >
>>> >> >> > Hope that helps!
>>> >> >> > -Brett
>>> >> >> >
>>> >> >> >
>>> >> >> > On Mon, Jul 23, 2012 at 11:38 AM, Schneur Rosenberg
>>> >> >> > <[email protected]> wrote:
>>> >> >> >>
>>> >> >> >> I'm using opensips as a registrar server and as a loadbalancer, all
>>> >> >> >> phones are registered to opensips and all incoming and outgoing calls
>>> >> >> >> go to Asterisk boxes via load balancing, therefore I have 3 kinds of
>>> >> >> >> calls going to opensips,
>>> >> >> >> 1) outgoing calls coming from one of the phones Registered to opensips,
>>> >> >> >> 2) incoming calls (we allow all incoming calls no matter from where
>>> >> >> >> they come, I call them unauthenticated DID)
>>> >> >> >> 3) Calls ringing to a phone registered to opensips, the Asterisk boxes
>>> >> >> >> will send the calls to the phone either after getting a call from a
>>> >> >> >> DID, or when an internal user wants to call another internal user
>>> >> >> >>
>>> >> >> >> The way I differentiate between the calls is I do an if
>>> >> >> >> (!(method=="REGISTER") && is_from_local()) this will check credentials
>>> >> >> >> and send call to asterisk to process outgoing call, then I do an else
>>> >> >> >> if ((method=="INVITE")) which will check if the call is going to a
>>> >> >> >> local phone by doing if (!lookup("location", "m")) if that fails that
>>> >> >> >> it assumes it's an incoming did call, and it will send it to asterisk
>>> >> >> >> with a prefix so asterisk knows it's an unauthenticated incoming call,
>>> >> >> >> below I pasted a skeleton of the code I'm using.
>>> >> >> >>
>>> >> >> >> Everything worked fine, until I connected a PBX to my opensips, then
>>> >> >> >> the from came in with the address of the PBX and the is_from_local()
>>> >> >> >> test was not true, so it did not work, I had the same problem when
>>> >> >> >> sending a call from a SPA3000 and blocking caller id, in that case it
>>> >> >> >> also obscured the from address, as follows "From: Anonymous
>>> >> >> >> <sip:anonymous@localhost>;tag=ea3ee097cd947aeeo0.", the only
>>> >> >> >> reference of the user or domain was in the RPID field and calls did
>>> >> >> >> not go through.
>>> >> >> >>
>>> >> >> >> Is there any way to check if a source IP is registered to our system
>>> >> >> >> and only then it should send a 407? This way if I have a PBX
>>> >> >> >> registered it will then ask for credentials, all others it will assume
>>> >> >> >> that either a call to the local phone or unauthenticated DID, I
>>> >> >> >> understand that I won't be able to send calls to the system only if
>>> >> >> >> registration was done before, but I have no problem with that, I
>>> >> >> >> could do it with avp_db_query() on the subscriber table, but I want to
>>> >> >> >> know if there is a better way.
>>> >> >> >>
>>> >> >> >> If there is a better solution than the above solution please let
>>> >> >> >> me know
>>> >> >> >>
>>> >> >> >> if (!(method=="REGISTER") && is_from_local())
>>> >> >> >> {
>>> >> >> >>     #check credentials
>>> >> >> >> }
>>> >> >> >> else if ((method=="INVITE")) #unauthenticated did or call going to phone registered to opensips
>>> >> >> >> {
>>> >> >> >>
>>> >> >> >>     if (!lookup("location", "m")) #no registered local phone matches
>>> >> >> >>     {
>>> >> >> >>         #incoming did send call to asterisk to process
>>> >> >> >>     }
>>> >> >> >>     else
>>> >> >> >>     {
>>> >> >> >>         #send to phone registered to opensips
>>> >> >> >>     }
>>> >> >> >> }
>>> >> >> >> else
>>> >> >> >> {
>>> >> >> >>     #outgoing calls route continues here
>>> >> >> >> }
>>> >> >> >> ...................................
>>> >> >> >>
>>> >> >> >> _______________________________________________
>>> >> >> >> Users mailing list
>>> >> >> >> [email protected]
>>> >> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
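
The dyndns-driven update suggested in the reply at the top of this thread, sketched as an added example (not code from the thread or from the OpenSIPS project). Assumptions: the hostnames and the group number are made up, an in-memory SQLite table with a simplified grp/ip/mask/port layout stands in for the real address table, and the script only reports whether a reload of the permissions data is needed.

```python
import ipaddress
import socket
import sqlite3

GROUP = 1  # assumed grp value reserved for dyndns-managed customer PBXs
# Never allow-list an answer pointing at loopback, private or multicast space.
DENY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def resolve(host):
    """Return the set of IPv4 addresses a hostname currently resolves to."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_DGRAM)
    return {info[4][0] for info in infos}

def acceptable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in DENY)

def sync_address_table(db, hosts, resolver=resolve, grp=GROUP):
    """Make grp's rows match the resolved hosts; return True if rows changed."""
    wanted, failed = set(), False
    for host in hosts:
        try:
            wanted |= {ip for ip in resolver(host) if acceptable(ip)}
        except OSError:
            failed = True  # lookup failed: keep existing rows this run
    current = {r[0] for r in
               db.execute("SELECT ip FROM address WHERE grp=?", (grp,))}
    to_add = wanted - current
    to_del = set() if failed else current - wanted
    db.executemany("INSERT INTO address (grp, ip, mask, port) VALUES (?,?,32,0)",
                   [(grp, ip) for ip in sorted(to_add)])
    db.executemany("DELETE FROM address WHERE grp=? AND ip=?",
                   [(grp, ip) for ip in sorted(to_del)])
    db.commit()
    return bool(to_add or to_del)  # reload the permissions cache only if True

def demo():
    db = sqlite3.connect(":memory:")  # stand-in for the real OpenSIPS database
    db.execute("CREATE TABLE address (grp INT, ip TEXT, mask INT, port INT)")
    db.execute("INSERT INTO address VALUES (1, '198.51.100.7', 32, 0)")
    # Constructed DNS answers: one customer moved, one answer is loopback.
    answers = {"pbx-a.example.net": {"203.0.113.25"},
               "pbx-b.example.net": {"127.0.0.1"}}
    changed = sync_address_table(db, answers, resolver=answers.__getitem__)
    rows = [r[0] for r in db.execute("SELECT ip FROM address WHERE grp=1")]
    return changed, rows

if __name__ == "__main__":
    print(demo())
```

An allow-list built this way is only as trustworthy as whoever can update the DNS records, so it narrows which sources reach the proxy_authorize() check from the thread rather than replacing it.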
