Hi Everyone,

I apparently have something in my openser.cfg that is allowing
unauthorized calls to go through to our PSTN gateways. I have included
my config below for review. I would appreciate any help understanding
how this might be happening.

I am currently reviewing the CDRs from my PSTN gateways for clues as well.
This is a pretty basic configuration with no NAT involved.

Regards,
Daryl



# Main request route: entry point for every incoming SIP request.
# NOTE(review): proxy_authorize() is called only in route[3]. This block
# reaches route[3] solely for INVITEs for which loose_route() returned false
# and whose Request-URI is local. The loose_route() branch and both
# `uri!=myself` branches hand the request to t_relay() with no credential
# check, so requests taking those paths are forwarded unauthenticated. If the
# PSTN gateways accept traffic on the strength of this proxy's address (not
# shown in the config -- confirm), those paths are consistent with the
# unauthorized calls reported in this post.
route {

   # -----------------------------------------------------------------
   # Sanity Check Section
   # -----------------------------------------------------------------
   # Stop looping requests: reply 483 when Max-Forwards processing fails.
   if (!mf_process_maxfwd_header("10")) {
       sl_send_reply("483", "Too Many Hops");
       exit;
   };

   # Refuse oversized messages.
   if (msg:len > max_len) {
       sl_send_reply("513", "Message Overflow");
       exit;
   };

   # Flag 1 is set for INVITE/ACK/BYE; what consumes it (presumably
   # accounting) is configured outside the part shown here.
   if (method=="INVITE" || method=="ACK" || method=="BYE") {
       setflag(1);
   };

   # Block INVITEs from users in the "inactive" group, except calls to 911.
   # NOTE(review): this runs before any authentication and keys on the From
   # header exactly as the sender supplied it; nothing in the shown config
   # ties From to the digest credentials checked later, so the group test is
   # only as reliable as that header.
   # NOTE(review): the xlog string below is split across two lines,
   # presumably by e-mail line wrapping rather than in the real file.
   if (method=="INVITE") {
       if (is_user_in("From","inactive")) {
           if (uri =~ "^sip:911@") {
               xlog("L_NOTICE", "[$Tf] R1: $ci -- Allowing 911
Emergency Call on Inactive User\n" );
           } else {
               sl_send_reply("403", "Forbidden");
               xlog("L_NOTICE", "[$Tf] R1: $ci -- User Inactive\n" );
               return;
           };
       };
   };

   # -----------------------------------------------------------------
   # Record Route Section
   # -----------------------------------------------------------------
   # Keep this proxy in the signalling path of everything except REGISTER.
   if (method!="REGISTER") {
       record_route();
   };

   # -----------------------------------------------------------------
   # Loose Route Section
   # -----------------------------------------------------------------
   # NOTE(review): no in-dialog (To-tag) test precedes this branch, so an
   # initial request that arrives with its own Route header is relayed here
   # before any authentication. A tighter form limits this branch to
   # in-dialog requests (e.g. has_totag(), if the uri module in use provides
   # it) and rejects or authenticates initial requests that carry Route.
   if (loose_route()) {
           xlog( "L_NOTICE", "[$Tf] RR: $ci -- Loose Route $rm ($rd).\n" );
           if (!t_relay()) {
                   sl_reply_error();
           };
           return;
   };

   # -----------------------------------------------------------------
   # Call Type Processing Section
   # -----------------------------------------------------------------
   # NOTE(review): any request whose Request-URI host is not one of this
   # proxy's own names/addresses is relayed as-is, for every method and every
   # sender, without authentication -- an open relay. Consider authenticating
   # the sender here, or refusing the request when neither the From domain
   # nor the Request-URI is local.
   if (uri!=myself) {
       route(1);
       return;
   };

   # From here on the Request-URI is local: dispatch by method.
   if (method=="ACK") {
       route(1);
       return;
   } else  if (method=="REGISTER") {
       route(2);
       return;
   } else if (method=="INVITE") {
       route(3);
       return;
   } else  if (method=="BYE" || method=="CANCEL") {
       t_relay();
       exit;
   }

   # Remaining methods: resolve aliases, then the registered contact.
   # NOTE(review): same unauthenticated relay as above once an alias rewrites
   # the Request-URI to a non-local host.
   lookup("aliases");
   if (uri!=myself) {
       route(1);
       return;
   };

   if (!lookup("location")) {
       sl_send_reply("404", "User Not Found");
       return;
   };

   route(1);
}

# Default relay: arms onreply_route[1] and failure_route[2], then forwards the
# request with t_relay().
# No authentication or authorization happens here; whatever reaches this
# route is forwarded to the current destination, so every caller must have
# made its access decision beforehand.
route[1] {

   # -----------------------------------------------------------------
   # Default Message Handler
   # -----------------------------------------------------------------
   t_on_reply("1");
   t_on_failure("2");

   # On relay failure, answer with an error reply.
   if (!t_relay()) {
       sl_reply_error();
   };
}

# REGISTER handler: digest-authenticates against the "subscriber" table and
# stores the contact in the "location" table.
route[2] {

   # -----------------------------------------------------------------
   # REGISTER Message Handler
   # -----------------------------------------------------------------
   sl_send_reply("100", "Trying");

   # Challenge until valid credentials are presented.
   if (!www_authorize("","subscriber")) {
       www_challenge("","0");
       exit;
   };
   # Remove the credentials from the message once they have been verified.
   consume_credentials();

   # NOTE(review): nothing visible checks that the authenticated user matches
   # the To (address-of-record) being registered, e.g. check_to() if the uri
   # module in use provides it. Without that, any valid subscriber could
   # presumably save a contact for another subscriber's address -- confirm.
   if (!save("location")) {
       sl_reply_error();
   };
}

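# INVITE handler for Request-URIs in a local domain (entered from the main
# route). Authenticates senders that are not trusted providers, then routes
# by dialed number: PSTN patterns go to route[4], everything else is looked
# up in the location table and relayed through route[1].
# This is the only place in the shown config where proxy_authorize() runs,
# so requests relayed before reaching this route are never authenticated.
route[3] {

   # -----------------------------------------------------------------
   # INVITE Message Handler
   # -----------------------------------------------------------------
   # Trusted Provider IPs
   # Senders other than the three provider addresses must pass digest
   # authentication against the "subscriber" table; the providers are
   # trusted on source address alone.
   if (!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x) {
       if (!proxy_authorize("","subscriber")) {
           proxy_challenge("","0");
           exit;
       };
       consume_credentials();
       # NOTE(review): the From header is not compared with the digest
       # username (e.g. check_from(), if the uri module in use provides it),
       # yet the is_user_in("From", ...) tests here and in route[4] decide on
       # From. As shown, group membership follows whatever From the caller
       # sends, not the authenticated account.
   };

   # Alias lookup may rewrite the Request-URI to a non-local host; such
   # calls are relayed directly.
   lookup("aliases");
   if (uri!=myself) {
       route(1);
       return;
   };

   # Refuse private (RFC 1918) targets unless the request carries a Route
   # header. The 479 reply is final for this request, so stop here instead
   # of falling through to the PSTN and location logic below. The 172 branch
   # covers the whole 172.16.0.0/12 block and is anchored with a trailing dot
   # so that public 172.16x.* addresses are not caught.
   # NOTE(review): this test sits after the `uri!=myself` relay above, so it
   # only ever sees Request-URIs the proxy treats as local -- presumably it
   # was meant to run before that relay; confirm.
   if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)" && !search("^Route:")){
       sl_send_reply("479", "We do not forward to private IP addresses");
       return;
   };

   if ((uri =~ "^sip:0@")||            /* Operator Assistance */
       (uri =~ "^sip:911@")||          /* 911 Emergency */
       (uri =~ "^sip:411@")||          /* Directory Assistance */
       (uri =~ "^sip:1[0-9]{10}@")) {  /* Domestic PSTN */
       route(4);
       return;
   };

   if (uri=~"^sip:0111[0-9]*@") { # Kill calls to 011+1... (invalid dialing)
       sl_send_reply("406", "Not Acceptable");
       return;
   }

   # NOTE(review): no per-user permission is checked before international
   # dialing; every authenticated subscriber and every trusted provider
   # address can reach this branch. A group test on the authenticated user
   # would limit toll exposure.
   if (uri=~"^sip:011[0-9]*@") { # International PSTN
       if(!is_user_in("From","gateway1")) {
           strip(3); # Remove 011 for Gateway2
       }
       route(4);
       return;
   };

   # Not a PSTN number: deliver to the registered contact.
   if (!lookup("location")) {
       sl_send_reply("404", "User Not Found");
       return;
   };

   route(1);
}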

# PSTN handler: rewrites the request for the gateways, picks the outbound
# socket by group membership, selects a gateway from dispatcher set 1 and
# relays through route[1].
# This route makes no access decision of its own; in the shown config it is
# entered only from route[3].
route[4] {

   # -----------------------------------------------------------------
   # PSTN Handler
   # -----------------------------------------------------------------
   prefix("+"); # add "+" to Request URI
   # NOTE(review): $avp(s:rpid) is presumably filled by the auth module
   # during proxy_authorize(); for the trusted provider addresses no
   # authorization ran in route[3], so the asserted identity may be built
   # from an empty value -- confirm.
   append_hf("P-Asserted-Identity: \"User\"<sip:+1$avp(s:rpid)@x.x.x.x>\r\n");
   uac_replace_from("$fn","sip:[EMAIL PROTECTED]:5060");

   # Choose the sending socket by "gateway1" group membership.
   # NOTE(review): the lookup keys on the From header as received; see the
   # note on unverified From in route[3].
   if(is_user_in("From","gateway1")) {
       force_send_socket(x.x.x.x:5060);
       xlog("L_NOTICE", "[$Tf] Message sent via IP-1\n" );
   } else {
       force_send_socket(x.x.x.x:5060);
       xlog("L_NOTICE", "[$Tf] Message sent via IP-2\n" );
   };

   # Pick the first gateway from dispatcher set 1 (algorithm 0); further
   # gateways are tried from failure_route[2].
   ds_select_domain("1","0");
   route(1);
}

# Reply handler armed by route[1] and failure_route[2]: once a 18x reply is
# seen, gateway failover is switched off for the transaction; every other
# reply is only logged.
onreply_route[1] {

      # we are checking here for a progressing return... ie a 180 Ringing or
      # 183 session progress -- if this occurs we don't care from here on
      # about failures as a gateway is handling the call...

      # NOTE(review): the first xlog string below is split across two lines,
      # presumably by e-mail line wrapping rather than in the real file.
      if( status =~ "18[0-9]" ) {
              xlog( "L_INFO", "[$Tf] ORR: $ci -- SIP-$rs Reset
t_on_failure()\n");
              # "0" clears the failure route set earlier for this transaction.
              t_on_failure("0");
      } else {
              xlog( "L_INFO", "[$Tf] ORR: $ci -- $rs $rr\n" );
      }
}

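# Failure handler armed by route[1]: logs the final failure, stops on 403,
# 486 and 487, and otherwise retries the call on the next dispatcher gateway,
# answering 503 when none is left.
# Comment and log-string lines that the e-mail had wrapped are rejoined here;
# the wrapped comment fragments were not valid configuration text.
failure_route[2] {

      # 408 -- timeout -- typically the end party has not answered
      # Since we cancel t_on_failure() on a provisional response we should
      # not be getting a 408 timeout from a gateway at this stage.. it will
      # just "fall through"
      # If fr_timer expires t_check_status("408") is true, although $rs is
      # <null>
      if( t_check_status("408") ){
              xlog( "L_NOTICE", "[$Tf] FR: $ci -- TIMEOUT for Gateway $rd\n" );
      } else {
              xlog( "L_NOTICE", "[$Tf] FR: $ci -- $rs reason $rr\n" );
      }

      # 403 -- Not a valid number, or possibly no permission to use the gateway
      if( t_check_status("403") ){
              xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Forbidden\n" );
              return;
      }

      # 486 -- User Busy
      if( t_check_status("486") ){
              xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Destination Busy\n" );
              return;
      }

      # 487 -- Request Cancelled (usually in response to a CANCEL transaction)
      if( t_check_status("487") ){
              xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Request Cancelled\n" );
              return;
      }

      # At this stage we try the next gateway, if no next gateway we bail.
      # The reply and failure routes are re-armed so the retry gets the same
      # handling as the first attempt.
      if( ds_next_domain() ){
              t_on_reply("1");
              t_on_failure("2");
              xlog( "L_NOTICE", "[$Tf] FR: $ci Next gateway $fU -> $tU via $rd\n" );
              if( !t_relay() ){
                      xlog( "L_WARN", "[$Tf] FR: $ci -- ERROR - Can not t_relay()\n" );
                      return;
              }
              return;
      } else {
              xlog( "L_WARN", "[$Tf] FR: $ci No more gateways -> 503.\n" );
              t_reply("503", "Service unavailable -- no more gateways" );
              return;
      }
}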
