This would work too. Here though you do a db query for each call and can slow down the performance if that's important to you. Examining usernames' patterns can be faster.<div><br></div><div>You can also use the registered function instead of a db query:</div>
<div><br></div><div><div>if (registered("location","$fu")) {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>xlog("caller is registered\n");</div><div>}</div></div><div>
<br></div><div><a href="http://www.opensips.org/html/docs/modules/1.8.x/registrar.html#id293162">http://www.opensips.org/html/docs/modules/1.8.x/registrar.html#id293162</a> </div><div><br></div><div>Regards,</div><div>Ali Pey<br>
<br><div class="gmail_quote">On Wed, Jul 25, 2012 at 4:23 PM, Schneur Rosenberg <span dir="ltr"><<a href="mailto:rosenberg11219@gmail.com" target="_blank">rosenberg11219@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I already did something similar look at snippet bellow so any call<br>
coming from a IP thats registered to our server will always do<br>
proxy_authorize(), other calls will assume that its a unauthenticated<br>
DID call or a call going to a local call<br>
<br>
if (!(method=="REGISTER"))<br>
{<br>
avp_db_query("select username from location where<br>
contact regexp '$si' or received like<br>
'sip:$si%'","$avp(is_registered)");<br>
}<br>
if (!(method=="REGISTER") && avp_check("$avp(is_registered)", "gt/1/g"))<br>
{<br>
if(!is_from_gw())<br>
{<br>
if (!proxy_authorize("sosglobal", "subscriber"))<br>
{<br>
append_hf("P-hint: Proxy auth failed\r\n");<br>
proxy_challenge("sosglobal", "0");<br>
exit;<br>
<div class="HOEnZb"><div class="h5"> }<br>
<br>
<br>
}<br>
<br>
<br>
On Wed, Jul 25, 2012 at 8:48 PM, Ali Pey <<a href="mailto:alipey@gmail.com">alipey@gmail.com</a>> wrote:<br>
> Schneur,<br>
><br>
> You can examine the src_ip first to see if the call if from your pbx or not.<br>
> Then you can also examine to request-uri to distinguish the call between a<br>
> pstn call or a sip client - assuming your sip clients have a different sip<br>
> address/pattern than pstn numbers. Things like this:<br>
><br>
> if ( src_ip == pbx1_ip || src_ip == pbx2_ip ){<br>
> # From PBXs<br>
> }<br>
><br>
> if ($rU=~"^\+?[0-9]{3,18}") {<br>
> # request-uri is for a PSTN number, send the message to whatever<br>
> route(1)<br>
> }<br>
><br>
> Basically you need to find a difference between the call attributes and<br>
> examine that, it can be the src_ip, ruri pattern, etc.<br>
><br>
> Regards,<br>
> Ali Pey<br>
><br>
> On Wed, Jul 25, 2012 at 9:41 AM, Schneur Rosenberg<br>
> <<a href="mailto:rosenberg11219@gmail.com">rosenberg11219@gmail.com</a>> wrote:<br>
>><br>
>> check_source_address won't work for me, my clients are behind Dynamic<br>
>> ip's, there is no way for me to know in advance their ip address<br>
>><br>
>> On Mon, Jul 23, 2012 at 8:55 PM, Brett Nemeroff <<a href="mailto:brett@nemeroff.com">brett@nemeroff.com</a>><br>
>> wrote:<br>
>> > Scot,<br>
>> > the function "is_from_local" uses the From URI and as such, will not<br>
>> > work if<br>
>> > the originator mangles the from uri (as in the case of your example<br>
>> > below).<br>
>> ><br>
>> > A more secure way to do this that may suit your needs is to use the<br>
>> > permissions module and actually check the source IP of the request:<br>
>> ><br>
>> ><br>
>> > <a href="http://www.opensips.org/html/docs/modules/1.8.x/permissions.html#id293503" target="_blank">http://www.opensips.org/html/docs/modules/1.8.x/permissions.html#id293503</a><br>
>> ><br>
>> > Look at the "check_source_address" and or "get_source_group". Either of<br>
>> > these can compare the source IP of the originator to a known list. From<br>
>> > there, you can perform script logic based on where the request came<br>
>> > from.<br>
>> ><br>
>> > Hope that helps!<br>
>> > -Brett<br>
>> ><br>
>> ><br>
>> > On Mon, Jul 23, 2012 at 11:38 AM, Schneur Rosenberg<br>
>> > <<a href="mailto:rosenberg11219@gmail.com">rosenberg11219@gmail.com</a>> wrote:<br>
>> >><br>
>> >> I'm using opensips as a registrar server and as a loadbalancer, all<br>
>> >> phones are registered to opensips and all incoming and outgoing calls<br>
>> >> go to Asterisk boxes via load balancing, therefore I have 3 kinds of<br>
>> >> calls going to opensips,<br>
>> >> 1) outgoing calls coming from one of the phones Registered to opensips,<br>
>> >> 2) incoming calls (we allow all incoming calls no matter from where<br>
>> >> they come, I call them unauthenticated DID)<br>
>> >> 3) Calls ringing to a phone registered to opensips, the Asterisk boxes<br>
>> >> will send the calls to the phone either after getting a call from a<br>
>> >> DID, or when a internal user wants to call another internal user<br>
>> >><br>
>> >> The way I differentiate between the calls is I do a if<br>
>> >> (!(method=="REGISTER") && is_from_local()) this will check credentials<br>
>> >> and send call to asterisk to process outgoing call, then I do a else<br>
>> >> if ((method=="INVITE")) which will check if the call is going to a<br>
>> >> local phone by doing if (!lookup("location", "m")) if that fails that<br>
>> >> it assumes its a incoming did call, and it will send it to asterisk<br>
>> >> with a prefix so asterisk knows its a unauthenticated incoming call,<br>
>> >> bellow I pasted a skeleton of the code I'm using.<br>
>> >><br>
>> >> Everything worked fine, until I connected a PBX to my opensips, then<br>
>> >> the from came in with the address of the PBX and the is_from_local()<br>
>> >> test was not true, so it did not work, I had the same problem when<br>
>> >> sending a call from a SPA3000 and blocking caller id, in that case it<br>
>> >> also obscured the from address, as follows "From: Anonymous<br>
>> >> <sip:anonymous@localhost>;tag=ea3ee097cd947aeeo0." , the only<br>
>> >> reference of the user or domain was in the RPID field and calls did<br>
>> >> not go through.<br>
>> >><br>
>> >> Is there anyway to check if a source IP is registered to our system<br>
>> >> and only then it should send a 407? this way if I have a BPX<br>
>> >> registered it will then ask for credentials, all others it will assume<br>
>> >> that either a call to the local phone or unauthenticated DID, I<br>
>> >> understand that I wont be able to send calls to the system only if<br>
>> >> registration was done before, but I have no problem with that, I<br>
>> >> could do it with avp_db_query() on the subscriber table, but I want to<br>
>> >> know if there is a better way.<br>
>> >><br>
>> >> If there is there a better solution then the above solution please let<br>
>> >> me<br>
>> >> know<br>
>> >><br>
>> >> if (!(method=="REGISTER") && is_from_local())<br>
>> >> {<br>
>> >> #check credentials<br>
>> >> }<br>
>> >> else if ((method=="INVITE")) #unathenticated did or call<br>
>> >> going to phone registered to opensips<br>
>> >> {<br>
>> >><br>
>> >> if (!lookup("location", "m")) #calling local phone<br>
>> >> {<br>
>> >> #send to phone registered to opensips<br>
>> >> }<br>
>> >> else<br>
>> >> {<br>
>> >> #incoming did send call to asterisk to process<br>
>> >> }<br>
>> >> }<br>
>> >> else<br>
>> >> {<br>
>> >> #outgoing calls route continues here<br>
>> >> }<br>
>> >> ...................................<br>
>> >><br>
>> >> _______________________________________________<br>
>> >> Users mailing list<br>
>> >> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
>> >> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
>> ><br>
>> ><br>
>> ><br>
>> > _______________________________________________<br>
>> > Users mailing list<br>
>> > <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
>> > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
>> ><br>
>><br>
>> _______________________________________________<br>
>> Users mailing list<br>
>> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
>> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
><br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</div></div></blockquote></div><br></div>