Schneur,<div><br></div><div>Not disagreeing with the way you are doing it, but you can use the permissions module for the pbxs only. This way you can add the ips in the address table and keep track of who is allowed and block any other requests. There won't be any script change or reload required. A new pbx would require a new ip address in the table and a reload command. </div>
<div><br></div><div>Regards,</div><div>Ali Pey<br><br><div class="gmail_quote">On Mon, Jul 30, 2012 at 7:39 PM, Schneur Rosenberg <span dir="ltr"><<a href="mailto:rosenberg11219@gmail.com" target="_blank">rosenberg11219@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ali I can't compare PBX addresses, we are a voip company and I can't<br>
manually edit my script for every PBX our customer installs, I ended<br>
up doing the avp_db_query() and then rewriting the from header with<br>
uac_replace_from("","sip:$au@$si") which will retrieve the username<br>
from the Proxy-Authorization: field, I had to use uac_replace_from<br>
because $fu is read only.<br>
<div class="HOEnZb"><div class="h5"><br>
On Wed, Jul 25, 2012 at 11:58 PM, Ali Pey <<a href="mailto:alipey@gmail.com">alipey@gmail.com</a>> wrote:<br>
> This would work too. Here though you do a db query for each call and can<br>
> slow down the performance if that's important to you. Examining usernames'<br>
> patterns can be faster.<br>
><br>
> You can also use the registered function instead of a db query:<br>
><br>
> if (registered("location","$fu")) {<br>
> xlog("caller is registered\n");<br>
> }<br>
><br>
> <a href="http://www.opensips.org/html/docs/modules/1.8.x/registrar.html#id293162" target="_blank">http://www.opensips.org/html/docs/modules/1.8.x/registrar.html#id293162</a><br>
><br>
> Regards,<br>
> Ali Pey<br>
><br>
><br>
> On Wed, Jul 25, 2012 at 4:23 PM, Schneur Rosenberg<br>
> <<a href="mailto:rosenberg11219@gmail.com">rosenberg11219@gmail.com</a>> wrote:<br>
>><br>
>> I already did something similar, look at the snippet below, so any call<br>
>> coming from an IP that's registered to our server will always do<br>
>> proxy_authorize(), other calls will assume that it's an unauthenticated<br>
>> DID call or a call going to a local call<br>
>><br>
>> if (!(method=="REGISTER"))<br>
>> {<br>
>> # look for a registered contact whose address matches the source IP<br>
>> avp_db_query("select username from location where contact regexp '$si' or received like 'sip:$si%'","$avp(is_registered)");<br>
>> }<br>
>> if (!(method=="REGISTER") && avp_check("$avp(is_registered)", "gt/1/g"))<br>
>> {<br>
>> if(!is_from_gw())<br>
>> {<br>
>> if (!proxy_authorize("sosglobal", "subscriber"))<br>
>> {<br>
>> append_hf("P-hint: Proxy auth failed\r\n");<br>
>> proxy_challenge("sosglobal", "0");<br>
>> exit;<br>
>> }<br>
>> }<br>
>> }<br>
>><br>
>><br>
>> On Wed, Jul 25, 2012 at 8:48 PM, Ali Pey <<a href="mailto:alipey@gmail.com">alipey@gmail.com</a>> wrote:<br>
>> > Schneur,<br>
>> ><br>
>> > You can examine the src_ip first to see if the call is from your pbx or<br>
>> > not.<br>
>> > Then you can also examine the request-uri to distinguish the call between<br>
>> > a<br>
>> > pstn call or a sip client - assuming your sip clients have a different<br>
>> > sip<br>
>> > address/pattern than pstn numbers. Things like this:<br>
>> ><br>
>> > if ( src_ip == pbx1_ip || src_ip == pbx2_ip ){<br>
>> > # From PBXs<br>
>> > }<br>
>> ><br>
>> > if ($rU=~"^\+?[0-9]{3,18}") {<br>
>> > # request-uri is for a PSTN number, send the message to whatever<br>
>> > route(1)<br>
>> > }<br>
>> ><br>
>> > Basically you need to find a difference between the call attributes and<br>
>> > examine that, it can be the src_ip, ruri pattern, etc.<br>
>> ><br>
>> > Regards,<br>
>> > Ali Pey<br>
>> ><br>
>> > On Wed, Jul 25, 2012 at 9:41 AM, Schneur Rosenberg<br>
>> > <<a href="mailto:rosenberg11219@gmail.com">rosenberg11219@gmail.com</a>> wrote:<br>
>> >><br>
>> >> check_source_address won't work for me, my clients are behind Dynamic<br>
>> >> ip's, there is no way for me to know in advance their ip address<br>
>> >><br>
>> >> On Mon, Jul 23, 2012 at 8:55 PM, Brett Nemeroff <<a href="mailto:brett@nemeroff.com">brett@nemeroff.com</a>><br>
>> >> wrote:<br>
>> >> > Scot,<br>
>> >> > the function "is_from_local" uses the From URI and as such, will not<br>
>> >> > work if<br>
>> >> > the originator mangles the from uri (as in the case of your example<br>
>> >> > below).<br>
>> >> ><br>
>> >> > A more secure way to do this that may suit your needs is to use the<br>
>> >> > permissions module and actually check the source IP of the request:<br>
>> >> ><br>
>> >> ><br>
>> >> ><br>
>> >> > <a href="http://www.opensips.org/html/docs/modules/1.8.x/permissions.html#id293503" target="_blank">http://www.opensips.org/html/docs/modules/1.8.x/permissions.html#id293503</a><br>
>> >> ><br>
>> >> > Look at the "check_source_address" and or "get_source_group". Either<br>
>> >> > of<br>
>> >> > these can compare the source IP of the originator to a known list.<br>
>> >> > From<br>
>> >> > there, you can perform script logic based on where the request came<br>
>> >> > from.<br>
>> >> ><br>
>> >> > Hope that helps!<br>
>> >> > -Brett<br>
>> >> ><br>
>> >> ><br>
>> >> > On Mon, Jul 23, 2012 at 11:38 AM, Schneur Rosenberg<br>
>> >> > <<a href="mailto:rosenberg11219@gmail.com">rosenberg11219@gmail.com</a>> wrote:<br>
>> >> >><br>
>> >> >> I'm using opensips as a registrar server and as a loadbalancer, all<br>
>> >> >> phones are registered to opensips and all incoming and outgoing<br>
>> >> >> calls<br>
>> >> >> go to Asterisk boxes via load balancing, therefore I have 3 kinds of<br>
>> >> >> calls going to opensips,<br>
>> >> >> 1) outgoing calls coming from one of the phones Registered to<br>
>> >> >> opensips,<br>
>> >> >> 2) incoming calls (we allow all incoming calls no matter from where<br>
>> >> >> they come, I call them unauthenticated DID)<br>
>> >> >> 3) Calls ringing to a phone registered to opensips, the Asterisk<br>
>> >> >> boxes<br>
>> >> >> will send the calls to the phone either after getting a call from a<br>
>> >> >> DID, or when an internal user wants to call another internal user<br>
>> >> >><br>
>> >> >> The way I differentiate between the calls is I do a if<br>
>> >> >> (!(method=="REGISTER") && is_from_local()) this will check<br>
>> >> >> credentials<br>
>> >> >> and send call to asterisk to process outgoing call, then I do a<br>
>> >> >> else<br>
>> >> >> if ((method=="INVITE")) which will check if the call is going to a<br>
>> >> >> local phone by doing if (!lookup("location", "m")) if that fails<br>
>> >> >> then<br>
>> >> >> it assumes it's an incoming DID call, and it will send it to asterisk<br>
>> >> >> with a prefix so asterisk knows it's an unauthenticated incoming call,<br>
>> >> >> below I pasted a skeleton of the code I'm using.<br>
>> >> >><br>
>> >> >> Everything worked fine, until I connected a PBX to my opensips, then<br>
>> >> >> the from came in with the address of the PBX and the<br>
>> >> >> is_from_local()<br>
>> >> >> test was not true, so it did not work, I had the same problem when<br>
>> >> >> sending a call from a SPA3000 and blocking caller id, in that case<br>
>> >> >> it<br>
>> >> >> also obscured the from address, as follows "From: Anonymous<br>
>> >> >> <sip:anonymous@localhost>;tag=ea3ee097cd947aeeo0." , the only<br>
>> >> >> reference of the user or domain was in the RPID field and calls did<br>
>> >> >> not go through.<br>
>> >> >><br>
>> >> >> Is there any way to check if a source IP is registered to our system<br>
>> >> >> and only then it should send a 407? This way if I have a PBX<br>
>> >> >> registered it will then ask for credentials, all others it will<br>
>> >> >> assume<br>
>> >> >> that either a call to the local phone or unauthenticated DID, I<br>
>> >> >> understand that I won't be able to send calls to the system only if<br>
>> >> >> registration was done before, but I have no problem with that, I<br>
>> >> >> could do it with avp_db_query() on the subscriber table, but I want<br>
>> >> >> to<br>
>> >> >> know if there is a better way.<br>
>> >> >><br>
>> >> >> If there is a better solution than the above solution please let me know<br>
>> >> >><br>
>> >> >> if (!(method=="REGISTER") && is_from_local())<br>
>> >> >> {<br>
>> >> >> #check credentials<br>
>> >> >> }<br>
>> >> >> else if ((method=="INVITE")) #unauthenticated did or call going to phone registered to opensips<br>
>> >> >> {<br>
>> >> >><br>
>> >> >> if (!lookup("location", "m")) #calling local phone<br>
>> >> >> {<br>
>> >> >> #send to phone registered to opensips<br>
>> >> >> }<br>
>> >> >> else<br>
>> >> >> {<br>
>> >> >> #incoming did send call to asterisk to process<br>
>> >> >> }<br>
>> >> >> }<br>
>> >> >> else<br>
>> >> >> {<br>
>> >> >> #outgoing calls route continues here<br>
>> >> >> }<br>
>> >> >> ...................................<br>
>> >> >><br>
>> >> >> _______________________________________________<br>
>> >> >> Users mailing list<br>
>> >> >> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
>> >> >> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</div></div></blockquote></div><br></div>
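
The `contact regexp '$si' or received like 'sip:$si%'` lookup quoted in this thread matches more loosely than an address comparison: the `.` in an IP is a regex wildcard, the regex is unanchored, and the `LIKE` is a bare prefix test. The following is an added example, not code from the thread; the table rows and function names are constructed for illustration. It reproduces that matching in Python beside an exact comparison of the parsed URI host.

```python
import re

# Constructed rows standing in for the OpenSIPS `location` table
# (username, contact, received); these are not values from the thread.
LOCATION = [
    ("alice", "sip:alice@203.0.113.10:5060", None),
    ("bob", "sip:bob@192.168.1.20:5060", "sip:198.51.100.7:41234"),
    ("carol", "sip:carol@203.0.113.105:5062", None),
    ("dave", "sip:dave@10.101.1.1:5060", "sip:198.51.100.77:5060"),
]

def loose_match(src_ip, rows=LOCATION):
    """Mimic: contact REGEXP '<src_ip>' OR received LIKE 'sip:<src_ip>%'."""
    pattern = re.compile(src_ip)   # '.' matches any char, search is unanchored
    prefix = "sip:" + src_ip       # LIKE '...%' only tests the prefix
    return [user for user, contact, received in rows
            if pattern.search(contact)
            or (received is not None and received.startswith(prefix))]

# Host part of a sip:/sips: URI, with or without a user part and port.
HOST_RE = re.compile(r"^sips?:(?:[^@]*@)?(\[[^\]]+\]|[^:;>]+)")

def uri_host(uri):
    """Return the host of a SIP URI, or None for a missing/unparsable value."""
    if not uri:
        return None
    m = HOST_RE.match(uri)
    return m.group(1) if m else None

def exact_match(src_ip, rows=LOCATION):
    """Usernames whose contact or received host equals src_ip exactly."""
    return [user for user, contact, received in rows
            if src_ip in (uri_host(contact), uri_host(received))]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "10.1.1.1"):
        print(ip, "loose:", loose_match(ip), "exact:", exact_match(ip))
```

In the setup described in the thread a loose hit only decides whether the request is challenged, so the visible effect of a false match is a 407 sent to a caller that was meant to be treated as an unauthenticated DID call.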