16 Mar
2003
16 Mar
'03
1:01 a.m.
Or perhaps I understand a little bit better now. I think the following script
passage will work better. /Lasse
P.S. To other beginners at SIP: Several clients can't handle the qop parameter
correctly so it is safer to change the "1" to "0" in the challenges.
# REQUESTS DIRECTED TO MY DOMAIN
if (uri=~"[@:]mydomain\.com") {
# Challenge registrations
if (method=="REGISTER") {
if (!www_authorize("mydomain.com", "subscriber")) {
www_challenge("mydomain.com", "1");
break;
};
save("location");
break;
};
# Challenge INVITE request where the sender has my domain in From
if (method=="INVITE") {
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
# REQUESTS DIRECTED TO OTHER DOMAINS
} else {
# Challenge any INVITE request where the sender has my domain in From
if (method=="INVITE") {
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
# Drop INVITE requests where the sender does not have my domain in From
} else {
sl_send_reply("403", "Forbidden");
break;
};
};
};
# forward to current uri now
if (!t_relay()) {
sl_reply_error();
};
On Friday 07 March 2003 00.49, Lasse Jansson wrote:
OK, I see what you mean.
<snip>
> I see two limitations:
> - if you only challenge INVITEs to outside domain, people out of your
> domain can call people in your domain and claim shamelessly your domain
> name in From, which is then sort of rubberstamped by the proxy; so I
> think you can combine challenging based on From along with "anti-spam"
> policy "drop invites which have my domain neither in From nor in r-uri"
> - if you apply such policies to other requests than BYE, you will run into
> troubles, better be permissive about non-INVITEs. See
>
> http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.
>ht ml
>
> -Jiri
>
> At 10:10 PM 3/5/2003, Lasse Jansson wrote:
> >Thanks,
> >
> >One last question: I guess that if I want my server to offer <forwarding
> > of requests to other domains> only to authorized users in my domain I
> > should restrict the last part more, as follows:
> >
> ># For requests to other domains
> > if (!proxy_authorize("mydomain.com",
"subscriber")) {
> > proxy_challenge("mydomain.com",
"1");
> > break;
> > };
> >
> >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in
> > this case)
> >
> >Lasse