Hi Daryl,
maybe you should add some checks to the route 1 (for INVITEs that don't
match "uri==myself"). I don't know your exact setup, but it could be
possible
that sending an INVITE to your proxy with "INVITE <number>@<your pstn
gateway>" is directly t_relayed to your pstn gw.
Regards,
Jonas
Am Mittwoch 28 März 2007 schrieb Daryl Sanders:
Hi Everyone,
I aparently have something in my openser.cfg that is allowing
unauthorized calls to go through to our PSTN gateways. I have included
my config below for review. I would appreciate any help understanding
how this might be happening.
I am currently reviewing the CDRs from my PSTN gateways for clues as well.
This is a pretty basic configuration with no NAT involved.
Regards,
Daryl
route {
# -----------------------------------------------------------------
# Sanity Check Section
# -----------------------------------------------------------------
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483", "Too Many Hops");
exit;
};
if (msg:len > max_len) {
sl_send_reply("513", "Message Overflow");
exit;
};
if (method=="INVITE" || method=="ACK" || method=="BYE")
{
setflag(1);
};
if (method=="INVITE") {
if (is_user_in("From","inactive")) {
if (uri =~ "^sip:911@") {
xlog("L_NOTICE", "[$Tf] R1: $ci -- Allowing 911
Emergency Call on Inactive User\n" );
} else {
sl_send_reply("403", "Forbidden");
xlog("L_NOTICE", "[$Tf] R1: $ci -- User Inactive\n"
);
return;
};
};
};
# -----------------------------------------------------------------
# Record Route Section
# -----------------------------------------------------------------
if (method!="REGISTER") {
record_route();
};
# -----------------------------------------------------------------
# Loose Route Section
# -----------------------------------------------------------------
if (loose_route()) {
xlog( "L_NOTICE", "[$Tf] RR: $ci -- Loose Route $rm
($rd).\n"
); if (!t_relay()) {
sl_reply_error();
};
return;
};
# -----------------------------------------------------------------
# Call Type Processing Section
# -----------------------------------------------------------------
if (uri!=myself) {
route(1);
return;
};
if (method=="ACK") {
route(1);
return;
} else if (method=="REGISTER") {
route(2);
return;
} else if (method=="INVITE") {
route(3);
return;
} else if (method=="BYE" || method=="CANCEL") {
t_relay();
exit;
}
lookup("aliases");
if (uri!=myself) {
route(1);
return;
};
if (!lookup("location")) {
sl_send_reply("404", "User Not Found");
return;
};
route(1);
}
route[1] {
# -----------------------------------------------------------------
# Default Message Handler
# -----------------------------------------------------------------
t_on_reply("1");
t_on_failure("2");
if (!t_relay()) {
sl_reply_error();
};
}
route[2] {
# -----------------------------------------------------------------
# REGISTER Message Handler
# -----------------------------------------------------------------
sl_send_reply("100", "Trying");
if (!www_authorize("","subscriber")) {
www_challenge("","0");
exit;
};
consume_credentials();
if (!save("location")) {
sl_reply_error();
};
}
route[3] {
# -----------------------------------------------------------------
# INVITE Message Handler
# -----------------------------------------------------------------
# Trusted Provider IPs
if (!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x) {
if (!proxy_authorize("","subscriber")) {
proxy_challenge("","0");
exit;
};
consume_credentials();
};
lookup("aliases");
if (uri!=myself) {
route(1);
return;
};
if (uri=~"[@:](192\.168\.|10\.|172\.16)" &&
!search("^Route:")){
sl_send_reply("479", "We do not forward to private IP
addresses");
};
if ((uri =~ "^sip:0@")|| /* Operator Assistance */
(uri =~ "^sip:911@")|| /* 911 Emergency */
(uri =~ "^sip:411@")|| /* Directory Assistance */
(uri =~ "^sip:1[0-9]{10}@")) { /* Domestic PSTN */
route(4);
return;
};
if (uri=~"^sip:0111[0-9]*@") { # Kill calls to 011+1... (invalid
dialing) sl_send_reply("406", "Not Acceptable");
return;
}
if (uri=~"^sip:011[0-9]*@") { # International PSTN
if(!is_user_in("From","gateway1")) {
strip(3); # Remove 011 for Gateway2
}
route(4);
return;
};
if (!lookup("location")) {
sl_send_reply("404", "User Not Found");
return;
};
route(1);
}
route[4] {
# -----------------------------------------------------------------
# PSTN Handler
# -----------------------------------------------------------------
prefix("+"); # add "+" to Request URI
append_hf("P-Asserted-Identity:
\"User\"<sip:+1$avp(s:rpid)@x.x.x.x>\r\n");
uac_replace_from("$fn","sip:+$fU@$fd:5060");
if(is_user_in("From","gateway1")) {
force_send_socket(x.x.x.x:5060);
xlog("L_NOTICE", "[$Tf] Message sent via IP-1\n" );
} else {
force_send_socket(x.x.x.x:5060);
xlog("L_NOTICE", "[$Tf] Message sent via IP-2\n" );
};
ds_select_domain("1","0");
route(1);
}
onreply_route[1] {
# we are checking here for a progressing return... ie a 180 Ringing
or # 183 session progress -- if this occurs we don't care from here on #
about failures as a gateway is handling the call...
if( status =~ "18[0-9]" ) {
xlog( "L_INFO", "[$Tf] ORR: $ci -- SIP-$rs Reset
t_on_failure()\n");
t_on_failure("0");
} else {
xlog( "L_INFO", "[$Tf] ORR: $ci -- $rs $rr\n" );
}
}
failure_route[2] {
# 408 -- timeout -- typically the end party has not answered
# Since we cancel t_on_failure() on a provisional response we
should not be
# getting a 408 timeout from a gateway at this stage.. it will
just "fall through"
# If fr_timer expires t_check_status("408") is true, although
$rs is <null>
if( t_check_status("408") ){
xlog( "L_NOTICE", "[$Tf] FR: $ci -- TIMEOUT for Gateway
$rd\n" ); } else {
xlog( "L_NOTICE", "[$Tf] FR: $ci -- $rs reason $rr\n"
);
}
# 403 -- Not a valid number, or possibly no permission to use the
gateway if( t_check_status("403") ){
xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs
Forbidden\n" );
return;
}
# 486 -- User Busy
if( t_check_status("486") ){
xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Destination
Busy\n" ); return;
}
# 487 -- Request Cancelled (usually in response to a CANCEL
transaction) if( t_check_status("487") ){
xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Request
Cancelled\n" );
return;
}
# At this stage we try the next gateway, if no next gateway we bail.
if( ds_next_domain() ){
t_on_reply("1");
t_on_failure("2");
xlog( "L_NOTICE", "[$Tf] FR: $ci Next gateway $fU ->
$tU via $rd\n" );
if( !t_relay() ){
xlog( "L_WARN", "[$Tf] FR: $ci -- ERROR - Can
not t_relay()\n" );
return;
}
return;
} else {
xlog( "L_WARN", "[$Tf] FR: $ci No more gateways ->
503.\n"
); t_reply("503", "Service unavailable -- no more gateways" );
return;
}
}
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users