Hi,
I'd like to trust HTTP requests from internal subnets and use the trusted table to manage permissions from external networks.
Is there a way to configure permissions.allow to trust everything on a local subnet and use the DB table for everything else? Does the permissions module even work in that way (i.e. to use two sources of trust)?
If so, what is the permissions.allow syntax to trust a CIDR?
Or is it better to split the trust up based on listening ports (i.e. define the route blocks so that requests to the port listening for internal traffic are not subject to the trusted table)?
I guess I could also add the trusted internal subnet to the trusted table, but this would be mixing application level stuff with devops stuff.
TIA,
Ben
On Mon, Mar 5, 2018 at 9:42 AM, Ben Hood 0x6e6562@gmail.com wrote:
I'd like to trust HTTP requests from internal subnets and use the trusted table to manage permissions from external networks.
Is there a way to configure permissions.allow to trust everything on a local subnet and use the DB table for everything else? Does the permissions module even work in that way (i.e. to use two sources of trust)?
If so, what is the permissions.allow syntax to trust a CIDR?
In the end I put a subnet check into the xhttp route:
event_route[xhttp:request] {
    if(src_ip!=172.16.176.0/24) {
        xhttp_reply("403", "Forbidden", "text/html",
            "<html><body>Really not allowed from $si</body></html>");
        exit;
    }
    ...
}
This HTTP event handling appears to be independent of the permissions module, which is what I wanted to achieve.
On 05.03.18 17:40, Ben Hood wrote:
On Mon, Mar 5, 2018 at 9:42 AM, Ben Hood 0x6e6562@gmail.com wrote:
I'd like to trust HTTP requests from internal subnets and use the trusted table to manage permissions from external networks.
Is there a way to configure permissions.allow to trust everything on a local subnet and use the DB table for everything else? Does the permissions module even work in that way (i.e. to use two sources of trust)?
If so, what is the permissions.allow syntax to trust a CIDR?
In the end I put a subnet check into the xhttp route:
event_route[xhttp:request] {
    if(src_ip!=172.16.176.0/24) {
        xhttp_reply("403", "Forbidden", "text/html",
            "<html><body>Really not allowed from $si</body></html>");
        exit;
    }
    ...
}
This HTTP event handling appears to be independent of the permissions module, which is what I wanted to achieve.
I would suggest using the address table with the permissions module, if you want to keep the list of IP or subnet addresses in the database. Then you can use allow_source_address("...") in kamailio.cfg. Inside the address table, you can group addresses by an id, which is then given as a parameter to the config function.
Cheers, Daniel
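The following kamailio.cfg fragment is an added example of what Daniel describes; it is not taken from the thread or from the Kamailio project. It keeps the internal subnet and the external peers in the permissions module's address table, in two different groups, so the xhttp route decides with allow_source_address() instead of a hard-coded src_ip test. The db_url, the group numbers and the table rows shown in the comments are assumptions for the example.

```kamailio
# Added example, not from the thread: trust decisions for HTTP requests
# taken from the permissions module's address table instead of a
# hard-coded subnet in the route block.
loadmodule "db_mysql.so"
loadmodule "permissions.so"
loadmodule "xhttp.so"
loadmodule "xlog.so"

# Assumed database location for the example.
modparam("permissions", "db_url", "mysql://kamailio:kamailiorw@localhost/kamailio")

# Assumed rows in the address table (columns grp, ip_addr, mask, port);
# port 0 means any source port:
#   grp=1, ip_addr="172.16.176.0", mask=24, port=0   -- internal subnet
#   grp=2, ip_addr="203.0.113.10",  mask=32, port=0   -- one external peer
# After editing the table, reload the cache with:
#   kamcmd permissions.addressReload

event_route[xhttp:request] {
    # Group 1: requests from the internal subnet are trusted outright.
    if(allow_source_address("1")) {
        xlog("L_INFO", "http request from internal address $si\n");
    }
    # Group 2: external peers that were explicitly added to the table.
    else if(allow_source_address("2")) {
        xlog("L_INFO", "http request from trusted external address $si\n");
    }
    # Anything else is rejected before any handler runs.
    else {
        xlog("L_WARN", "http request rejected from $si\n");
        xhttp_reply("403", "Forbidden", "text/html",
            "<html><body>Not allowed from $si</body></html>");
        exit;
    }

    # Normal HTTP request handling continues here.
    xhttp_reply("200", "OK", "text/plain", "ok");
}
```

With this layout the internal subnet is an ordinary row in group 1 rather than a literal in the route, so the devops side can change it with an SQL update and a reload, and the external peers in group 2 stay the application-level list; a source address that matches neither group gets the 403 before any other handler sees the request.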