On 7/08/10 3:47 PM, Frank Church wrote:
> On 7 August 2010 03:54, Bruce Ferrell<[email protected]> wrote:
>> On 08/06/2010 07:30 PM, Bruce Ferrell wrote:
>>> On 08/06/2010 02:16 PM, Frank Church wrote:
>>>> On 6 August 2010 16:21, Bruce Ferrell<[email protected]> wrote:
>>>>> On 08/06/2010 07:45 AM, Frank Church wrote:
>>>>>> I have been seeing some attempts to register devices on my Asterisk
>>>>>> and I want to reconfigure it so that devices will be registered only
>>>>>> if they are from the correct address, i.e. 192.168.1.8/255.255.255.255.
>>>>>>
>>>>>> I thought using a config like
>>>>>>
>>>>>> deny=0.0.0.0/0.0.0.0
>>>>>> permit=192.168.1.8/255.255.255.255
>>>>>>
>>>>>> but it is not working the way I thought?
>>>>>>
>>>>>> Does that need a host=static.ip entry to work, rather than the
>>>>>> deny/permit option?
>>>>>>
>>>>>> Does using a host=dynamic setting override any deny/permit and
>>>>>> port=5060 options?
>>>>>>
>>>>>> Does being a peer or a user make a difference here?
>>>>>>
>>>>> I had this same problem once. host=<ip address> or host=dynamic if you
>>>>> want to use permit/deny. Permit/deny and host=dynamic allows a sip peer
>>>>> or user to have a range of addresses.
>>>>>
>>>>> --
>>>>>
>>>> Does permit/deny have any influence on registration, or is it related
>>>> to the destinations it can call to or receive calls from?
>>>>
>>>> How do you stop an asterisk server from accepting registrations when
>>>> the IP is outside a subnet even if the username and secret are
>>>> correct?
>>>>
>>>> When host=dynamic, registrations are accepted even if the permit IP is
>>>> different from the registered device's IP address. Does permit/deny
>>>> work on a single IP address, e.g. 192.168.4.111/255.255.255.2555
>>>>
>>>> The same seems to apply in the [general] section, with contactdeny and
>>>> contactpermit
>>>>
>>>> When I set
>>>>
>>>> contactdeny=0.0.0.0/0.0.0.0
>>>> contactpermit=192.168.4.111/255.255.255.255
>>>>
>>>> Devices whose IP is not 192.168.4.111 are able to register.
>>>>
>>> When I've used permit/deny, I did it in conjunction with insecure set to
>>> port,invite to allow gateways that didn't register and don't use
>>> username/secret to originate calls but only from the ip range in
>>> permit. In fact it was for a provider that had gateways on a large
>>> number of IP addresses, all in the same CIDR block and I didn't want to
>>> do an entry for each of more than 100 gateways.
>>>
>>> contactpermit/contactdeny *should* work as you are suggesting that you
>>> want. I've never tried that. I may attempt it tonight and see on my 1.4
>>> system.
>>>
>>
>> To follow up on my own reply. I just tried this with one of my standard
>> peers that I use for a softphone on a 1.6.2.10 and see the registration
>> attempt come in at the console and a warning comes up
>>
>> : Host '192.0.2.40' disallowed by contact ACL (violating IP 192.0.2.40)
>> : Registration denied because of contact ACL
>>
>> The peer does show in sip show peers and the softphone (twinkle) shows a
>> Registration Fails with a 603 denied.
>>
>> So I'd say it's working
>>
>> --
>
> I am using 1.4.27 and it doesn't seem to work.
>
> I should probably try the 1.6 series

Are you using deny before permit?

--
Cheers,

Matt Riddell
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/exchange.php (Full ITSP Solution)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
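
The ordering question above, as an added example that is not part of the original thread and is not Asterisk's own code: a small Python model of how an ordered permit/deny list is evaluated, assuming the documented Asterisk ACL behaviour that the last matching rule wins and an address matching no rule is allowed. The function names and the sample rule sets are constructed for illustration; the addresses are the ones quoted in the thread.

```python
import ipaddress

def parse_acl(text):
    """Parse permit=/deny= lines into an ordered list of (allow, network)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop sip.conf-style comments
        if not line:
            continue
        key, _, spec = line.partition("=")
        key = key.strip().lower()
        if key not in ("permit", "deny"):
            raise ValueError("not an ACL line: %r" % raw)
        # strict=False clears host bits, so addr/mask always names a network
        net = ipaddress.ip_network(spec.strip(), strict=False)
        rules.append((key == "permit", net))
    return rules

def acl_allows(rules, source_ip):
    """Assumed rule: last matching entry wins; no match means allowed."""
    addr = ipaddress.ip_address(source_ip)
    allowed = True
    for allow, net in rules:
        if addr in net:
            allowed = allow
    return allowed

# Constructed rule sets built from the addresses quoted in the thread.
DENY_FIRST = "deny=0.0.0.0/0.0.0.0\npermit=192.168.1.8/255.255.255.255"
PERMIT_FIRST = "permit=192.168.1.8/255.255.255.255\ndeny=0.0.0.0/0.0.0.0"
PERMIT_ONLY = "permit=192.168.1.8/255.255.255.255"

def compare(source_ip):
    """Return the decision each ordering gives for one source address."""
    return {
        "deny_first": acl_allows(parse_acl(DENY_FIRST), source_ip),
        "permit_first": acl_allows(parse_acl(PERMIT_FIRST), source_ip),
        "permit_only": acl_allows(parse_acl(PERMIT_ONLY), source_ip),
    }

if __name__ == "__main__":
    for ip in ("192.168.1.8", "192.168.1.9"):
        print(ip, compare(ip))
```

Under this model only the deny-then-permit order restricts access to the single host: permit-then-deny blocks every address, and a permit line on its own blocks nothing.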
