Re: How to configure asterisk to only accept SIP from kamailio@localhost but exchange RTP on all interfaces?

Hi Alex,

On Thursday, 20.02.2014, at 13:48 -0500, Alex Villacís Lasso wrote:
> I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following
> the setup guide at
> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb .
> I want to run asterisk and kamailio on the same server, with SIP
> realtime configuration (MySQL database) so that kamailio authenticates
> and then forwards the registration to asterisk on localhost. The setup
> calls for asterisk to be configured to listen for SIP traffic on all
> interfaces, on a nonstandard port (I chose 5080). It also calls for
> blanking of the password for the SIP peer (in my case, a softphone),
> so that it will not request authentication again. I have managed
> to make a call with working audio from the softphone to an extension
> on asterisk through kamailio.
> 
> My concern is that asterisk is left listening for SIP through all
> interfaces and with no SIP passwords. I want to secure the setup
> against directed traffic to the asterisk UDP port (5080), that
> bypasses the kamailio process. I tried setting bindaddr=127.0.0.1 so
> asterisk will only listen for SIP traffic on localhost, but this has
> the side effect of also removing audio - the call appears to be
> successful on the softphone and on the asterisk logs, but no audio is
> actually heard. My theory is that the RTP traffic is being sent to
> kamailio instead of the softphone.
> 
> How can I set up asterisk so that it can send RTP anywhere but reject
> any SIP traffic that does not come from the kamailio process on
> localhost?
> 

If you bind asterisk to 127.0.0.1, I think the media connection is set
for this IP. Your softphone cannot reach the correct 127.0.0.1
(localhost is everywhere).

I would suggest you set up asterisk on the eth0 address or 0.0.0.0. In
sip.conf you could secure your setup with
        deny = 0.0.0.0/0.0.0.0
        permit = Your-LAN-Adress
This way asterisk accepts SIP from your box only.

HTH,

Karsten
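
To check what a deny/permit pair like the one in the reply above admits before loading it, this added example (not part of Karsten's message and not Asterisk code) models the ACL evaluation in Python: rules apply in order and the last matching rule decides, with permit as the default. All addresses are constructed documentation-range values, and 192.0.2.10 is an assumed stand-in for the LAN address placeholder.

```python
import ipaddress

def parse_acl(text):
    """Parse sip.conf-style deny/permit lines into ordered (sense, network) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in sip.conf
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in ("deny", "permit"):
            continue
        # Accepts addr/netmask or addr/prefix; a bare address becomes a /32 host rule.
        rules.append((key.lower(), ipaddress.ip_network(value, strict=False)))
    return rules

def sip_allowed(rules, source):
    """Walk every rule in order; the last one that matches the source wins."""
    addr = ipaddress.ip_address(source)
    verdict = "permit"                           # no matching rule means accept
    for sense, net in rules:
        if addr in net:
            verdict = sense
    return verdict == "permit"

# Constructed sample: the two lines from the reply, with an assumed LAN address.
LAN_ACL = """
deny = 0.0.0.0/0.0.0.0
permit = 192.0.2.10        ; assumed address of the Asterisk/Kamailio box
"""

# Same lines in the opposite order: the trailing deny overrides the permit.
REVERSED_ACL = """
permit = 192.0.2.10
deny = 0.0.0.0/0.0.0.0
"""

# Constructed sources: loopback, the box itself, a LAN neighbour, an outside host.
SOURCES = ["127.0.0.1", "192.0.2.10", "192.0.2.77", "203.0.113.5"]

def report(acl_text):
    """Return {source: accepted?} for every constructed source address."""
    rules = parse_acl(acl_text)
    return {src: sip_allowed(rules, src) for src in SOURCES}

if __name__ == "__main__":
    for name, acl in (("LAN_ACL", LAN_ACL), ("REVERSED_ACL", REVERSED_ACL)):
        for src, ok in report(acl).items():
            print(f"{name:13} {src:13} {'accept' if ok else 'reject'}")
```

Note that with the permit line set to the box's LAN address, SIP arriving from 127.0.0.1 is rejected in this model, so the permitted address has to be the source address Kamailio actually uses when it forwards to Asterisk.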

