<html>Dear,<br /><br /><u>I enabled two softphones with ADDRESS (source IP authorization).</u><br /><br />- codec1 : ip 192.168.30.241/32 5060<br />- codec2 : ip 192.168.30.242/32 5060<br /><br /><u>I enabled one softphone with SUBSCRIBER (user authentication)</u><br /><br />- codec3 : is registered (login/passwd)<br /><br />codec4 is not part of the domain, and it is neither a subscriber nor in the address table.<br /><br /><u>Kamailio proxy</u><br /><br />- kamailio : ip 192.168.30.240/32 5060<br /><br />In kamailio.cfg:<br /><br />ROUTE[AUTH]<div style="color: #d4d4d4;background-color: #1e1e1e;font-family: Consolas, 'Courier New', monospace;font-weight: normal;font-size: 14px;line-height: 19px;white-space: pre;"><div><span style="color: #6a9955;"># IP authorization and user authentication</span></div><div><span style="color: #4ec9b0;">route</span><span style="color: #dcdcaa;">[AUTH]</span><span style="color: #d4d4d4;"> {</span></div><div><span style="color: #569cd6;">#!ifdef WITH_AUTH</span></div> <div><span style="color: #569cd6;">#!ifdef WITH_IPAUTH</span></div><div><span style="color: #d4d4d4;">    </span><span style="color: #c586c0;">if</span><span style="color: #d4d4d4;">((!is_method(</span><span style="color: #ce9178;">"REGISTER"</span><span style="color: #d4d4d4;">)) && allow_source_address()) {</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #6a9955;"># source IP allowed</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #dcdcaa;">return</span><span style="color: #d4d4d4;">;</span></div><div><span style="color: #d4d4d4;">    }</span></div><div><span style="color: #569cd6;">#!endif</span></div> <div><span style="color: #d4d4d4;">    </span><span style="color: #c586c0;">if</span><span style="color: #d4d4d4;"> (is_method(</span><span style="color: #ce9178;">"REGISTER"</span><span style="color: #d4d4d4;">) || </span><span style="color: #9cdcfe;">from_uri</span><span style="color: #d4d4d4;">==</span><span style="color: #569cd6;">myself</span><span style="color: 
#d4d4d4;">) {</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #6a9955;"># authenticate requests</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #c586c0;">if</span><span style="color: #d4d4d4;"> (!auth_check(</span><span style="color: #ce9178;">"$fd"</span><span style="color: #d4d4d4;">, </span><span style="color: #ce9178;">"subscriber"</span><span style="color: #d4d4d4;">, </span><span style="color: #ce9178;">"1"</span><span style="color: #d4d4d4;">)) {</span></div><div><span style="color: #d4d4d4;">            auth_challenge(</span><span style="color: #ce9178;">"$fd"</span><span style="color: #d4d4d4;">, </span><span style="color: #ce9178;">"0"</span><span style="color: #d4d4d4;">);</span></div><div><span style="color: #d4d4d4;">            </span><span style="color: #dcdcaa;">exit</span><span style="color: #d4d4d4;">;</span></div><div><span style="color: #d4d4d4;">        }</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #6a9955;"># user authenticated - remove auth header</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #c586c0;">if</span><span style="color: #d4d4d4;">(!is_method(</span><span style="color: #ce9178;">"REGISTER|PUBLISH"</span><span style="color: #d4d4d4;">))</span></div><div><span style="color: #d4d4d4;">            consume_credentials();</span></div><div><span style="color: #d4d4d4;">    }</span></div><div><span style="color: #d4d4d4;">    </span><span style="color: #6a9955;"># if caller is not local subscriber, then check if it calls</span></div><div><span style="color: #d4d4d4;">    </span><span style="color: #6a9955;"># a local destination, otherwise deny, not an open relay here</span></div><div><span style="color: #d4d4d4;">    </span><span style="color: #c586c0;">if</span><span style="color: #d4d4d4;"> (</span><span style="color: #9cdcfe;">from_uri</span><span style="color: #d4d4d4;">!=</span><span 
style="color: #569cd6;">myself</span><span style="color: #d4d4d4;"> && </span><span style="color: #9cdcfe;">uri</span><span style="color: #d4d4d4;">!=</span><span style="color: #569cd6;">myself</span><span style="color: #d4d4d4;">) {</span></div><div><span style="color: #d4d4d4;">        sl_send_reply(</span><span style="color: #ce9178;">"403"</span><span style="color: #d4d4d4;">,</span><span style="color: #ce9178;">"Not relaying"</span><span style="color: #d4d4d4;">);</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #dcdcaa;">exit</span><span style="color: #d4d4d4;">;</span></div><div><span style="color: #d4d4d4;">    }</span></div> <div><span style="color: #569cd6;">#!else</span></div> <div><span style="color: #d4d4d4;">    </span><span style="color: #6a9955;"># authentication not enabled - do not relay at all to foreign networks</span></div><div><span style="color: #d4d4d4;">    </span><span style="color: #c586c0;">if</span><span style="color: #d4d4d4;">(</span><span style="color: #9cdcfe;">uri</span><span style="color: #d4d4d4;">!=</span><span style="color: #569cd6;">myself</span><span style="color: #d4d4d4;">) {</span></div><div><span style="color: #d4d4d4;">        sl_send_reply(</span><span style="color: #ce9178;">"403"</span><span style="color: #d4d4d4;">,</span><span style="color: #ce9178;">"Not relaying"</span><span style="color: #d4d4d4;">);</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #dcdcaa;">exit</span><span style="color: #d4d4d4;">;</span></div><div><span style="color: #d4d4d4;">    }</span></div> <div><span style="color: #569cd6;">#!endif</span></div><div><span style="color: #d4d4d4;">    </span><span style="color: #dcdcaa;">return</span><span style="color: #d4d4d4;">;</span></div><div><span style="color: #d4d4d4;">}</span></div></div><br />Regarding the condition<br /> <div style="color: #d4d4d4;background-color: #1e1e1e;font-family: Consolas, 'Courier New', 
monospace;font-weight: normal;font-size: 14px;line-height: 19px;white-space: pre;"><div><span style="color: #569cd6;">#!ifdef WITH_IPAUTH</span></div><div><span style="color: #d4d4d4;">    </span><span style="color: #c586c0;">if</span><span style="color: #d4d4d4;">((!is_method(</span><span style="color: #ce9178;">"REGISTER"</span><span style="color: #d4d4d4;">)) && allow_source_address()) {</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #6a9955;"># source IP allowed</span></div><div><span style="color: #d4d4d4;">        </span><span style="color: #dcdcaa;">return</span><span style="color: #d4d4d4;">;</span></div><div><span style="color: #d4d4d4;">    }</span></div><div><span style="color: #569cd6;">#!endif</span></div></div><br /><br /><u><strong>USE CASE :</strong></u><br /><br />If codec4 (not registered and not in the same domain) tries to INVITE codec3 (a subscriber), the INVITE message is sent on to codec3 and codec3 could ACK.<br /><br />(Note: in the route above, a request whose From URI is not local skips the auth_check() branch, and because the request URI is local the "Not relaying" 403 is not sent either, so an INVITE from an unknown source to a local user passes route[AUTH] without IP authorization or authentication.)<br /><br />- But I don't want to allow this INVITE; I would like codec4 not to be able to reach codec3.<br />- But if codec1 or codec2 tries to reach codec3, Kamailio should still allow the INVITE.<br /><br />Best Regards,<br /><br />--<br /><span style="font-size:11pt"><span style="font-family:Calibri, sans-serif"><b><span style="font-size:10.0pt" lang="EN-US"><span style="font-family:'Verdana',sans-serif"><span style="color:#1f497d">Youssef BOUJRAF</span></span></span></b></span></span></html>