OK, I see what you mean. I think the policy you recommend will do just fine in
order to stop the most obvious types of abuse of a sip server. (If you want
more paranoid "firewalling" you need to know sip really well, and there is
always a risk that you stop legal cases).
Thanks for your advice. The following script should do the trick then, huh?
Lasse
# REQUESTS DIRECTED TO MY DOMAIN
if (uri=~"[@:]mydomain\.com") {
    # Challenge registrations (401 with a Digest challenge; "1" asks for qop)
    if (method=="REGISTER") {
        if (!www_authorize("mydomain.com", "subscriber")) {
            www_challenge("mydomain.com", "1");
            break;
        };
        save("location");
        break;
    };
    # Challenge any other request where the sender has my domain in From
    # (407 with a Digest challenge)
    if (search("(f|From).*mydomain\.com")) {
        if (!proxy_authorize("mydomain.com", "subscriber")) {
            proxy_challenge("mydomain.com", "1");
            break;
        };
    };
    # native SIP destinations are handled using our USRLOC DB
    if (!lookup("location")) {
        sl_send_reply("404", "Not Found");
        break;
    };
# REQUESTS DIRECTED TO OTHER DOMAINS
} else {
    # Challenge any request where the sender has my domain in From
    if (search("(f|From).*mydomain\.com")) {
        if (!proxy_authorize("mydomain.com", "subscriber")) {
            proxy_challenge("mydomain.com", "1");
            break;
        };
    # Drop INVITE requests where the sender does not have my domain in From
    # (other methods pass through, as recommended below)
    } else {
        if (method=="INVITE") {
            sl_send_reply("403", "Forbidden");
            break;
        };
    };
};
# forward to current uri now
if (!t_relay()) {
    sl_reply_error();
};
On Wednesday 05 March 2003 23.05, Jiri Kuthan wrote:
Lasse,
I see two limitations:
- if you only challenge INVITEs to outside domain, people out of your
domain can call people in your domain and claim shamelessly your domain
name in From, which is then sort of rubberstamped by the proxy; so I
think you can combine challenging based on From along with "anti-spam"
policy "drop invites which have my domain neither in From nor in r-uri" -
if you apply such policies to other requests than BYE, you will run into
troubles, better be permissive about non-INVITEs. See
http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.html
-Jiri
At 10:10 PM 3/5/2003, Lasse Jansson wrote:
Thanks,
One last question: I guess that if I want my server to offer <forwarding
of requests to other domains> only to authorized users in my domain I
should restrict the last part more, as follows:
# For requests to other domains
if (!proxy_authorize("mydomain.com", "subscriber")) {
    proxy_challenge("mydomain.com", "1");
    break;
};
(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in this
case)
Lasse
On Wednesday 05 March 2003 02.08, Jiri Kuthan wrote:
> At 10:43 PM 3/4/2003, Lasse Jansson wrote:
> >Thanks for your answer !
> >
> >I guess then that the following lines (based on the default script)
> > would work to implement all of Michael's example ?
> >
> >Lasse
> >
> > if (uri=~mydomain.com) {
>
> perhaps better (uri=~"[@:]mydomain\.com"). Everything else seems
> reasonable to me.
>
> -Jiri
>
> _______________________________________________
> Serusers mailing list
> serusers(a)lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
--
Jiri Kuthan
http://iptel.org/~jiri/
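To make the policy in Lasse's script and Jiri's "drop INVITEs which have my domain neither in From nor in r-uri" advice concrete, here is an added Python model of the decision logic. It is not SER code and was not posted to the thread: it parses a SIP request line plus headers and returns the action the ser.cfg fragment would take. The "subscriber" table, the "location" usrloc database, the sample requests and the credential check (a constructed "Simulated user:password" header standing in for SER's Digest exchange) are all assumptions made for this example. One caveat it models only approximately: SER's search() runs its regex over the whole message, while this model applies it to the From line only.

```python
import re

MY_DOMAIN = "mydomain.com"
# Same regex as the ser.cfg test  uri=~"[@:]mydomain\.com"
MY_URI_RE = re.compile(r"[@:]" + re.escape(MY_DOMAIN))
# Same regex as  search("(f|From).*mydomain\.com"), applied here to the From line only
FROM_MINE_RE = re.compile(r"(f|From).*" + re.escape(MY_DOMAIN))

# Constructed stand-ins for the "subscriber" table and the "location" usrloc DB.
SUBSCRIBERS = {"lasse": "s3cret"}
LOCATION = {"lasse": "sip:lasse@192.0.2.10:5060"}


def parse_request(raw):
    """Split a SIP request into (method, request-URI, headers, raw From line)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, ruri, _version = lines[0].split(" ", 2)
    headers, from_line = {}, ""
    for line in lines[1:]:
        if not line.strip():          # end of headers
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "f":               # compact form of From
            name = "from"
        if name == "from":
            from_line = line
        headers[name] = value.strip()
    return method, ruri, headers, from_line


def credentials_ok(value):
    """Simulated credential check (hypothetical header format); SER would run Digest here."""
    if not value or not value.startswith("Simulated "):
        return False
    user, _, password = value[len("Simulated "):].partition(":")
    return SUBSCRIBERS.get(user) == password


def route(raw):
    """Return the action the ser.cfg fragment takes for this request."""
    method, ruri, h, from_line = parse_request(raw)
    from_is_mine = bool(FROM_MINE_RE.search(from_line))

    if MY_URI_RE.search(ruri):                                   # to my domain
        if method == "REGISTER":
            if not credentials_ok(h.get("authorization")):
                return "www_challenge"                           # 401
            return "save"                                        # save("location")
        if from_is_mine and not credentials_ok(h.get("proxy-authorization")):
            return "proxy_challenge"                             # 407
        m = re.match(r"sip:([^@;]+)@", ruri)
        if not m or m.group(1) not in LOCATION:
            return "404"                                         # lookup failed
        return "relay"                                           # t_relay to contact
    # to other domains
    if from_is_mine:
        if not credentials_ok(h.get("proxy-authorization")):
            return "proxy_challenge"                             # spoofed-From case
    elif method == "INVITE":
        return "403"                                             # anti-spam rule
    return "relay"                                               # permissive for non-INVITE


def sip(method, ruri, from_uri, **extra):
    """Build a minimal constructed request; extra kwargs become headers."""
    hdrs = [f"From: <{from_uri}>;tag=1", f"To: <{ruri}>", "Call-ID: c1", f"CSeq: 1 {method}"]
    hdrs += [f"{k.replace('_', '-')}: {v}" for k, v in extra.items()]
    return "\r\n".join([f"{method} {ruri} SIP/2.0"] + hdrs + ["", ""])


# Constructed sample traffic covering each branch of the policy.
EXAMPLES = {
    "register_no_creds": sip("REGISTER", "sip:mydomain.com", "sip:lasse@mydomain.com"),
    "register_with_creds": sip("REGISTER", "sip:mydomain.com", "sip:lasse@mydomain.com",
                               Authorization="Simulated lasse:s3cret"),
    "inbound_invite_to_registered": sip("INVITE", "sip:lasse@mydomain.com", "sip:alice@other.example"),
    "inbound_invite_to_unknown": sip("INVITE", "sip:nobody@mydomain.com", "sip:alice@other.example"),
    "outbound_invite_spoofed_from": sip("INVITE", "sip:bob@other.example", "sip:lasse@mydomain.com"),
    "outbound_invite_authenticated": sip("INVITE", "sip:bob@other.example", "sip:lasse@mydomain.com",
                                         Proxy_Authorization="Simulated lasse:s3cret"),
    "transit_invite": sip("INVITE", "sip:bob@other.example", "sip:alice@other.example"),
    "transit_options": sip("OPTIONS", "sip:bob@other.example", "sip:alice@other.example"),
}

if __name__ == "__main__":
    for name, req in EXAMPLES.items():
        print(f"{name:32s} -> {route(req)}")
```

The "outbound_invite_spoofed_from" case is the one Jiri warns about: an outsider putting mydomain.com in From is challenged rather than rubber-stamped, while "transit_options" shows that the 403 applies to INVITE only, so non-INVITE requests stay permissive.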