Looks reasonable to me. My apologies it has taken so long to reply -- I've been traveling too much.
-Jiri
At 12:01 AM 3/16/2003, Lasse Jansson wrote:
Or perhaps I understand a little bit better now. I think the following script passage will work better.

/Lasse

P.S. To other beginners at SIP: Several clients can't handle the qop parameter correctly so it is safer to change the "1" to "0" in the challenges.
# REQUESTS DIRECTED TO MY DOMAIN
if (uri=~"[@:]mydomain.com") {

    # Challenge registrations
    if (method=="REGISTER") {
        if (!www_authorize("mydomain.com", "subscriber")) {
            www_challenge("mydomain.com", "1");
            break;
        };
        save("location");
        break;
    };

    # Challenge INVITE request where the sender has my domain in From
    if (method=="INVITE") {
        if (search("(f|From).*mydomain.com")) {
            if (!proxy_authorize("mydomain.com", "subscriber")) {
                proxy_challenge("mydomain.com", "1");
                break;
            };
        };
    };

    # native SIP destinations are handled using our USRLOC DB
    if (!lookup("location")) {
        sl_send_reply("404", "Not Found");
        break;
    };

# REQUESTS DIRECTED TO OTHER DOMAINS
} else {

    # Challenge any INVITE request where the sender has my domain in From
    if (method=="INVITE") {
        if (search("(f|From).*mydomain.com")) {
            if (!proxy_authorize("mydomain.com", "subscriber")) {
                proxy_challenge("mydomain.com", "1");
                break;
            };

        # Drop INVITE requests where the sender does not have my domain in From
        } else {
            sl_send_reply("403", "Forbidden");
            break;
        };
    };
};

# forward to current uri now
if (!t_relay()) {
    sl_reply_error();
};
On Friday 07 March 2003 00.49, Lasse Jansson wrote:
OK, I see what you mean.
<snip>
> > I see two limitations:
> > - if you only challenge INVITEs to outside domain, people out of your
> >   domain can call people in your domain and claim shamelessly your domain
> >   name in From, which is then sort of rubberstamped by the proxy; so I
> >   think you can combine challenging based on From along with "anti-spam"
> >   policy "drop invites which have my domain neither in From nor in r-uri"
> > - if you apply such policies to other requests than BYE, you will run into
> >   troubles, better be permissive about non-INVITEs. See
> >
> >   http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.html
> >
> > -Jiri
> >
> > At 10:10 PM 3/5/2003, Lasse Jansson wrote:
> > >Thanks,
> > >
> > >One last question: I guess that if I want my server to offer <forwarding
> > > of requests to other domains> only to authorized users in my domain I
> > > should restrict the last part more, as follows:
> > >
> > ># For requests to other domains
> > > if (!proxy_authorize("mydomain.com", "subscriber")) {
> > >     proxy_challenge("mydomain.com", "1");
> > >     break;
> > > };
> > >
> > >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in
> > > this case)
> > >
> > >Lasse
-- Jiri Kuthan http://iptel.org/~jiri/
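
Added example, not part of the original thread and not code from the SER project: a Python sketch that compares the From test as posted in the script above with an exact comparison of the From URI host, run over constructed SIP messages. It assumes the posted pattern is applied line by line to the raw message text; the helper names and sample messages are hypothetical.

```python
import re

MY_DOMAIN = "mydomain.com"  # placeholder domain used throughout the thread

# Pattern exactly as posted in the script: unescaped dot, not tied to a header.
POSTED_RE = re.compile(r"(f|From).*mydomain.com")
# Assumed stricter check: locate the From header (or compact form "f"),
# then compare the URI host exactly.
FROM_LINE_RE = re.compile(r"^(?:From|f)[ \t]*:(.*)$", re.I | re.M)
URI_HOST_RE = re.compile(r"sips?:(?:[^@>\s;]*@)?([^:;>\s]+)", re.I)

def posted_match(raw_msg):
    """Apply the posted pattern to each line of the raw message text."""
    return any(POSTED_RE.search(line) for line in raw_msg.splitlines())

def from_host(raw_msg):
    """Return the lower-cased host of the From URI, or None if absent."""
    line = FROM_LINE_RE.search(raw_msg)
    if not line:
        return None
    host = URI_HOST_RE.search(line.group(1))
    return host.group(1).lower() if host else None

def strict_match(raw_msg):
    """True only when the From URI host equals MY_DOMAIN exactly."""
    return from_host(raw_msg) == MY_DOMAIN

def _invite(*headers):
    # Constructed sample message; only the headers under test are included.
    start = ("INVITE sip:bob@example.org SIP/2.0",)
    return "\r\n".join(start + headers) + "\r\n\r\n"

SAMPLES = {
    "own user":     _invite("From: <sip:alice@mydomain.com>;tag=1"),
    "compact form": _invite("f: <sip:alice@mydomain.com>;tag=1"),
    "longer host":  _invite("From: <sip:eve@notmydomain.com>;tag=1"),
    "dot wildcard": _invite("From: <sip:eve@mydomainxcom.net>;tag=1"),
    "other header": _invite("From: <sip:eve@example.org>;tag=1",
                            "Subject: call for sales@mydomain.com"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:13} posted={posted_match(msg)!s:5} "
              f"strict={strict_match(msg)!s:5} host={from_host(msg)}")
```

In the last three samples the posted pattern treats the sender as local, so the proxy would challenge a caller who has no credentials in the realm; the exact host comparison does not.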