Thanks Arsen

My perspective is evolving and I see we can go with two alternate scenarios
- we can register everything to Kamailio and then let Asterisk find the clients at Kamailio as well as accept clients from Kamailio. This requires some testing for us to make sure Asterisk thinks of the UAs happily but we have that kind of working ok with repro but want to step up to Kamailio
- Alternately we can proxy through Kamailio to Asterisk which is more standard and if we implement the various security checks that will help a lot. How hard is it to also add a check that the user registration passed through is in an approved list, and then to segregate that by trusted networks and external networks? I am thinking it's just another check in the registration route block that looks up a db table for the source IP and the registration details.
- where should I put such a check? Is it one place or many?

I think we like option 2 for now. One day we can move to option 1 and just use asterisk as a media server and have kamailio be the full front end

Cheers Duncan
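
One way to write the check asked about above, as an added example in Kamailio routing script; it is not part of the thread and not the Kamailio project's own configuration. It assumes a route named REG_POLICY, an htable named regallow loaded from a DB table reg_allow whose keys are the approved usernames, trusted networks stored as group 1 of the permissions module's address table, and the DBURL define from the stock kamailio.cfg; all of these names are illustrative.

```kamailio
# Added example. Assumed names: REG_POLICY, regallow, reg_allow, group 1, DBURL.
loadmodule "sl.so"            # sl_send_reply()
loadmodule "textops.so"       # is_method()
loadmodule "xlog.so"          # xlog()
loadmodule "permissions.so"   # allow_source_address()
loadmodule "htable.so"        # $sht() in-memory lookups loaded from the DB

modparam("permissions", "db_url", DBURL)
modparam("htable", "db_url", DBURL)
# Approved usernames are the keys of the (assumed) reg_allow table,
# loaded into memory at startup so no SQL query runs per request.
modparam("htable", "htable", "regallow=>size=8;dbtable=reg_allow;")

# Call once from request_route, before the REGISTER is authenticated
# or relayed to Asterisk:
#     route(REG_POLICY);
route[REG_POLICY] {
    if (!is_method("REGISTER")) {
        return;
    }

    # Trusted networks: the source IP matches group 1 of the
    # permissions "address" table, so any extension may register.
    if (allow_source_address("1")) {
        return;
    }

    # External networks: the user part of the To header (the address
    # of record being registered) must be on the approved list.
    if ($sht(regallow=>$tU) == $null) {
        xlog("L_WARN", "REGISTER for $tU from $si rejected: not on approved list\n");
        # The reply is the same whether or not the extension exists on
        # Asterisk, so it gives a scanner nothing to tell them apart.
        sl_send_reply("403", "Forbidden");
        exit;
    }
}
```

A REGISTER is sent outside any dialog, so a single call in request_route covers registrations; other methods such as INVITE need their own policy check.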




On Thu, Jul 29, 2021 at 9:50 PM Arsen Semenov <arsperger@gmail.com> wrote:
Hi Duncan,

There are plenty of options here.

I think here is a good place to start: https://www.kamailio.org/wiki/tutorials/security/kamailio-security

You also can check https://www.apiban.org/doc.html


Regards,

On Thu, Jul 29, 2021 at 8:37 AM Duncan Turnbull <duncan@turnbull.co.nz> wrote:
Hi Arsen

Thanks very much, I am looking at that now

Is there an easy way to control the extensions that are proxied through to Asterisk so that we restrict the ability of outside scanning of extension lists? I would like to limit the registrations for extensions passed through to Asterisk that come from unknown / external IPs.

Thanks again

Cheers Duncan

On Wed, Jul 28, 2021 at 11:11 PM Arsen Semenov <arsperger@gmail.com> wrote:
You can check how Path works, it is described in RFC 3327, this is probably what you need.
From the Asterisk side, however, I can't tell whether it is supported by pjsip; there was some issue as far as I know, but at least chan_sip should support it.
Also see the docs for the Kamailio registrar module.
What do you mean by "limit the user ids that go through to asterisk"?

On Wed, Jul 28, 2021 at 12:50 PM Duncan Turnbull <duncan@turnbull.co.nz> wrote:
Hi Arsen

Thanks very much for your reply

We were using repro which does that but are interested in the wider capabilities of kamailio.

We are wanting to limit the user ids that go through to asterisk and eventually have two kamailio servers that provide some failover

I saw a slide pack from Fred Posner talking about fronting Asterisk with Kamailio and I probably jumped to uac without fully understanding what its purpose is.

I also saw that shared line appearance can be simulated using kamailio, and perhaps it needs the uac module to achieve that.

My general understanding is new and growing so I am grateful for all advice or questions 

Thanks again

Cheers Duncan

On 28/07/2021, at 3:34 PM, Arsen Semenov <arsperger@gmail.com> wrote:


Hi Duncan,

This scenario is quite new for me, not sure I got it right... but why have you decided not to proxy requests to Asterisk?
By leveraging Path and Record-route headers Asterisk will know how to route the response back as well as new requests. 
And the proxy will know how to handle them.
This is how kamailio is usually set as a front-end for media servers. 



On Wed, Jul 28, 2021 at 8:35 AM Duncan Turnbull <duncan@turnbull.co.nz> wrote:
Hi there

I am a new user of Kamailio and we are trying to use it as a front end for our Asterisk PBX. We are running on Ubuntu 18.04 and Kamailio 5.3.8 with Siremis

Rather than proxying the request through to Asterisk we are trying to use uacreg to send a login to Asterisk. Asterisk will think all the users appear from the proxy but that's okay. Initially this is just for external users but eventually all phones etc will register via Kamailio and we will have the trunks there (and split them across another Kamailio but that's another job)

If I add a user to the uacreg then when I register to Kamailio it sends a register request but to the realm in the uacreg table and the matching port Kamailio is running on.

Is this because somewhere we have set Kamailio to directly proxy on and we need to turn that off first?

This is our uacreg table

mysql> select * from uacreg;
+----+--------+------------+------------+------------+-----------+-----------+---------------+---------------+----------+--------------------+---------+-------+-----------+--------+
| id | l_uuid | l_username | l_domain   | r_username | r_domain  | realm     | auth_username | auth_password | auth_ha1 | auth_proxy         | expires | flags | reg_delay | socket |
+----+--------+------------+------------+------------+-----------+-----------+---------------+---------------+----------+--------------------+---------+-------+-----------+--------+
|  1 | testuser | testuser     | ourdomain.com | 88         | 10.8.8.20 | 10.8.8.20 | 88            | password  | ''       | sip:10.8.8.20:5060 |     360 |     0 |         3 |        |
+----+--------+------------+------------+------------+-----------+-----------+---------------+---------------+----------+--------------------+---------+-------+-----------+--------+
1 row in set (0.00 sec)

All pointers, guides and recommendations will be welcome

Thanks very much

Cheers Duncan




__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
  * sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


--
Arsen Semenov
