I have configured Kamailio with two domains, sscc1.tk and sscc2.tk. It listens on both domains. Each domain has users registered with it. A user in domain sscc1 can call a user in domain sscc2. I want to allow calls between users of the same domain and block calls between users of domain sscc1 and domain sscc2. Please help.
-- View this message in context: http://sip-router.1086192.n5.nabble.com/blocking-call-in-between-two-kamaili... Sent from the Users mailing list archive at Nabble.com.
Hello,
first be sure you enable the use_domain parameter for the relevant modules (e.g., usrloc, auth_db, ...) -- in this way you ensure that x@domain1 is different than x@domain2.
Then testing if the domain of the callee is the same as the domain of the caller can be done with:
if($rd!=$fd) { send_reply("403", "Call outside the domain"); exit; }
Cheers, Daniel
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On Tuesday 01 September 2015 08:58:30 Daniel-Constantin Mierla wrote:
if($rd!=$fd) { send_reply("403", "Call outside the domain"); exit; }
What is stopping people from setting $fd to the desired domain? Isn't $ad a better var. for this since it isn't dependent on user supplied data (well it is but then authentication will fail). Otherwise $fd should be used for authentication challenge/response.
On 01/09/15 10:08, Daniel Tryba wrote:
On Tuesday 01 September 2015 08:58:30 Daniel-Constantin Mierla wrote:
if($rd!=$fd) { send_reply("403", "Call outside the domain"); exit; }
What is stopping people from setting $fd to the desired domain? Isn't $ad a better var. for this since it isn't dependent on user supplied data (well it is but then authentication will fail). Otherwise $fd should be used for authentication challenge/response.
The From domain is used to fetch the password along with the authentication username, so should be safe, because if the user uses the wrong domain, it won't get the password from db.
The authorization header might not carry any domain for the user; from a quick look at the source, $ad is pointing to the domain part of the username attribute in the authorization header. From my experience, username without domain in authorization header is common.
Also, there should be checks that do not allow a From address that is not associated with the authentication username; with the Kamailio default config we enforce that the From username is the same as the auth username.
Cheers, Daniel
Thank you so much, Daniel-Constantin Mierla and Daniel Tryba, for the guidance.
One more question: where to put this code? In invite? Or registrar?
Regards, sscc.
On 01/09/15 11:30, Daniel Tryba wrote:
On Tuesday 01 September 2015 02:12:04 sscc wrote:
one more question where to put this code? in invite? or registrar?
It only makes sense for invites. Probably best to do it immediately after lookup()/alias_db_lookup().
Actually, lookup will change the r-uri to the contact address of the target, which should be the local IP for the target phone/app. It is better to put the condition before.
Cheers, Daniel
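The points made across the thread (use_domain on the modules, authentication against the From domain, and the domain comparison placed before lookup()) put together as one configuration fragment. This is an added example, not configuration posted by anyone in the thread: the route names AUTH, SAME_DOMAIN_ONLY and LOCATION and the "subscriber" and "location" table names are assumptions, and the fragment is meant to be merged into a config that already loads sl, tm, textops, auth, auth_db, usrloc and registrar.

```kamailio
# Added example. The modparam lines belong after the loadmodule lines.
# With use_domain on, x@sscc1.tk and x@sscc2.tk are separate accounts
# and separate location records.
modparam("auth_db", "use_domain", 1)
modparam("usrloc", "use_domain", 1)

request_route {
    # Per-request sanity checks and in-dialog handling come first (not shown).
    route(AUTH);

    if (is_method("REGISTER")) {
        if (!save("location")) sl_reply_error();
        exit;
    }

    # Compare domains while $rd is still the dialled domain,
    # i.e. before lookup() rewrites the R-URI to the callee's contact.
    if (is_method("INVITE")) route(SAME_DOMAIN_ONLY);

    route(LOCATION);
}

route[AUTH] {
    if (is_method("REGISTER") || from_uri == myself) {
        # The realm is the From domain, so credentials are fetched for
        # user@$fd. Flag "1" also requires the From (To for REGISTER)
        # username to match the authentication username.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        if (!is_method("REGISTER|PUBLISH")) consume_credentials();
    }
}

route[SAME_DOMAIN_ONLY] {
    # $fd has been authenticated in route[AUTH] at this point.
    if ($rd != $fd) {
        send_reply("403", "Call outside the domain");
        exit;
    }
}

route[LOCATION] {
    if (!lookup("location")) {
        send_reply("404", "Not Found");
        exit;
    }
    t_relay();
}
```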