[Serusers] Minor Help

Terry Mac Millan serweb at finian.net
Fri Feb 11 14:39:11 CET 2005


Good day all,
I am running ser-0.8.14 and sems 2004-07-27 on a Linux box with the config
attached below.
As the config stands at the moment, it logs BYE and PRACK traffic to syslog
and the MySQL database. I have tried a few places to get it to log the
INVITEs so that I can account for the traffic.
This config is also a slightly modified version of the sample config from
the SIP.edu cookbook. At present I do not have a gateway box to the PSTN.
If possible, could someone with more knowledge of ser help me clean up the
route statements and point out the correct place to put the setflag(1); so
that INVITEs are recorded in the accounting logs? Alternatively, could
someone provide a config that does what I am looking for, which I can adjust
to my setup and get working on my machine?

Thanks
Terry

----- Attached ser.cfg file -----

# ------------- version 0.8.11-0
# ------------- Initial global variables

# Core server settings: logging, listening sockets, worker processes and the
# identity the daemon runs under.

debug=3
fork=yes
log_stderror=no

listen=216.94.106.12
listen=127.0.0.1

# hostname matching an alias will satisfy the condition "uri==myself".

# dns - Uses dns to check if it is necessary to add a "received=" field
# to a via. Default is no.
# rev_dns - Same as dns but use reverse DNS.

dns=no
rev_dns=no

port=5061
children=4

# check_via - Turn on or off Via host checking when forwarding replies.
# Default is no. arcane. looks for discrepancy between name and
# ip address when forwarding replies.

check_via=yes

# syn_branch - Shall the server use stateful synonym branches? It is
# faster but not reboot-safe. Default is yes.

#syn_branch=yes

# memlog - Debugging level for final memory statistics report. Default
# is L_DBG -- memory statistics are dumped only if debug is set high.

memlog=3

# sip_warning - Should replies include extensive warnings? By default
# yes, it is good for trouble-shooting.

sip_warning=yes

# fifo - FIFO special file pathname
# NOTE(review): the FIFO is the server's management interface and it is
# created here in /tmp, a world-writable directory. Confirm that the FIFO's
# ownership and mode limit who can write to it, or move it to a directory
# only the administrator and the ser account can reach.

fifo="/tmp/ser_fifo"

# server_signature - Should locally-generated messages include server's
# signature? By default yes, it is good for trouble-shooting.
# NOTE(review): the signature also tells any remote party which server
# software is answering; weigh that against the trouble-shooting benefit.

server_signature=yes

# reply_to_via - A hint to reply modules whether they should send reply
# to IP advertised in Via. Turned off by default, which means that
# replies are sent to IP address from which requests came.

reply_to_via=no

# user | uid - uid to be used by the server. 99 = nobody.
# NOTE(review): uid is commented out while gid is set, so only the group is
# changed. If ser is started as root it presumably keeps running with the
# root uid -- confirm, and set an unprivileged uid alongside the gid.

#uid="sip"

# group | gid - gid to be used by the server. 99 = nobody.

gid="sip"

# mhomed -- enable calculation of outbound interface; useful on
# multihomed servers.

mhomed=0

# ------------- external module loading

# Modules are loaded by absolute path; the modparam() and routing sections
# below can only use functions from modules listed here.
# NOTE(review): no exec or print function is called anywhere in the routing
# blocks of this file. exec exists to run external commands from the script,
# so if it is not needed, dropping it (and print) keeps the loaded code to
# what the routes actually use.
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"
loadmodule "/usr/local/lib/ser/modules/exec.so"
loadmodule "/usr/local/lib/ser/modules/group.so"
loadmodule "/usr/local/lib/ser/modules/print.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"

# ------------- tm parameters

# Per-module parameters for tm, rr, acc, usrloc and auth_db.
# NOTE(review): three db_url values below embed the database password (shown
# redacted as xxxx in this post), so the real ser.cfg should be readable only
# by the administrator and the account ser runs under.

# transaction timers, in seconds
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)

# ------------- rr parameters

# set ";lr" tag to ";lr=true"
modparam("rr", "enable_full_lr", 1)

# ------------- accounting parameters

# Flag 1 marks a request for accounting to both syslog (log_flag) and the
# database (db_flag); flag 3 marks it for missed-call reporting. A request
# is only accounted if the routing script has called setflag() with the
# matching number before relaying it.
modparam("acc", "db_missed_flag", 3)
modparam("acc", "db_flag", 1)
modparam("acc", "log_missed_flag", 3)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_url", "sql://ser:xxxx@localhost/ser")
modparam("acc", "report_cancels", 0)
modparam("acc", "report_ack", 0)
modparam("acc", "log_fmt", "cdfimorstup")
modparam("acc", "failed_transactions", 1)

# ------------- usrloc parameters

# 2 enables write-back to persistent mysql storage for speed
# disable=0, write-through=1
modparam("usrloc", "db_mode", 2)

# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 10)

# database location
modparam("usrloc", "db_url", "sql://ser:xxxx@localhost/ser")

# ------------- auth parameters

# database location
modparam("auth_db", "db_url", "sql://ser:xxxx@localhost/ser")

# allows clear text passwords in the mysql database
# NOTE(review): with this setting every subscriber password is stored in
# readable form, so a copy of the database or a backup discloses all of
# them. Storing the precomputed HA1 digest and turning calculate_ha1 off
# avoids keeping the passwords themselves -- confirm the subscriber table
# can be migrated.
modparam("auth_db", "calculate_ha1", yes)

# name of password column in mysql database
modparam("auth_db", "password_column", "password")

# ------------- routing logic
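# Main request route. Order of processing: hop-limit and private-address
# checks, loose routing, hand-off of non-local request URIs to route(2),
# REGISTER authentication and storage, alias and location lookup, and
# finally a stateful relay to the registered contact.
#
# NOTE(review): flag 1 (the acc module's log_flag/db_flag in the modparam
# section) is never set in this block, so requests relayed from here are
# only marked for missed-call reporting (flag 3), not for regular accounting.
route {

  # ------------- routine checks

  # stop forwarding at 10 hops to prevent infinite loops
  if (!mf_process_maxfwd_header("10")) {
    log(1, "LOG: Too many hops\n");
    sl_send_reply("483", "Too many hops");
    break;
  };

  # prevents private ip space from being used
  # NOTE(review): only REGISTER is rejected; other methods carrying such a
  # Contact pass through. The pattern covers 192.168.x.x, 10.x.x.x and
  # 172.16 only: 172.17 - 172.31 are not matched, and because nothing
  # follows the "16" it also matches public addresses such as 172.160.x.x.
  if (search("^(Contact|m): .*@(192\.168\.|10\.|172\.16)")) {
    if (method=="REGISTER") {
      log(1, "LOG: Someone trying to register from private IP\n");
      sl_send_reply("479", "Please don't use private IP addresses" );
      break;
    };
  };

  # separate the destination r-uri from the set of proxies that must be
  # traversed
  loose_route();

  # if the host portion of the request uri is not local, send it directly
  # to route processing.
  if (!(uri==myself)) {
    route(2);
    break;
  };

  # All REGISTER attempts are processed and must always be authenticated
  if (method=="REGISTER") {

    # make sure that users don't register infinite loops, i.e. a Contact
    # that points back at this server. The pattern has to stay on a single
    # line: a line break inside the string literal becomes part of the regex.
    if (search("^(Contact|m): .*@(216\.94\.106\.12|(hostthe3rd\.)?rivernet\.net)")) {
      log(1, "LOG: alert: someone trying to set aor==contact\n");
      sl_send_reply("476", "No Server Address in Contacts Allowed" );
      break;
    };

    # challenge/response: digest credentials are checked against the
    # "subscriber" table; without valid credentials the request is challenged
    if (!www_authorize("hostthe3rd.rivernet.net", "subscriber")) {
      www_challenge("hostthe3rd.rivernet.net", "0");
      break;
    };

    # only registered users are allowed: the request is refused when the
    # authenticated user is not "replicator" and check_to() fails
    # NOTE(review): "replicator" skips the To check, so whoever holds that
    # account's password can presumably register contacts for any user --
    # confirm the account is needed and give it a strong, separate password.
    if (!is_user("replicator") & !check_to()) {
      log(1, "LOG: unregistered user registration attempt\n");
      sl_send_reply("403", "Only registered users are allowed");
      break;
    };

    # it is an authenticated request, update Contact database now
    if (!save("location")) {
      sl_reply_error();
    };
    break;
  };

  # process traffic local to BigU and the PSTN
  # Find the canonical username
  lookup("aliases");

  # check domain again, if it is not still local after the alias
  # table lookup, just send it on its way. We do not authenticate
  # traffic we forward
  # NOTE(review): this makes the aliases table a trust boundary: any alias
  # that maps to a foreign domain is relayed for every caller without
  # credentials (see route[5]).
  if (!(uri=~"^sip:(.+@)?(216\.94\.106\.12|(hostthe3rd\.)?rivernet\.net)([:;\?].*)?$")) {
    route(5);
    break;
  };

  # now check for destinations through the gateway. 911 and 9911
  # are always sent to the gateway. The assumption is that other all
  # numeric usernames between 5 and 20 digits are really pstn numbers
  # and so they are routed to the gateway
#  if ( (uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*") | (uri=~"sip:[0-9]{5,20}@.*") ) {
#    route(3);
#    break;
#  };

  # does the user wish redirection on no availability? (i.e., is he
  # in the voicemail (ser->grp) group?)
  if (is_user_in("Request-URI", "voicemail")) {
    t_on_failure("4");
    setflag(4);
  };

  # handle local SIP destinations not found in usrloc db

  # mostly offline or non-existent users
  if (!lookup("location")) {
    route(4);
    break;
  };

  # check whether some inventive user has uploaded gateway
  # contacts to usrloc to bypass authorization logic
  # NOTE(review): the pattern has no anchor after the final "1", so it
  # matches every host that starts with 216.94.106.1, including this
  # proxy's own 216.94.106.12. Such requests go to route(3), whose relay is
  # commented out, so they appear to be neither forwarded nor answered.
  if (uri=~"@216\.94\.106\.1([;:].*)*" ) {
    log(1, "LOG: Gateway address in UsrLoc\n");
    route(3);
    break;
  };

  # this flag is used with the acc module to report missed calls
  # to syslog.
  setflag(3);

  # do it (words to live by)
  append_hf("P-hint: USRLOC\r\n");
  if (!t_relay()) {
    sl_reply_error();
    break;
  };

} /* end of initial routing logic */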


# ------------- process traffic leaving BigU for Internet

# route[2]: requests whose request URI is not local (sent here by the
# uri==myself test in the main route). Every path that reaches t_relay() in
# this block has flag 1 set.
route[2] {

  # outbound requests are allowed only for registered BigU users:
  # anything not sent from 216.94.106.12 itself must pass proxy digest
  # authentication against the "subscriber" table
  if (!(src_ip==216.94.106.12) &
    !(proxy_authorize("hostthe3rd.rivernet.net", "subscriber"))) {

    # ACK and CANCEL have no security mechanisms so they are just
    # noted
    # NOTE(review): BYE is exempted together with ACK and is logged with the
    # ACK message. Unlike ACK and CANCEL, a BYE can be challenged, so as
    # written ACK, BYE and CANCEL from any source are relayed to non-local
    # destinations without credentials -- confirm that BYE belongs here.
    if (method=="ACK" | method=="BYE") {
      log(1, "LOG: failed outbound authentication for ACK granted\n");
    } else if (method=="CANCEL") {
      log(1, "LOG: failed outbound authentication for CANCEL granted\n");
    } else {
      # the flag is set before the challenge; processing of this request
      # ends at the break
      setflag(1);
      proxy_challenge("hostthe3rd.rivernet.net", "0");
      break;
    };
  # still inside the outer "if" despite the indentation: reached only for
  # the unauthenticated ACK/BYE/CANCEL cases above
  setflag(1);
  };

  # to maintain credibility of our proxy, we check From in INVITEs
  # NOTE(review): written as !src_ip==... without the parentheses used in
  # the first test of this block -- confirm it is parsed as !(src_ip==...).
  if (!src_ip==216.94.106.12 & method=="INVITE" & !check_from()) {
    log(1, "LOG: Spoofed from attempt\n");
    sl_send_reply("403", "Use From=id next time");
    break;
  };

  append_hf("P-hint: OUTBOUND ON INTERNET\r\n");
  # set again for the paths that skipped the block above (local source or
  # successful authentication)
  setflag(1);
  if (!t_relay()) {
    sl_reply_error();
    break;
  };

}


# ------------- process traffic leaving Internet for PSTN
#
# At this time, I have no external gateway to PSTN
#

# route[3]: requests bound for the PSTN gateway. The only caller left active
# in this file is the "Gateway address in UsrLoc" check in the main route.
# NOTE(review): the rewritehostport()/t_relay() lines at the end are
# commented out, so as far as this block shows a request that arrives here
# is record-routed and possibly flagged, but neither forwarded nor answered.
route[3] {

  # all calls through the gateway must be record routed to assure
  # acl acceptance on the gateway
  record_route();

  # send out emergency calls to pstn gateway immediately
#  if ( (uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*") ) {
#    rewritehostport("10.1.2.5:5060");
#    forward(uri:host, uri:port);
#    break;
#  };

  # five digit numeric addresses are internal freebies sent to the pbx
  # without authentication
#  if (uri=~"^sip:[0-9]{5}@(10.1.2.3|(proxy\,)?\.bigu\.edu)") {
#    rewritehostport("10.1.2.5:5060");
#    forward(uri:host, uri:port);
#    break;
#  };

  # all numeric addresses beginning with 9 go to the pbx on the way
  # to the PSTN

  # first the caller needs to be authenticated
  # NOTE(review): the dots in 216.94.106.12 are not escaped in this pattern
  # (they are in the main route), so each one matches any character.
  if (uri=~"^sip:9[0-9]*@(216.94.106.12|(hostthe3rd\.)?rivernet\.net)") {
    # requests from the proxy's own address and all ACK, CANCEL and BYE
    # requests skip authentication
    # NOTE(review): ACK is unquoted here while the other method names are
    # quoted -- confirm both forms compare the same way. BYE can carry
    # credentials, so exempting it is a policy choice rather than a protocol
    # necessity.
    if (!(src_ip==216.94.106.12 | method==ACK | method=="CANCEL" |
method=="BYE")) {
      if (!proxy_authorize("hostthe3rd.rivernet.net", "subscriber")) {
        proxy_challenge( "hostthe3rd.rivernet.net","0");
        break;
      } else if (method=="INVITE" & !check_from()) {
        # authenticated, but the From header does not match the credentials
        log(1, "LOG: Spoofed from attempt\n");
        sl_send_reply("403", "Use From=id next time");
        break;
      };
    };

#    if (method=="INVITE") {

      # if the r-uri begins 91, does the authenticated user have
      # permission for long distance
#      if (uri=~"sip:91[0-9]*@.*") {
#        if (!is_user_in("credentials", "ld")) {
#          sl_send_reply("403", "Local calls only");
#          break;
#        };
#      };
#    };

    # authenticated and authorized, now accounting is set
    setflag(1);
  };

#  rewritehostport("10.1.2.5:5060");
#  append_hf("P-hint: GATEWAY\r\n");
#  if (!t_relay()) {
#    sl_reply_error();
#    break;
#  };
}


# ------------- process calls for users offline

# route[4]: called from the main route when lookup("location") finds no
# contact; answers the request with 404.
route[4] {

  # create the transaction that the t_reply() below answers
  # NOTE(review): there is no break after sl_reply_error(), so t_reply() is
  # still attempted when t_newtran() has failed -- confirm that is intended.
  if (!t_newtran()) {
    sl_reply_error();
  };

  if (!t_reply("404", "Not Found")) {
    sl_reply_error();
  };
  break;
}


# ------------- process aliased outbound traffic
# inbound requests that have been aliased to a non-BigU domain
# are not authenticated by BigU

# route[5]: called from the main route when the request URI is no longer
# local after lookup("aliases"). The request is tagged and relayed with no
# authentication step and no accounting flag.
# NOTE(review): because nothing is checked here, whoever can write to the
# aliases table decides which foreign destinations this proxy will relay to
# for any caller -- keep write access to that table restricted.
route[5] {

  append_hf("P-hint: ALIASED-OUTBOUND\r\n");
  if (!t_relay()) {
    sl_reply_error();
    break;
  };
}


# ------------- CC-Diversion to voicemail
#
# I have SEMS installed on the machine, just don't have the integration code
# in the cfg yet
#

# failure_route[4]: armed by t_on_failure("4") in the main route for users in
# the "voicemail" group.
# NOTE(review): append_branch() and t_relay() are commented out, so only the
# CC-Diversion header is appended here and no new branch appears to be sent.
failure_route[4] {

#  append_branch("sip:80000@216.94.106.12");
  append_urihf("CC-Diversion: ", "\r\n");
#  append_hf("P-hint: OFFLINE-VOICEMAIL\r\n");
#  t_relay();
}



