[serusers]: trusted table(permissions module)

Nils Ohlmeier nils at iptel.org
Mon Nov 6 08:22:51 CET 2006 

Hi Kamal,

take a look at the Warning header in the 407: it tells you that the INVITE was 
relayed to your server again (in a loop) and in the second round your script 
replies with 407 (because this time it is not comming from the GW any more).

  Nils

On Monday 06 November 2006 06:46, Kamal.Mann at t-systems.com wrote:
> Hi Andrey
> Please find ethereal packet capture enclosed. SER n/w dump is 'SER_SERVER'
> and SIP_AS n/w dump is 'SAS_SERVER'. SER IP = 10.25.119.155
> SIP AS IP = 10.25.119.156
> To URI is registered at SER end (dilip)
>
> >From URI is Application Name (example) and neither created nor registered
> > (WakeUpService) with SER.
>
> Thanks in anticipation
> Kamal Mann
>
> -----Original Message-----
> From: serusers-bounces at lists.iptel.org
> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Andrey Kuprianov
> Sent: Monday, November 06, 2006 11:04 AM
> To: serusers at iptel.org
> Subject: Re: [serusers]: trusted table(permissions module)
>
>   Hi Kamal,
>
> Please (!), do network dump and send it here. Use tcpdump, ngrep,
> Ethereal, anything to catch your network traffic on port 5060.
>
>    Waiting for your traces,
>
>     Andrey.
>
> On 11/6/06, Kamal.Mann at t-systems.com <Kamal.Mann at t-systems.com> wrote:
> > Hi Andrey,
> > Yes you are right it not bypassing that part of code (route [3]).But why
> > it is so? Its not trusting SIP AS IP! I had recompiled permissions module
> > but still the same response!!
> >
> > Regards
> > Kamal Mann
> > -----Original Message-----
> > From: serusers-bounces at lists.iptel.org
> > [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Andrey Kuprianov
> > Sent: Saturday, November 04, 2006 6:20 PM
> > To: serusers at iptel.org
> > Subject: Re: [serusers]: trusted table(permissions module)
> >
> > Hi Kamal,
> >
> > Really, there are only 2 places in your ser.cfg, where proxy_authorize
> > is called. One is inside route[3] block, and one, which is commented
> > out is inside the main route block. Since, one proxy_authorize is
> > commented out, this leaves the only a single proxy_authorize - the one
> > inside route[3] block. Now... In your previous mail you said,
> > "allow_trusted results 'true' and it directly bypasses this code."
> > This means only one thing - there are *no more* proxy_authorize left
> > to call...
> >
> > You also said "But after in route(1) its sending 407-proxy auth
> > required to trusted ip of sip_AS". That is impossible. Your route[1]
> > block cannot and does not send 407 response. There's simply no
> > proxy_authorize code in there and SER does not do it automatically!
> >
> > I have several ideas (some of them were already presented in previous
> > mails):
> >
> > 1. Something else (not SER) is sending 407 response. Catch network
> > traffic (i.e. traces) and send them here to the list. Do it on both
> > sides, SER and SIP-AS. This is critical.
> > 2. Your SER is using some other configuration file (it's my best guess
> > now), not the one that you've sent. Please, check thoroughly on this
> > issue.
> > 3. Do a fresh start with your configuration file. You will lose 1
> > (maximum 2) hours, but at least it's gonna work.
> >
> > I really wish you best of luck on this one, man!
> >
> >  Andrey.
> >
> > On 11/4/06, Kamal.Mann at t-systems.com <Kamal.Mann at t-systems.com> wrote:
> > > Hi All
> > > In current scenario when a sip invite message comes to SER from my
> > > SIP_AS; SER take this massage trusted (as I defined in trusted table)
> > > but after this in my INVITE route(3) it sends it to route(1) default
> > > message handler. I am enclosing my ser.cfg; please take a glance on it.
> > >
> > > Thanks in anticipation
> > > Kamal Mann
> > > -----Original Message-----
> > > From: John Shellhouse [mailto:jwshel at hotmail.com]
> > > Sent: Friday, November 03, 2006 9:17 PM
> > > To: Mann, Kamal
> > > Subject: RE: [serusers]: trusted table(permissions module)
> > >
> > > Hi,
> > >
> > > you've already tried something more filled in like this...
> > >
> > >
> > > if (!proxy_authorize("somedomain.com","subscriber")) {
> > > proxy_challenge("somedomain.com","0");
> > > break;
> > > } else if (method == "INVITE" & !check_from()) {
> > > log("from!=digest\n");
> > > sl_send_reply("403", "Use From=ID");
> > >
> > > break;
> > > };
> > > consume_credentials();
> > >
> > > T
> > >
> > > >From: <Kamal.Mann at t-systems.com>
> > > >To: <andrey.kouprianov at gmail.com>, <serusers at iptel.org>
> > > >Subject: RE: [serusers]: trusted table(permissions module)
> > > >Date: Fri, 3 Nov 2006 15:40:26 +0100
> > > >
> > > >Hi All
> > > >Now SER is trusting packates from trusted table IP and in the
> > > > following part of route(3) of Invite message handler allow_trusted
> > > > results 'true' and it directly bypasses this code.
> > > >if (!allow_trusted())
> > > >{
> > > >       if (!proxy_authorize("","subscriber"))
> > > >       {
> > > >               proxy_challenge("","0");
> > > >               break;
> > > >       }
> > > >       else if (!check_from())
> > > >       {
> > > >               sl_send_reply("403", "Use From=ID");
> > > >               break;
> > > >       };
> > > >       consume_credentials();
> > > >};
> > > >But after in route(1) its sending 407-proxy auth required to trusted
> > > > ip of sip_AS. Please help me out of this dilemma.
> > > >
> > > >Thanks in anticipation
> > > >Kamal Mann
> > > >
> > > >-----Original Message-----
> > > >From: serusers-bounces at lists.iptel.org
> > > >[mailto:serusers-bounces at lists.iptel.org] On Behalf Of Andrey
> > > > Kuprianov Sent: Thursday, November 02, 2006 1:13 PM
> > > >To: serusers at iptel.org
> > > >Subject: Re: [serusers]: trusted table(permissions module)
> > > >
> > > >The one you attached, didnt have a semicolon. Anyway, try using a
> > > >fresh copy of a ready made ser.cfg.
> > > >
> > > >   Bests,
> > > >
> > > >    Andrey.
> > > >
> > > >On 11/2/06, Kamal.Mann at t-systems.com <Kamal.Mann at t-systems.com> wrote:
> > > > > Yup I always do the same, Might be copy paste error. Its having
> > > >
> > > >semicolon & working fine here.
> > > >
> > > > > Regards
> > > > > Kamal Mann
> > > > >
> > > > > -----Original Message-----
> > > > > From: Andrey Kuprianov [mailto:andrey.kouprianov at gmail.com]
> > > > > Sent: Thursday, November 02, 2006 10:34 AM
> > > > > To: serusers at iptel.org
> > > > > Subject: Re: [serusers]: trusted table(permissions module)
> > > > >
> > > > > Hi Kamal,
> > > > >
> > > > > Whenever you modified your ser.cfg did you restart SER after? Did
> > > > > you check your ser.cfg for errors using "ser -c" command? I found
> > > > > some errors in your ser.cfg code. For instance, inside the main
> > > > > route block, your "if", which processes INVITEs, is missing a
> > > > > semicolon at the end of the block.
> > > > >
> > > > > if (method=="INVITE")
> > > > > {
> > > > > #       sl_send_reply("404", "INVITE  ");
> > > > >        route(3);
> > > > >                break;
> > > > > }   <----- missing semicolon here
> > > > >
> > > > >
> > > > > If you are comfortable with your current ser.cfg, that's ok, but
> > > > > I'd suggest you start with a fresh one, make your trusted table
> > > > > work, and then add a "REFER" processing, like in your currect
> > > > > ser.cfg. Just download one fresh ser.cfg from iptel.org site and
> > > > > add your allow_trusted() "if" clause there.
> > > > >
> > > > >  Regards,
> > > > >
> > > > >    Andrey.
> > > > >
> > > > > On 11/2/06, Kamal.Mann at t-systems.com <Kamal.Mann at t-systems.com> 
wrote:
> > > > > > Hi
> > > > > > Please find ser.cfg enclosed.
> > > > > >
> > > > > > Trusted table entry:
> > > > > > +---------------+-------+--------------+
> > > > > >
> > > > > > | src_ip        | proto | from_pattern |
> > > > > >
> > > > > > +---------------+-------+--------------+
> > > > > >
> > > > > > | 10.25.119.156 | any   | ^sip:.*$     |
> > > > > >
> > > > > > +---------------+-------+--------------+
> > > > > > 1 row in set (0.00 sec)
> > > > > >
> > > > > > Thanks in anticipation
> > > > > > Kamal Mann
> > > > > > -----Original Message-----
> > > > > > From: serusers-bounces at lists.iptel.org
> > > >
> > > >[mailto:serusers-bounces at lists.iptel.org] On Behalf Of Andrey
> > > > Kuprianov
> > > >
> > > > > > Sent: Wednesday, November 01, 2006 7:03 PM
> > > > > > To: serusers at iptel.org
> > > > > > Subject: Re: [serusers]: trusted table(permissions module)
> > > > > >
> > > > > >  Hi Kamal,
> > > > > >
> > > > > > I understand your setup. Nevertheless, it will be difficult to
> > > > > > figure out your problem, w/o your ser.cfg file at hand. Also,
> > > > > > send a trusted table query result (i.e. that row which contains
> > > > > > entry for your SIP-AS).
> > > > > >
> > > > > >   Regards,
> > > > > >
> > > > > >     Andrey.
> > > > > >
> > > > > > On 11/1/06, Kamal.Mann at t-systems.com <Kamal.Mann at t-systems.com> 
wrote:
> > > > > > > Hi All
> > > > > > > In my scenario I need ser to communicate with my SIP-AS. This
> > > > > > > SIP-AS
> > > >
> > > >is having an application xyz running on it. This XYZ sends an invite
> > > > to URI "A at xcv.de" which is a subscriber in SER and this is in TO
> > > > header of Invite msg & FROM header contains another URI test at xcv.de
> > > > but this URI (test at xcv.de) isn't registered / subscribed to SER. I
> > > > need SER trust all packets from SIP-AS ip. BUT SER is sending 407
> > > > reply of INVITE to XYZ application! IP in trusted table is of SIP-AS
> > > > on top of which XYZ application is running.
> > > >
> > > > > > > Thanks in anticipation
> > > > > > > Kamal Mann
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Maciej ¯wirski [mailto:mzwirek at poczta.fm]
> > > > > > > Sent: Wednesday, November 01, 2006 3:20 PM
> > > > > > > To: serusers at lists.iptel.org
> > > > > > > Subject: Re: [serusers]: trusted table(permissions module)
> > > > > > >
> > > > > > > Kamal.Mann at t-systems.com wrote:
> > > > > > > > Hi All
> > > > > > > >
> > > > > > > > I made an entry /"10.25.119.156, any, ^sip:.*$"/ into trusted
> > > >
> > > >table so
> > > >
> > > > > > > > that any packet sent from 10.25.119.156 would be trusted by
> > > > > > > > SER
> > > >
> > > >and
> > > >
> > > > > > > > don't ask for its credentials. But SER is replying *407-
> > > > > > > > proxy*
> > > >
> > > >auth
> > > >
> > > > > > > > needed!!  After this I tried with permissions.allow file:
> > > > > > >
> > > > > > > Hi,
> > > > > > > I had the same issue while interconnecting SER and Asterisk. It
> > > >
> > > >turned
> > > >
> > > > > > > out to be an issue on Asterisk side (I had the same user added
> > > > > > > for
> > > >
> > > >SER
> > > >
> > > > > > > and Asterisk, so the poor thing couldn't authorize either :))
> > > > > > > So you could check if the 407 you're getting is from SER or
> > > > > > > from the remote
> > > >
> > > >host.
> > > >
> > > > > > > Regards,
> > > > > > > Maciej Zwirski
> > > >
> > > >----------------------------------------------------------------------
> > > >
> > > > > > > Jestes kierowca? To poczytaj! >>> http://link.interia.pl/f199e
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Serusers mailing list
> > > > > > > Serusers at lists.iptel.org
> > > > > > > http://lists.iptel.org/mailman/listinfo/serusers
> > > > > > > _______________________________________________
> > > > > > > Serusers mailing list
> > > > > > > Serusers at lists.iptel.org
> > > > > > > http://lists.iptel.org/mailman/listinfo/serusers
> > > >
> > > >_______________________________________________
> > > >Serusers mailing list
> > > >Serusers at lists.iptel.org
> > > >http://lists.iptel.org/mailman/listinfo/serusers
> > >
> > > _________________________________________________________________
> > > Get FREE company branded e-mail accounts and business Web site from
> > > Microsoft Office Live
> > > http://clk.atdmt.com/MRT/go/mcrssaub0050001411mrt/direct/01/
> > >
> > >
> > > _______________________________________________
> > > Serusers mailing list
> > > Serusers at lists.iptel.org
> > > http://lists.iptel.org/mailman/listinfo/serusers
> >
> > _______________________________________________
> > Serusers mailing list
> > Serusers at lists.iptel.org
> > http://lists.iptel.org/mailman/listinfo/serusers
>
> _______________________________________________
> Serusers mailing list
> Serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers

More information about the sr-users mailing list