[SR-Users] Forcing a TCP Connection Closed?

Mark Boyce mark at darkorigins.com
Mon Oct 9 12:17:03 CEST 2017


Hi Daniel, 

Thanks, I see tcpops lets us set the lifetime … although it’s not really the length of the lifetime that concerns me. 

I guess I’m thinking more a SIP TCP Firewall type of system. If someone is scanning/DDoS/etc I don’t think we should be sending a response at all, unless there’s something I’ve missed? We could just use fail2ban but that would mean spawning an executable or writing each attempt to logs.

Maybe I’m doing things the wrong way round but I can’t help feeling that letting Kamailio see the attempts and log stats, sources, etc is more useful than an iptables drop?

Cheers,
Mark


> On 9 Oct 2017, at 10:51, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> 
> Hello,
> 
> tcpops module offers a function to set the lifetime of a tcp connection,
> so you can set it to 1 second:
> 
>   - https://www.kamailio.org/docs/modules/stable/modules/tcpops.html
> 
> Core offers a function to instruct closing the connection once a reply
> has been sent, but it seems you don't want to send anything back.
> 
> Cheers,
> Daniel
> 
> 
> On 08.10.17 22:11, Mark Boyce wrote:
>> Hi all
>> 
>> Just working on some connections security filters on a Kamailio install.   The security goes something like this;
>> 
>> In REQINT … if source_ip  is not in customers IP white-list then just exit
>> 
>> This works fine for UDP where packets are just ignored if they don’t come from a trusted IP.
>> 
>> However on TCP this leads to the connection staying open until it either times out or the source disconnects.   Which feels untidy.
>> 
>> Is there a way to say close the TCP connection from within the config script?
>> 
>> Thanks
>> 
>> Mark
> 
> -- 
> Daniel-Constantin Mierla
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio Advanced Training - www.asipto.com
> Kamailio World Conference - www.kamailioworld.com
> 
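
The approach discussed in this thread, sketched as an added Kamailio configuration fragment (not code posted by either participant): untrusted sources get no reply, the attempt is logged from within Kamailio, and on TCP the connection lifetime is cut to 1 second with tcpops. It assumes the permissions module is already configured with the customer addresses in address group 1 (the group id and the route layout are assumptions), and the quoted arguments may need to be plain integers on newer Kamailio versions.

```cfg
# Added example, not from the original thread.
# Assumption: permissions is already set up (db_url / address table) and the
# customer white-list lives in address group 1.
loadmodule "xlog.so"
loadmodule "permissions.so"
loadmodule "tcpops.so"

request_route {
    route(REQINIT);
    # ... normal request handling continues here ...
}

route[REQINIT] {
    if (!allow_source_address("1")) {
        # Keep visibility inside Kamailio: source address, port, transport, method.
        xlog("L_WARN", "untrusted source $si:$sp ($proto) method=$rm, no reply sent\n");

        if (proto == TCP || proto == TLS) {
            # tcpops: set the lifetime of the current connection to 1 second,
            # so it does not linger until the default timeout.
            tcp_set_connection_lifetime("1");
        }

        # No reply is generated; on UDP the packet is simply ignored.
        exit;
    }
}
```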



