I can't prevent pjsip extension register from outside

mtc · July 28, 2023, 7:52am

The server on cloud.
Even the “Match (Permit)” is empty (on the specific extension I connected), I can register from my home.
I try also, put there some Address (not my), I still can register.

So how prevent connect from outside?

jcolp · July 28, 2023, 8:19am

That’s a FreePBX option. You would be better served on the FreePBX forum at https://community.freepbx.org/ as it is what configures Asterisk. From an Asterisk level there are ACLs to prevent such things, but how that works in FreePBX I don’t know.

mtc · July 28, 2023, 11:25am

I supposed that is Asterisk setting:
The “Match (Permit)” of FreePBX setting write down into:
pjsip.identify.conf
[249-identify]
type=identify
endpoint=249
match=XX.XX.XX/32

That include on my machine by pjsip.conf.

jcolp · July 28, 2023, 11:26am

That’s for matching incoming traffic based on IP address. It’s not an ACL.

mtc · July 28, 2023, 2:01pm

According some posts, by the default asterisk not permit register from outside. unless ‘Match’ field for specific extension contain the permit IP’s string. I’m wrong?
(By the way on my machine I not found any ACL settings in asterisks conf files)

jcolp · July 28, 2023, 2:03pm

Within Asterisk, that is an incorrect and wrong statement. There is no requirement as such.

Pooh · July 28, 2023, 2:23pm

“According some posts”

Please give us a pointer to them.

Antony.

david551 · July 28, 2023, 2:31pm

Is it possible that FreePBX overloads that setting and uses it as ACL for what it calls extensions. If it doesn’t, given that it only supports inbound registration for “extensions” I wouldn’t expect the option to be available, at all.

In any case, that is a good reason to ask on the FreePBX forum, not here, as people here don’t know how FreePBX translates those settings into Asterisk .conf files.

mtc · July 29, 2023, 9:37pm

A:
“According some posts” like:

B:
I try google: asterisk extension acl
I not found anything.
So what is ACL you talking about?

C:
“as people here don’t know how FreePBX translates those settings into Asterisk .conf files.”
It’s written as:

david551 · July 29, 2023, 10:35pm

Asterisk extensions are directory numbers; they don’t have IP address associated with them, so ACL makes no sense. Asterisk does not use “extension” in the way that FreePBX uses it. It is not surprising that your search failed.

“asterisk pjsip acl” led me to:

github.com

asterisk/asterisk/blob/5c4cbeff8750424b983a4a11110a2c8bd074b658/configs/samples/pjsip.conf.sample#L46-L51


      
          ; Access Control Lists
          ;
          ; See the example ACL configuration in this file. Read the configuration help
          ; for the section and all of its options. Look over the samples in acl.conf
          ; and documentation at https://wiki.asterisk.org/wiki/x/uA80AQ
          ; If possible, restrict access to only networks and addresses you trust.

github.com

asterisk/asterisk/blob/5c4cbeff8750424b983a4a11110a2c8bd074b658/configs/samples/pjsip.conf.sample#L410-L458


      
          ;============EXAMPLE ACL CONFIGURATION==========================================
          ;
          ; The ACL or Access Control List section defines a set of permissions to permit
          ; or deny access to various address or addresses. Alternatively it references an
          ; ACL configuration already set in acl.conf.
          ;
          ; The ACL configuration is independent of individual endpoint configuration and
          ; operates on all inbound SIP communication using res_pjsip.
          
          ; Reference an ACL defined in acl.conf.
          ;
          ;[acl]
          ;type=acl
          ;acl=example_named_acl1
          
          ; Reference a contactacl specifically.
          ;
          ;[acl]
          ;type=acl
          ;contact_acl=example_contact_acl1

This file has been truncated. show original

which should probably have been the first place to look, anyway.

david551 · July 30, 2023, 12:35am

Unless it also sets identify_by, that’s not a sensible thing to do. If you know the /32 address, you should not be using registration at all, but FreePBX assumes that all of what it call extensions register.

Without identify_by being overridden, this represents an alternative way of identifying it. The correct From user name will still always be accepted.

Without its using contact rather than max_contacts, it also means the outbound IP address is learned from the registration, but the inbound address is fixed.

FreePBX should not be allowing you to enter anything for “extensions”, unless it supports static addresses, as well as registration, as any other use case would be weird. I think someone didn’t test this properly.

I wonder if FreePBX sets identify_by when creating outbound, or no registration, in FreePBX terms, trunks.

mtc · July 30, 2023, 1:21pm

I not sure what the diff between freePBX and Asterisk. the all field based on asterisk.

I found explain for identity hear:
https://wiki.asterisk.org/wiki/display/AST/PJSIP+Configuration+Sections+and+Relationships

I think, when have user name, Asterisk ignore IP on Match field. did it correct?

On regular sip, have deny/permit. and it work even we supply user. the pjsip have another approach.

Pooh · July 30, 2023, 2:09pm

The difference between FreePBX and Asterisk is the difference between a jet
engine you can buy from Pratt & Whitney, and a Boeing 747.

The engine is an essential part of an aeroplane, but you can’t fly it on its
own.

An aeroplane is a lot more complex than just the engine, and just because you
learn to fly one type doesn’t automatically mean another type from a different
manufacturer works the same.

Asterisk is the engine. It does SIP (and other protocols) and has all sorts
of functions which can be used to create a PBX, but until someone puts them
together in a particular way, it doesn’t let you make phone calls.

FreePBX is one way of combining a dialplan, a graphical interface, and a whole
load of other software, together with Asterisk, to make a fully working PBX
which can be managed (to a reasonable extent) by a non-techie.

In the same way as you wouldn’t go to Pratt & Whitney to ask how to put the
flaps down in a Boeing 747, it’s not ideal asking here on the Asterisk list
about how to make things work in FreePBX.

FreePBX has its own forums and support mechanisms. You should start from
https://community.freepbx.org/ and you’ll find people there who know the whole
system, not just one small but vital part of it.

Antony.

david551 · July 30, 2023, 2:12pm

Asterisk is a toolkit for creating telephony applications, which is configured by text files (and, less well supported, and not for all features, by database analogues of those text files).

FreePBX is an application of Asterisk limited to single tenant PABX use, with a web based GUI, and which works by supplying canned configurations and configurations generated from its own database, that control Asterisk.

It does not provide full access to Asterisk and it uses terminology which is not used by Asterisk.

As I understand it, features of the call are tried, in an order that is configurable, against endpoints and type=identify sections. They can only match if they are included in the identify_by section for the endpoint.

I think the default, for chan_pjsip, is to prefer a match by IP, but if the IP doesn’t match, it will still match by name. It’s an OR condition, not an AND one.

mtc · July 31, 2023, 8:53am

So anyway, the pjsip in contrast of sip, work or by ip or by user&pass.
Thanks for all answers.

david551 · July 31, 2023, 11:49am

It’s more complex than that. chan_sip can also match by both, although not the way that FreePBX uses it for “extensions”.

system · August 30, 2023, 11:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.