Permit/deny not working

I have an account with callcentric and they require “allowguest=yes” in order to work right. So I decided to add the lines:

deny=0.0.0.0/0.0.0.0 ; allow connections only from callcentric
permit=204.11.192.0/24
permit=66.193.176.0/24

To my callcentric peer in sip.conf. Other than that, it's configured exactly as callcentric requires on their web page. The idea here was that it would allow guest access, but only from callcentric servers. The problem is that the deny/permit lines above don't do anything. I made an unregistered direct SIP call from my softphone and it went through just fine. The softphone IP is something like 192.168… so it should have refused it. Yet, there it is.

My assumption is that the deny line above blocks all IPs and the two permits let in just those groups. But it's not working.

Also in the peer is the line:
insecure=port,invite

Is this a secret code that means “ignore permit/deny lines”?

They restrict access to the callcentric peer, but you are not using that for inbound calls. If you use allowguest, you need to set the restrictions in your firewall.

I’m pretty new to asterisk. So you are saying that putting the permit/deny in the peer section of sip.conf is blocking outgoing rather than incoming calls? Where is the correct place to put those statements to restrict guest access to only callcentric?

If I restrict sip access to the server at the firewall, then nobody but callcentric will be able to call me. I want to have access from anywhere because I frequently use my smartphone from random hot spots.

Is there a way to have asterisk listen on multiple ports? That way I could stick callcentric on another port and firewall that while still allowing others to come in as registered users on 5060.

The reason callcentric needs guest access is because the IP you register on is usually different from the IP that they use when a call comes in. Because it's a different IP that hasn't been registered, it gets rejected.

They affect incoming calls that match the peer (or user) entry. As guest calls don’t match, they don’t get filtered.

Your safest approach is probably to create a peer entry for every possible address that callcentric use. They should not be advising the use of allowguest without providing warnings about its use. If you use allowguest without a firewall you will get large numbers of toll fraud attempts, so your dialplan had better be robust.
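The per-address approach described in the reply above, worked through as an added example (this is not configuration from the thread or from the provider; it is chan_sip syntax for sip.conf and extensions.conf). The two address ranges are the ones quoted earlier in the thread; the individual host addresses, the template and context names, and the extension patterns are placeholders I chose for illustration and must be replaced with the provider's real host list and your own dialplan:

```ini
; ---- sip.conf (added example, chan_sip) ----

[general]
; Guest access is switched off: an INVITE whose source IP matches no peer is
; rejected instead of landing in a default context.
allowguest=no
; Hypothetical dead-end context, used only if something still reaches [general].
context=dead-end

; Template (the "(!)" marks it as such) shared by every Callcentric inbound peer.
; Because these peers are matched on source IP, the INVITE hits the peer and
; therefore the peer's permit/deny lines, which never happens for a guest call.
[callcentric-in](!)
type=peer
context=from-callcentric      ; inbound-only context, see extensions.conf below
insecure=port,invite          ; accept their INVITEs without a challenge, ignore source port
deny=0.0.0.0/0.0.0.0
permit=204.11.192.0/24        ; ranges as quoted in the thread
permit=66.193.176.0/24
qualify=no

; One peer per host that actually delivers calls. chan_sip's host= takes a
; single address, not a range, so there is one entry per address.
; The addresses below are placeholders (assumption), not the provider's list.
[cc-in-1](callcentric-in)
host=204.11.192.10

[cc-in-2](callcentric-in)
host=66.193.176.20

; The registering peer used for outbound calls stays exactly as the provider
; documents it; only allowguest has been removed from the picture.

; ---- extensions.conf (added example) ----

; Calls from the Callcentric peers may only reach inbound handling, never a
; trunk. "internal" and the DID pattern are hypothetical.
[from-callcentric]
exten => _X.,1,NoOp(Inbound call from Callcentric for ${EXTEN})
 same => n,Goto(internal,${EXTEN},1)
 same => n,Hangup()

; Anything that lands in the default context is hung up immediately, so even
; a guessed dialplan pattern cannot place an outbound call.
[dead-end]
exten => _X.,1,Hangup()
exten => s,1,Hangup()
```

The point of the layout is the matching order chan_sip applies to an inbound INVITE: source address is compared against peers first, and only a matched peer's deny/permit lines are consulted; with allowguest=no there is no fallback path for an unmatched address, so a softphone on an unregistered IP is refused while the listed provider hosts are still accepted. Registered softphones keep working because registration creates the peer match that guest calls lack. If the provider adds a delivering host, a new two-line peer entry is all that is needed.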

So would it be possible to put asterisk on port 5061 and then register=> callcentric to 5060?

Then I might be able to use iptables to filter on callcentric's IPs so that only callcentric can use 5060 and then port forward 5060 to 5061 after it's done its filtering?

If that is true, then I could put the real asterisk port on 5061 or anywhere. That makes it harder for hackers to find.

Does that sound feasible?

this is very insecure!!!

If you use allowguest=yes and also want to register your softphone from anywhere then you will be hacked in a few days, I think. It's only a matter of guessing the dialplan.

Yes, very true. But the real question is how do I make it all work without getting hacked?