SOLVED: PJSIP: Access control on endpoints (~bind endpoints to transports with acl)

I have transport=… in my endpoint, but it’s available via other transports which are not referenced as well. How do I bind an endpoint to transport(s)?

Not sure if I understand you correctly but you define a transport in pjsip.conf in a section, and in another section you define your endpoint to use that transport.
E.g.:
[6001]
type=endpoint
context=default
disallow=all
allow=ulaw
transport=simpletrans
auth=auth6001
aors=6001

[simpletrans]
type=transport
protocol=udp
bind=0.0.0.0

Exactly and if you add:

[6002]
type=endpoint
context=default
disallow=all
allow=ulaw
transport=advancedtrans
auth=auth6002
aors=6002

[advancedtrans]
type=transport
protocol=udp
bind=0.0.0.0:5069

6002 is available at simpletrans and 6001 is available at advancedtrans.

Ok. But what was your question then?

Not sure if that’s a valid config.
Wiki examples show bind ports defined as 0.0.0.0:5069

So why is 6002 available at simpletrans? It should be only at advancedtrans.
It doesn’t matter which transport is set, the endpoint is available via all transports.

What makes you think it is? You have defined it as advancedtrans.
Do a pjsip show endpoint 6002 on the CLI and it will tell you what transport it is using.

I have two transports on one IP address and on different ports. My endpoints can be reached at both although each has only one transport= line!

I don’t have to add the transport= line, my endpoints are reachable at every transport! Strange!
If I try to use a non-existent transport no error occurs. These lines are ignored!

What do you mean by “available at”? I’ve reread your post a few times and am still confused over exactly what the problem is. You need to be more detailed and specific over what you are expecting to happen.

The “transport” option on endpoints and other things configure PJSIP to use that specific transport for contacting a device. It doesn’t control whether a device can use that transport or not for incoming traffic, if that’s what you mean.

That’s what I meant. Is it possible to do that another way?
My ITSP should not be able to register as one of my Asterisk users.

We provide endpoint matching and based on endpoint configuration (the configured AORs) what they can register as is limited. The order that endpoint matching occurs is also configurable (so IP can have priority). You can also set an ACL (IP based allow/deny) on endpoints to restrict them.

If your ITSP is somehow registering as a user you’ll need to show the traffic and configuration to provide insight into why.

Can you give me an example?

My argument was purely theoretical.

We provide configuration examples on the wiki[1] which includes for an ITSP. For ACLs there are some examples in the sample file[2].

[1] https://wiki.asterisk.org/wiki/display/AST/res_pjsip+Configuration+Examples
[2] https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample#L392

These ACLs are not linked to endpoints. Is an endpoint-based ACL possible?

Yes, they can be specified on endpoints[1].

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Configuration_res_pjsip#Asterisk13Configuration_res_pjsip-endpoint_acl
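Putting the advice from this thread together, the following pjsip.conf fragment is an added example (not posted in the thread and not taken from the Asterisk sample files). It shows the three controls mentioned above: endpoint identification order in the global section, an IP-based identify section so the ITSP is matched by source address rather than by username, and the endpoint-level deny/permit (plus contact_deny/contact_permit for the Contact header of REGISTER) that restricts which addresses may use a local user. The endpoint names, the 192.0.2.0/24 LAN, the 203.0.113.10 trunk address and sip.example.net are placeholders; the transport= option is kept only to show that it selects the outbound transport and does nothing to restrict inbound traffic.

```ini
; pjsip.conf -- added example, placeholder addresses and names throughout

[global]
type=global
; Identify endpoints by source IP before falling back to the From username,
; so a request from the trunk address can never be taken for a local user.
endpoint_identifier_order=ip,username

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

; ---- Local phone: may only talk to Asterisk from the office LAN (assumed 192.0.2.0/24) ----
[6001]
type=endpoint
context=internal
disallow=all
allow=ulaw
transport=transport-udp          ; outbound transport only; does not limit inbound
auth=auth6001
aors=6001
; Endpoint ACL: rules are evaluated in order, so deny everything first, then permit the LAN.
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/24
; Same rule applied to the address in the Contact header of a REGISTER.
contact_deny=0.0.0.0/0.0.0.0
contact_permit=192.0.2.0/24
; Alternatively reference a named ACL from acl.conf:
; acl=office_lan

[auth6001]
type=auth
auth_type=userpass
username=6001
password=change-me               ; placeholder

[6001]
type=aor
max_contacts=1

; ---- ITSP trunk: matched by source IP only, no auth section, so it cannot register as a user ----
[itsp]
type=endpoint
context=from-itsp
disallow=all
allow=ulaw
aors=itsp

[itsp]
type=aor
contact=sip:sip.example.net:5060 ; assumed ITSP hostname

[itsp]
type=identify
endpoint=itsp
match=203.0.113.10               ; assumed ITSP source address
```

After `pjsip reload`, a REGISTER or INVITE for 6001 arriving from an address outside 192.0.2.0/24 is rejected by the endpoint ACL, and traffic from 203.0.113.10 is matched to the itsp endpoint by the identify section before username matching is ever tried. `pjsip show endpoint 6001` and `pjsip show identifies` can be used on the CLI to confirm the loaded configuration.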

I’m sorry, obviously I’ve overlooked the option. Thanks, you’re doing a good job @jcolp!