
allow trusted IPs to bypass all checks

3.17
karl anderson 12 years ago
parent
commit
cf1c8b19da
7 changed files with 23 additions and 24 deletions
  1. +6
    -3
      kamailio/default.cfg
  2. +1
    -17
      kamailio/dispatcher-role.cfg
  3. +1
    -1
      kamailio/kamailio.cfg
  4. +1
    -1
      kamailio/local.cfg
  5. +1
    -1
      kamailio/nat-traversal-role.cfg
  6. +1
    -1
      kamailio/presence-role.cfg
  7. +12
    -0
      kamailio/registrar-role.cfg

+ 6
- 3
kamailio/default.cfg

@ -22,7 +22,8 @@ flags
FLAG_INTERNALLY_SOURCED: 1, FLAG_INTERNALLY_SOURCED: 1,
FLAG_ASSOCIATE_SERVER: 2, FLAG_ASSOCIATE_SERVER: 2,
FLAG_SKIP_NAT_CORRECTION: 3, FLAG_SKIP_NAT_CORRECTION: 3,
FLAG_ASSOCIATE_USER: 4;
FLAG_ASSOCIATE_USER: 4,
FLAG_TRUSTED_SOURCE: 5;
#!define FLB_NATB 1 #!define FLB_NATB 1
#!define FLB_NATSIPPING 2 #!define FLB_NATSIPPING 2
@ -274,7 +275,8 @@ route[HANDLE_OPTIONS]
if (is_method("OPTIONS")) { if (is_method("OPTIONS")) {
if (isflagset(FLAG_INTERNALLY_SOURCED)) { if (isflagset(FLAG_INTERNALLY_SOURCED)) {
route(INTERNAL_TO_EXTERNAL_RELAY); route(INTERNAL_TO_EXTERNAL_RELAY);
} else if ($rd =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
} else if (!isflagset(FLAG_TRUSTED_SOURCE)
&& $rd =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
xlog("L_WARN", "$ci|end|dropping OPTIONS request with IP domain"); xlog("L_WARN", "$ci|end|dropping OPTIONS request with IP domain");
} else { } else {
sl_send_reply("200", "Rawr!!"); sl_send_reply("200", "Rawr!!");
@ -408,7 +410,8 @@ route[DOS_PREVENTION]
{ {
# allow request from internal network or from whitelist # allow request from internal network or from whitelist
if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP)) { if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP)) {
xlog("L_DBG", "$ci|log|request from trusted IP");
xlog("L_INFO", "$ci|log|request from trusted IP");
setflag(FLAG_TRUSTED_SOURCE);
return; return;
} }
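Review bot: The IP-literal test re-stated on the new `$rd =~` line in route[HANDLE_OPTIONS] still carries an unescaped `.` between the second and third octets, so that position matches any character, and the pattern is unanchored, so a domain that merely contains three dotted numbers is also dropped; while the line is being rewritten it should read `&& $rd =~ "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$") {`. FLAG_TRUSTED_SOURCE is raised only inside route[DOS_PREVENTION] in the last hunk, so the bypass here and the ones in registrar-role.cfg take effect only for requests that went through DOS_PREVENTION first; the main route is not in the diff, so that ordering should be confirmed and recorded next to the flag, e.g. `FLAG_TRUSTED_SOURCE: 5; # set by route[DOS_PREVENTION] for internal or TRUSTED_ADR_GROUP sources; skips OPTIONS and registrar checks`. The trusted-source log line also moves from L_DBG to L_INFO, which emits one line per request from trusted peers at production log levels. route[HANDLE_OPTIONS] and route[DOS_PREVENTION] both continue outside their hunks.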


+ 1
- 17
kamailio/dispatcher-role.cfg

@ -78,23 +78,7 @@ route[DISPATCHER_FIND_ROUTES]
sl_send_reply("480", "All servers busy"); sl_send_reply("480", "All servers busy");
exit; exit;
} }
} else {
# if we selected from group 1 and there are less than 3 available servers, choose from group 2
if ($var(ds_group) == 1 && $var(ds_cnt)< 3) {
# clear $avp(ds_dst) and search in group 2
$(avp(ds_dst)[*]) = $null;
if (!ds_select_dst("2", "0")) {
xlog("L_ERR", "$ci|end|no servers avaliable in group 2");
sl_send_reply("480", "All servers busy");
exit;
}
}
}
}
$var(contact_uri) = $(ct{tobody.user}) + "@" + $(ct{tobody.host}); $var(contact_uri) = $(ct{tobody.user}) + "@" + $(ct{tobody.host});
$var(from_uri) = @from.uri.user + "@" + @from.uri.host; $var(from_uri) = @from.uri.user + "@" + @from.uri.host;
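Review bot: The removal of the group-2 fallback in route[DISPATCHER_FIND_ROUTES] is not covered by the commit title, which describes only the trusted-IP bypass, so someone bisecting an "All servers busy" regression would not find this change by its message. Either split it into its own commit or add a sentence to the description stating that fewer than three available servers in group 1 no longer fail over to group 2. The route starts and ends outside the hunk.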


+ 1
- 1
kamailio/kamailio.cfg

@ -9,4 +9,4 @@ include_file "default.cfg"
####### Local Configuration ######## ####### Local Configuration ########
include_file "local.cfg" include_file "local.cfg"
## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab

+ 1
- 1
kamailio/local.cfg

@ -47,4 +47,4 @@ modparam("auth_db|usrloc", "db_url", "kazoo://guest:guest@127.0.0.1:5672/callmgr
modparam("presence", "db_url", "kazoo://guest:guest@127.0.0.1:5672/dialoginfo") modparam("presence", "db_url", "kazoo://guest:guest@127.0.0.1:5672/dialoginfo")
#!endif #!endif
## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab

+ 1
- 1
kamailio/nat-traversal-role.cfg

@ -34,4 +34,4 @@ route[NAT_TEST_AND_CORRECT]
} }
} }
## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab

+ 1
- 1
kamailio/presence-role.cfg

@ -45,4 +45,4 @@ route[HANDLE_PUBLISH]
} }
} }
## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab

+ 12
- 0
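--- a/kamailio/registrar-role.cfg
+++ b/kamailio/registrar-role.cfg
@@ -91,6 +91,10 @@ route[HANDLE_REGISTER]
 # AUTH: check to see if user if present in failed_auth_hash
 route[PREVENT_BRUTEFORCE]
 {
+    if (isflagset(FLAG_TRUSTED_SOURCE)) {
+        return(1);
+    }
     if($sht(failed_auth_hash=>$Au::count) >= 2) {
         $var(exp) = $Ts - 120;
         if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
@@ -106,6 +110,10 @@ route[PREVENT_BRUTEFORCE]
 #AUTH: add to failed_auth_hash in case of authentication password error
 route[FAILED_AUTH_COUNT]
 {
+    if (isflagset(FLAG_TRUSTED_SOURCE)) {
+        return;
+    }
     if ($rc == -2) {
         if($sht(failed_auth_hash=>$Au::count) == $null) {
             $sht(failed_auth_hash=>$Au::count) = 0;
@@ -117,6 +125,10 @@ route[FAILED_AUTH_COUNT]
 route[DOMAIN_FORMAT_CHECK]
 {
+    if (isflagset(FLAG_TRUSTED_SOURCE)) {
+        return;
+    }
     if ($rd =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" ||
         $td =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" ) {
         xlog("L_WARN", "$ci|end|denying request with IP domain in From or To header");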
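Review bot: The three early returns added to route[PREVENT_BRUTEFORCE], route[FAILED_AUTH_COUNT] and route[DOMAIN_FORMAT_CHECK] rely on FLAG_TRUSTED_SOURCE having been set earlier, and nothing visible in these hunks sets it; in default.cfg from the same commit it is raised only inside route[DOS_PREVENTION], so if the REGISTER path reaches these routes without passing DOS_PREVENTION first the bypass is silently inert, and if it does pass, every failed authentication arriving from an address in TRUSTED_ADR_GROUP stops being counted for the whole user, which deserves a comment where the exemption is taken, e.g. `# trusted sources (flag set in route[DOS_PREVENTION]) are exempt from the failed-auth counter`. The first return is `return(1)` while the other two are a bare `return`; if any caller tests the route's result with `if (route(...))`, make all three explicit so the intended value is visible, otherwise use the bare form throughout. Each of the three routes continues outside its hunk.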

