[Users] pstn-to-openser, 403 Forbiden

Mike Williams mike at mikebwilliams.com
Thu Nov 9 14:26:44 CET 2006 

Ion,

I believe the group module (grp, I think) has this capability. Just add a user 
to a specific group such as "pstn" and then check if they are in it when they 
try to call the pstn.

Mike Williams


On Thursday 09 November 2006 02:36, Ion Minzu wrote:
> Hello Norman,
>   thanks, Norman
>   after I have closed the domain authorisation (proxy_authorize),
> everything works. It looks for me too sophisticated to use permission and
> domain module. I will try another method. now I want to make restrictions
> for voip users, I mean who has the right to make a call to pstn and who has
> not. someone has some ideeas?
>
> Wednesday, November 8, 2006, 2:35:34 PM, you wrote:
> > Hello Ion,
> >
> > Perhaps the "pstn" device is not responding to the authorization
> > request.  A SIP trace will show you if this is happening.
> >
> > "ngrep -W byline port 5060" should be all you need to trace SIP messages
> > (if you're listening on eth1, then you might want to add "-d eth1" when
> > invoking ngrep).  Older versions of ngrep did not have the "-W byline"
> > option.  If this is your case, you probably should upgrade ngrep.
> >
> > A possible solution to you problem might be to use the "permissions"
> > module and the "trusted" table.  Then, instead of
> > (www_authorize/www_challenge or in addition to, depending on your
> > particular situation) you might want to use the "allow_trusted()"
> > command to authenticate incoming INVITEs.
> >
> > Below is a little example
> >
> > <snip>
> >
> >       if (!is_from_local() && !allow_trusted()) {
> >         if (!proxy_authorize("","subscriber")) {
> >           proxy_challenge("","0");
> >           exit;
> >         } else if (!check_from()) {
> >           sl_send_reply("403", "Use From=ID");
> >           exit;
> >         };
> >       };
> >
> > </snip>
> >
> > Regards,
> > Norm
> >
> > Ion Minzu wrote:
> >> Hello ,
> >>
> >> I have connected openser with pstn through cisco. when I make a
> >> call from voip network to pstn it's ok.
> >> but from pstn to voip I have a problem:openser answers 403 forbiden.
> >> in openser I do the authorisation on mysql, I have disabled
> >> authorisation on sip gateway:
> >>
> >> if (src_ip!=X.X.X.X) {
> >>         if (!www_authorize("DOMAIN.COM","subscriber")) {
> >>         www_challenge("DOMAIN.COM","0");
> >>         exit;
> >>         }
> >>         };
> >>
> >> What is the problem?
> >>
> >>  X.X.X.X is cisco
> >>
> >> U X.X.X.X:54177 -> 172.17.6.2:5060
> >>   INVITE sip:820022 at 172.17.6.2:5060 SIP/2.0..Via: SIP/2.0/UDP
> >>   X.X.X.X:5060..From:
> >> <sip:022250699 at X.X.X.X>;tag=1A0FBC30-1472..To: <sip:820022 at 172.1
> >>   7.6.2>..Date: Wed, 08 Nov 2006 11:03:14 GMT..Call-ID:
> >>   906DA628-6E4F11DB-9034EA4F-E981BA1F at X.X.X.X..Supported:
> >> timer,100rel..Min-SE:  1800..Cisco-Guid
> >>
> >>   : 2422905184-1850675675-2419190351-3917593119..User-Agent:
> >>
> >> Cisco-SIPGateway/IOS-12.x..Allow: INVITE, OPTIONS, BYE, CANCEL,
> >> ACK, PRACK, COMET, REFER, SUBS
> >>   CRIBE, NOTIFY, INFO..CSeq: 101 INVITE..Max-Forwards:
> >> 6..Remote-Party-ID:
> >> <sip:022250699 at X.X.X.X>;party=calling;screen=yes;privacy=off..Timestamp:
> >> 116
> >>   2983794..Contact: <sip:022250699 at X.X.X.X:5060>..Expires:
> >> 180..Allow-Events: telephone-event..Content-Type:
> >> application/sdp..Content-Length: 235....v=
> >>   0..o=CiscoSystemsSIP-GW-UserAgent 1226 5023 IN IP4 X.X.X.X..s=SIP
> >>   Call..c=IN IP4 X.X.X.X..t=0 0..m=audio 16642 RTP/AVP 18 19..c=IN IP4
> >>   X.X.X.X..a=rtpmap:18 G729/8000..a=fmtp:18
> >> annexb=no..a=rtpmap:19 CN/8000..a=ptime:20..
> >> #
> >> U 172.17.6.2:5060 -> X.X.X.X:5060
> >>   SIP/2.0 403 Use From=ID..Via: SIP/2.0/UDP  X.X.X.X:5060..From:
> >>   <sip:022250699 at X.X.X.X>;tag=1A0FBC30-1472..To:
> >>
> >> <sip:820022 at 172.17.6.2>;tag=329cfeaa6ded039da25ff8cbb8668bd2.13ec..Call-
> >>ID: 906DA628-6E4F11DB-9034EA4F-E981BA1F at X.X.X.X..CSeq: 101
> >> INVITE..Server: OpenSer (1.1.0-tls (x86_64/linux))..C
> >>   ontent-Length: 0..Warning: 392 172.17.6.2:5060 "Noisy
> >> feedback tells:  pid=32240 req_src_ip=X.X.X.X req_src_port=54177
> >> in_uri=sip:820022 at 172.17.6.2:5
> >>   060 out_uri=sip:820022 at 172.17.6.2:5060 via_cnt==1"....
> >> #
> >> U X.X.X.X:54177 -> 172.17.6.2:5060
> >>   ACK sip:820022 at 172.17.6.2:5060 SIP/2.0..Via: SIP/2.0/UDP
> >>   X.X.X.X:5060..From:
> >> <sip:022250699 at X.X.X.X>;tag=1A0FBC30-1472..To: <sip:820022 at 172.17.6
> >>   .2>;tag=329cfeaa6ded039da25ff8cbb8668bd2.13ec..Date: Wed, 08 Nov
> >>   2006 11:03:14 GMT..Call-ID:
> >>   906DA628-6E4F11DB-9034EA4F-E981BA1F at X.X.X.X..Max-Forward
> >>   s: 6..Content-Length: 0..CSeq: 101 ACK....
> >>
> >>
> >> Best regards,
> >> Ion Minzu,
> >> Specialist Tehnologii Informationale,
> >> Administrator de sistem al Centrului de certificare,
> >> Administrator VoIP,
> >> I.S."Centrul de Telecomunicatii Speciale",
> >> tel:250-517 (office), 069501208 (mob), 382869185 (ICQ)
> >> mailto:ion.minzu at cts.md
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users

More information about the Users mailing list