<div dir="ltr">Thanks <span style="color:rgb(0,0,0);font-size:12.8px">Jurijs!</span><div><span style="color:rgb(0,0,0);font-size:12.8px"><br></span></div><div><span style="color:rgb(0,0,0);font-size:12.8px">Unfortunately we do need to use TLS.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 1, 2016 at 1:26 PM, Jurijs Ivolga <span dir="ltr">&lt;<a href="mailto:jurijs.ivolga@gmail.com" target="_blank">jurijs.ivolga@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi Oleg,<br><br></div>With iptables you can block based on what is inside SIP packet(off cause if you are not using TLS), take a look on link below:<br><br><a href="http://www.bertera.it/index.php/2014/01/22/sip-facket-filtering-with-iptables/" target="_blank">http://www.bertera.it/index.php/2014/01/22/sip-facket-filtering-with-iptables/</a><br><br></div>It is not best way to achieve what you need, cause as far as I know it is resource consuming operations. Best way will be to use Kamailio as SIP proxy in front.<br><br></div>With kind regards,<br><div class="gmail_extra"><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr">Jurijs<br></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Wed, Jun 1, 2016 at 11:05 PM, Oleg Stolyar <span dir="ltr">&lt;<a href="mailto:olegstolyar@gmail.com" target="_blank">olegstolyar@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks guys!  IP tables is how we block most traffic but we can only block traffic by port.  In this case it&#39;s about invalid INVITES coming in on a valid port.<div><br></div><div>Do you think this functionality would be useful?  </div><div>Is it worth opening a feature request and perhaps putting a bounty on it?  </div><div>Any idea of the effort?</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Wed, Jun 1, 2016 at 1:00 PM, Michael Jerris <span dir="ltr">&lt;<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div style="word-wrap:break-word">The only way with our current sip module to accomplish either of these would be to put a sip proxy out front to handle that behavior, or to somehow use iptables to block the traffic<div><div><div><br><div><blockquote type="cite"><div>On Jun 1, 2016, at 3:40 PM, Oleg Stolyar &lt;<a href="mailto:olegstolyar@gmail.com" target="_blank">olegstolyar@gmail.com</a>&gt; wrote:</div><br><div><div dir="ltr"><div>Hi,</div><div><br></div>In order to protect against scanning attacks I&#39;d like for FS to not respond to INVITES unless they match certain conditions.  <div><br></div><div>I understand that currently FS always responds with 100 Trying right away before processing the call and then, if the call does not match anything in the dialplan, responds with a 302 Moved Temporarily.</div><div><br></div><div>The 302 can be replaced with another response code (for example 403 Forbidden which is what I am doing now) using the <b>respond</b> dialplan app.   However, that might encourage the scanner to keep trying.</div><div><br></div><div>So I guess there are two questions:</div><div><br></div><div>1. Is there a way not to send back 100 Trying at all?</div><div><br></div><div>2. Is there a way to not send any final response?</div></div></div></blockquote></div><br></div></div></div></div><br></div></div>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div></div></div></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div>