Asterisk Forums

[RDouro]

Hi all,


Same one can help me about these error ?
I use asterisk version 11.18.0 .

in var/log/asterisk/message appears these error :


PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
[Dec 10 18:33:39] WARNING[27964] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
[Dec 10 18:33:39] WARNING[27964] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
[Dec 10 18:33:39] WARNING[27964] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.


how i can solve ?

Tank´s,

[david55]

There are no errors in your article, only warnings.

If you really need to set nat in that way and not have the warnings, you need to edit them out of the source code. That will not affect what the code actually does.

Also, this is not a general discussion topic, so should have been in Asterisk Support.

[david55]

Although 11.18.0 doesn't appear to be in SVN, this is from 11.17.1. The logic seems to be that an attacker can tell the difference between not found and incorrect password by looking at the port to which the response is sent, so this will compromise always auth reject. I'm not sure that there is a problem without always auth reject, so I'm not sure why they don't take that into consideration. However the important thing to note is that this is called for all peer configurations, and it only outputs warnings; it doesn't change any state information.

Code: Select all

static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
   int global_nat, specific_nat;

   if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT))) {
      ast_log(LOG_WARNING, "!!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the  global setting can make\n");
      ast_log(LOG_WARNING, "!!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users\n");
      ast_log(LOG_WARNING, "!!! will be sent to a different port than replies for an existing peer/user. If at all possible,\n");
      ast_log(LOG_WARNING, "!!! use the global 'nat' setting and do not set 'nat' per peer/user.\n");
      ast_log(LOG_WARNING, "!!! (config category='%s' global force_rport='%s' peer/user force_rport='%s')\n", cat, AST_CLI_YESNO(global_nat), AST_CLI_YESNO(specific_nat));
   }
}