error in chan_sip

Postby RDouro » Sat Dec 12, 2015 4:59 am

Hi all,


Can someone help me with this error?
I use Asterisk version 11.18.0.

In var/log/asterisk/message this error appears:


PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
[Dec 10 18:33:39] WARNING[27964] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
[Dec 10 18:33:39] WARNING[27964] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
[Dec 10 18:33:39] WARNING[27964] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.


How can I solve this?

Thanks,

:cry:
RDouro
Newsterisk
 
Posts: 38
Joined: Tue Jan 10, 2012 8:28 am
Location: Portugal

Re: error in chan_sip

Postby david55 » Sat Dec 12, 2015 6:06 am

There are no errors in your article, only warnings.

If you really need to set nat in that way and not have the warnings, you need to edit them out of the source code. That will not affect what the code actually does.

Also, this is not a general discussion topic, so should have been in Asterisk Support.
david55
Moves Like Spencer
 
Posts: 12570
Joined: Fri Sep 26, 2008 5:03 am

Re: error in chan_sip

Postby david55 » Sat Dec 12, 2015 6:20 am

Although 11.18.0 doesn't appear to be in SVN, this is from 11.17.1. The logic seems to be that an attacker can tell the difference between not found and incorrect password by looking at the port to which the response is sent, so this will compromise always auth reject. I'm not sure that there is a problem without always auth reject, so I'm not sure why they don't take that into consideration. However the important thing to note is that this is called for all peer configurations, and it only outputs warnings; it doesn't change any state information.

Code:
static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
   int global_nat, specific_nat;

   if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT))) {
      ast_log(LOG_WARNING, "!!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the  global setting can make\n");
      ast_log(LOG_WARNING, "!!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users\n");
      ast_log(LOG_WARNING, "!!! will be sent to a different port than replies for an existing peer/user. If at all possible,\n");
      ast_log(LOG_WARNING, "!!! use the global 'nat' setting and do not set 'nat' per peer/user.\n");
      ast_log(LOG_WARNING, "!!! (config category='%s' global force_rport='%s' peer/user force_rport='%s')\n", cat, AST_CLI_YESNO(global_nat), AST_CLI_YESNO(specific_nat));
   }
}
david55
Moves Like Spencer
 
Posts: 12570
Joined: Fri Sep 26, 2008 5:03 am
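
Added example (not part of the thread and not Asterisk code): a small auditor that lists the sip.conf sections whose `nat` setting would trip the comparison in the function quoted above, so they can be moved to the global setting. The helper names `force_rport` and `nat_mismatches`, the sample configuration, and the `default_global` value used when `[general]` has no `nat` line are assumptions; the token model is simplified, and template inheritance and `#include` are not followed.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]")

def force_rport(value):
    """Simplified model (assumption): 'force_rport' or legacy 'yes' sets the bit."""
    tokens = {t.strip().lower() for t in value.split(",")}
    return bool(tokens & {"force_rport", "yes"})

def nat_mismatches(conf_text, default_global=True):
    """Return [(section, nat_value)] where force_rport differs from [general]."""
    section, global_nat, per_section = None, None, {}
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None or key.strip().lower() != "nat":
            continue
        value = value.lstrip(">").strip()        # also accept 'nat => value'
        if section.lower() == "general":
            global_nat = force_rport(value)
        else:
            per_section[section] = value         # a later 'nat' line overwrites an earlier one here
    if global_nat is None:
        global_nat = default_global              # assumption supplied by the caller
    return [(s, v) for s, v in per_section.items() if force_rport(v) != global_nat]

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[general]
nat=force_rport,comedia   ; global setting
alwaysauthreject=yes

[alice]
type=friend
nat=no                    ; differs from [general]: would trigger the warning

[bob]
type=friend
nat=force_rport,comedia   ; same as [general]

[carol]
type=friend               ; no nat line, so nothing to compare
"""

if __name__ == "__main__":
    for name, value in nat_mismatches(SAMPLE):
        print(f"[{name}] nat={value} differs from the [general] force_rport setting")
```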

