Re: Help on PrefixAuth::unexpected behaviour

 



Hi,

in that trace line GnuGk only prints out which rule it has picked based
on the longest prefix it could find. It doesn't print the source alias
it has looked at to accept or deny.

In your case the prefix is the full number so it's not that clear.
Usually it says something like 'prefix 01 matched for alias
0123456789' when you dialed 0123456789.

Your rule actually blocks the call if 3194 is the only source alias. I
tried that here.

Regards,
Jan

pierlu wrote:
> Hi Jan
> 
> You say that "in the ARQ, the calling endpoint has two.
> GnuGk finds the prefix match, looks at the first alias, notices
> that it doesn't match the alias pattern and moves on to the next
> rule. If the endpoint had only 3194 as alias, the rule would
> block the call."
> 
> In that case tho, I'd have expected to find the line *PrefixAuth rule
> matched and could not reject or accept destination prefix '8501' for alias
> 'DC PERS SI'* in the logs, while what I find is *PrefixAuth rule matched
> and could not reject or accept destination prefix '8501' for alias '8501'* like
> it's using destInfo for both the calling alias and the called alias.
> 
> I still don't understand but I'll use SQLAuth instead, which I know for
> sure will let me do what I look for, because I use it on another ini conf.
> It's that I did not want to put up a database connection for this :)
> 
> Thanks for your reply. Pierlu
> 
> On Sat, Mar 12, 2016 at 2:35 AM, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
> 
> > Hi Pierlu,
> >
> > authenticating endpoints by their alias is always problematic.
> >
> > As you can see in the ARQ, the calling endpoint has two.
> > GnuGk finds the prefix match, looks at the first alias, notices
> > that it doesn't match the alias pattern and moves on to the next
> > rule. If the endpoint had only 3194 as alias, the rule would
> > block the call.
> >
> > If you want to block a prefix, I'd suggest you try to find a
> > better matching criteria, eg. by caller IP.
> >
> > Regards,
> > Jan
> >
> > --
> > Jan Willamowius, Founder of the GNU Gatekeeper Project
> > EMail  : jan@xxxxxxxxxxxxxx
> > Website: http://www.gnugk.org
> > Support: http://www.willamowius.com/gnugk-support.html
> >
> > Relaxed Communications GmbH
> > Frahmredder 91
> > 22393 Hamburg
> > Geschäftsführer: Jan Willamowius
> > HRB 125261 (Amtsgericht Hamburg)
> > USt-IdNr: DE286003584
> >
> >
> > pierlu wrote:
> > > Hi everyone.
> > > I read in the manual that by adding the following lines to the
> > > configuration
> > >
> > > 09=deny alias:^188884.*
> > > ALL=allow ipv4:0/0|allow ipv6:::/0
> > >
> > > will end up in "endpoints having an alias beginning with 188884 are
> > > not allowed to call prefix 09"
> > >
> > > So I expected that by adding the following lines to my configuration,
> > > I would have prevented endpoint 3194 from calling the endpoint 8501
> > > (which is an MCU ad hoc room actually)
> > >
> > > [Gatekeeper::Auth]
> > > PrefixAuth=required;ARQ
> > >
> > > [PrefixAuth]
> > > 8501=deny alias:^3194.*
> > > ALL=allow ipv4:0/0
> > >
> > > But this does not work; I also tried setting the rule to 8501=deny
> > > alias:^3194 to no avail.
> > >
> > > So I dug into logs and what I see is perplexing me: because it says that
> > >
> > > *GKAUTH       PrefixAuth rule matched and could not reject or accept
> > > destination prefix '8501' for alias '8501'*
> > >
> > > i.e. the alias for the caller and the callee is the same; this is the
> > > actual output (where ip address has been blanked out)
> > >
> > > 2016/03/11 12:38:07.515       3             RasSrv.cxx(251)   RAS  admissionRequest {
> > >     requestSeqNum = 8596
> > >     callType = pointToPoint <<null>>
> > >     callModel = gatekeeperRouted <<null>>
> > >     endpointIdentifier =  9 characters {
> > >       0037 0038 0038 0036 005f 0065 006e 0064   7886_end
> > >       0070                                      p
> > >     }
> > >     destinationInfo = 2 entries {
> > >       [0]=dialedDigits "8501"
> > >       [1]=dialedDigits "8501"
> > >     }
> > >     srcInfo = 2 entries {
> > >       [0]=h323_ID  10 characters {
> > >         0044 0043 0020 0050 0045 0052 0053 0020   DC PERS
> > >         0053 0049                                 SI
> > >       }
> > >       [1]=dialedDigits "3194"
> > >     }
> > >     srcCallSignalAddress = ipAddress {
> > >       ip =  4 octets {
> > >         xx xx xx xx                                        ....
> > >       }
> > >       port = 60008
> > >     }
> > >     bandWidth = 15360
> > >     callReferenceValue = 2331
> > >     conferenceID =  16 octets {
> > >       02 87 73 31 e2 b2 03 14  1d a9 56 34 34 34 34 ef   ..s1......V4444.
> > >     }
> > >     activeMC = false
> > >     answerCall = false
> > >     canMapAlias = false
> > >     callIdentifier = {
> > >       guid =  16 octets {
> > >         02 87 73 31 e2 b2 03 14  1d a8 56 34 34 34 34 ef   ..s1......V4444.
> > >       }
> > >     }
> > >     gatekeeperIdentifier =  5 characters {
> > >       0047 006e 0075 0047 006b                  GnuGk
> > >     }
> > >     willSupplyUUIEs = false
> > >   }
> > > 2016/03/11 12:38:07.531       5                job.cxx(338)   JOB  Worker threads: 15 total - 15 busy, 0 idle
> > > 2016/03/11 12:38:07.531       5                job.cxx(180)   JOB  Starting Job ARQ at Worker thread 364
> > > 2016/03/11 12:38:07.531       1             RasSrv.cxx(382)   RAS  ARQ Received from xx.xx.xx.xx:1719
> > > *2016/03/11 12:38:07.531      4             gkauth.cxx(1941)  GKAUTH  PrefixAuth rule matched and could not reject or accept destination prefix '8501' for alias '8501'*
> > > 2016/03/11 12:38:07.531       5             gkauth.cxx(1735)  GKAUTH  Prefix auth rule 'allow ip(32):0/0' matched
> > > 2016/03/11 12:38:07.531       4             gkauth.cxx(1926)  GKAUTH  PrefixAuth rule matched and accepted destination prefix 'ALL' for alias '8501'
> > > 2016/03/11 12:38:07.531       3             gkauth.cxx(795)   GKAUTH  PrefixAuth ARQ check ok
> > >
> > >
> > > The output is the same even when the calling endpoint is a different
> > > one from 3194.
> > >
> > > What am I not understanding?
> > >
> > > My Gnugk Version is Gatekeeper(GNU) Version(3.4.0) Ext(pthreads=0,radius=1,mysql=1,pgsql=1,firebird=1,odbc=1,sqlite=1,large_fdset=0,crypto/ssl=1,h46018=1,h46023=1,ldap=1,ssh=0,ipv6=1,h235media=1,lua=0,h46017=1,snmp=1,h46026=0)
> > > H323Plus(1.25.3) PTLib(2.10.1) Build(Sep 19 2013, 19:57:17) Sys(Server 2003 i586 (Model=1 Stepping=2) v5.2.3790)
> > >
> > >
> > > Thank you very much. Pierlu

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/
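
Added example, not part of the thread and not GnuGk code: a simplified Python model of the evaluation Jan describes (longest destination prefix first, an alias rule compared against the first source alias only, then fall through to ALL). It shows why the posted alias rule lets the two-alias ARQ through while a caller-IP rule does not; the function names, the first-alias-only assumption and the 192.0.2.10 address are illustrative.

```python
import ipaddress
import re

# Simplified model of the behaviour described in this thread; not GnuGk source.
# Rule tuples: (action, kind, pattern); kind is "alias" (regex) or "ipv4" (CIDR).
ALIAS_RULES = {  # the configuration posted in the thread
    "8501": [("deny", "alias", r"^3194.*")],
    "ALL": [("allow", "ipv4", "0.0.0.0/0")],
}
IP_RULES = {  # same intent keyed on caller IP (address is a constructed sample)
    "8501": [("deny", "ipv4", "192.0.2.10/32")],
    "ALL": [("allow", "ipv4", "0.0.0.0/0")],
}

def rule_matches(kind, pattern, aliases, ip):
    if kind == "alias":
        # Assumption taken from Jan's reply: only the first source alias is compared.
        return bool(aliases) and re.search(pattern, aliases[0]) is not None
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def prefix_auth(rules, dialed, aliases, ip):
    """Return (decision, prefix_used) for one ARQ."""
    # Longest matching destination prefix first, then the ALL fallback.
    prefixes = sorted(
        (p for p in rules if p != "ALL" and dialed.startswith(p)),
        key=len, reverse=True)
    for prefix in prefixes + ["ALL"]:
        for action, kind, pattern in rules.get(prefix, []):
            if rule_matches(kind, pattern, aliases, ip):
                return action, prefix
    return "deny", None  # nothing matched: treated as reject in this model

def audit(rules, callers, dialed):
    """Map each caller name to the decision its ARQ would get."""
    return {name: prefix_auth(rules, dialed, aliases, ip)[0]
            for name, (aliases, ip) in callers.items()}

# Constructed callers: the srcInfo order from the ARQ in the thread
# (h323_ID first, then dialedDigits), and an endpoint registered with 3194 only.
CALLERS = {
    "two_aliases": (["DC PERS SI", "3194"], "192.0.2.10"),
    "single_alias": (["3194"], "192.0.2.10"),
}

if __name__ == "__main__":
    print("alias rule:", audit(ALIAS_RULES, CALLERS, "8501"))
    print("ip rule:   ", audit(IP_RULES, CALLERS, "8501"))
```

Running the same audit over the real endpoint list before deploying a deny rule shows which registrations would slip past an alias pattern.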



