All right, that makes perfect sense now.
Thank you very much!
Have a nice day,
pierlu.

> On 13 Mar 2016, at 05:05, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> in that trace line GnuGk only prints out which rule it has picked based
> on the longest prefix it could find. It doesn't print the source alias
> it has looked at to accept or deny.
>
> In your case the prefix is the full number so it's not that clear.
> Usually it says something like 'prefix 01 matched for alias
> 0123456789' when you dialed 0123456789.
>
> Your rule actually blocks the call if 3194 is the only source alias. I
> tried that here.
>
> Regards,
> Jan
>
> pierlu wrote:
>> Hi Jan
>>
>> You say that "in the ARQ, the calling endpoint has two.
>> GnuGk finds the prefix match, looks at the first alias, notices
>> that it doesn't match the alias pattern and moves on to the next
>> rule. If the endpoint had only 3194 as alias, the rule would
>> block the call."
>>
>> In that case tho, I'd have expected to find the line *PrefixAuth rule
>> matched and could not reject or accept destination prefix '8501' for alias
>> 'DC PERS SI'* in the logs, while what I find is *PrefixAuth rule matched
>> and could not reject or accept destination prefix '8501' for alias '8501'* like
>> it's using destInfo for both the calling alias and the called alias.
>>
>> I still don't understand but I'll use SQLAuth instead, which I know for
>> sure will let me do what I look for, because I use it on another ini conf.
>> It's that I did not want to put up a database connection for this :)
>>
>> Thanks for your reply.
>> Pierlu
>>
>>> On Sat, Mar 12, 2016 at 2:35 AM, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
>>>
>>> Hi Pierlu,
>>>
>>> authenticating endpoints by their alias is always problematic.
>>>
>>> As you can see in the ARQ, the calling endpoint has two.
>>> GnuGk finds the prefix match, looks at the first alias, notices
>>> that it doesn't match the alias pattern and moves on to the next
>>> rule. If the endpoint had only 3194 as alias, the rule would
>>> block the call.
>>>
>>> If you want to block a prefix, I'd suggest you try to find a
>>> better matching criteria, e.g. by caller IP.
>>>
>>> Regards,
>>> Jan
>>>
>>> --
>>> Jan Willamowius, Founder of the GNU Gatekeeper Project
>>> EMail : jan@xxxxxxxxxxxxxx
>>> Website: http://www.gnugk.org
>>> Support: http://www.willamowius.com/gnugk-support.html
>>>
>>> Relaxed Communications GmbH
>>> Frahmredder 91
>>> 22393 Hamburg
>>> Geschäftsführer: Jan Willamowius
>>> HRB 125261 (Amtsgericht Hamburg)
>>> USt-IdNr: DE286003584
>>>
>>>
>>> pierlu wrote:
>>>> Hi everyone.
>>>> I read in the manual that adding the following lines to the
>>>> configuration
>>>>
>>>> 09=deny alias:^188884.*
>>>> ALL=allow ipv4:0/0|allow ipv6:::/0
>>>>
>>>> will end up in "endpoints having an alias beginning with 188884 are
>>>> not allowed to call prefix 09"
>>>>
>>>> So I expected that by adding the following lines to my configuration,
>>>> I would have prevented endpoint 3194 from calling the endpoint 8501
>>>> (which is an MCU ad hoc room actually)
>>>>
>>>> [Gatekeeper::Auth]
>>>> PrefixAuth=required;ARQ
>>>>
>>>> [PrefixAuth]
>>>> 8501=deny alias:^3194.*
>>>> ALL=allow ipv4:0/0
>>>>
>>>> But this does not work; I also tried setting the rule to 8501=deny
>>>> alias:^3194 to no avail.
>>>>
>>>> So I dug into the logs and what I see is perplexing me, because it says that
>>>>
>>>> *GKAUTH PrefixAuth rule matched and could not reject or accept
>>>> destination prefix '8501' for alias '8501'*
>>>>
>>>> i.e. the alias for the caller and the callee is the same; this is the
>>>> actual output (where the IP address has been blanked out)
>>>>
>>>> 2016/03/11 12:38:07.515 3 RasSrv.cxx(251) RAS
>>>> admissionRequest {
>>>>   requestSeqNum = 8596
>>>>   callType = pointToPoint <<null>>
>>>>   callModel = gatekeeperRouted <<null>>
>>>>   endpointIdentifier = 9 characters {
>>>>     0037 0038 0038 0036 005f 0065 006e 0064   7886_end
>>>>     0070                                      p
>>>>   }
>>>>   destinationInfo = 2 entries {
>>>>     [0]=dialedDigits "8501"
>>>>     [1]=dialedDigits "8501"
>>>>   }
>>>>   srcInfo = 2 entries {
>>>>     [0]=h323_ID 10 characters {
>>>>       0044 0043 0020 0050 0045 0052 0053 0020   DC PERS
>>>>       0053 0049                                 SI
>>>>     }
>>>>     [1]=dialedDigits "3194"
>>>>   }
>>>>   srcCallSignalAddress = ipAddress {
>>>>     ip = 4 octets {
>>>>       xx xx xx xx   ....
>>>>     }
>>>>     port = 60008
>>>>   }
>>>>   bandWidth = 15360
>>>>   callReferenceValue = 2331
>>>>   conferenceID = 16 octets {
>>>>     02 87 73 31 e2 b2 03 14 1d a9 56 34 34 34 34 ef   ..s1......V4444.
>>>>   }
>>>>   activeMC = false
>>>>   answerCall = false
>>>>   canMapAlias = false
>>>>   callIdentifier = {
>>>>     guid = 16 octets {
>>>>       02 87 73 31 e2 b2 03 14 1d a8 56 34 34 34 34 ef   ..s1......V4444.
>>>>     }
>>>>   }
>>>>   gatekeeperIdentifier = 5 characters {
>>>>     0047 006e 0075 0047 006b   GnuGk
>>>>   }
>>>>   willSupplyUUIEs = false
>>>> }
>>>> 2016/03/11 12:38:07.531 5 job.cxx(338) JOB Worker threads: 15 total - 15 busy, 0 idle
>>>> 2016/03/11 12:38:07.531 5 job.cxx(180) JOB Starting Job ARQ at Worker thread 364
>>>> 2016/03/11 12:38:07.531 1 RasSrv.cxx(382) RAS ARQ Received from xx.xx.xx.xx:1719
>>>> *2016/03/11 12:38:07.531 4 gkauth.cxx(1941) GKAUTH PrefixAuth rule matched and could not reject or accept destination prefix '8501' for alias '8501'*
>>>> 2016/03/11 12:38:07.531 5 gkauth.cxx(1735) GKAUTH Prefix auth rule 'allow ip(32):0/0' matched
>>>> 2016/03/11 12:38:07.531 4 gkauth.cxx(1926) GKAUTH PrefixAuth rule matched and accepted destination prefix 'ALL' for alias '8501'
>>>> 2016/03/11 12:38:07.531 3 gkauth.cxx(795) GKAUTH PrefixAuth ARQ check ok
>>>>
>>>>
>>>> The output is the same even when the calling endpoint is a different
>>>> one from 3194.
>>>>
>>>> What am I not understanding?
>>>>
>>>> My Gnugk Version is Gatekeeper(GNU) Version(3.4.0) Ext(pthreads=0,radius=1,mysql=1,pgsql=1,firebird=1,odbc=1,sqlite=1,large_fdset=0,crypto/ssl=1,h46018=1,h46023=1,ldap=1,ssh=0,ipv6=1,h235media=1,lua=0,h46017=1,snmp=1,h46026=0)
>>>> H323Plus(1.25.3) PTLib(2.10.1) Build(Sep 19 2013, 19:57:17) Sys(Server
>>>> 2003 i586 (Model=1 Stepping=2) v5.2.3790)
>>>>
>>>>
>>>> Thank you very much. Pierlu

_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/
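
The rule evaluation Jan describes in this thread, as an added example that is not part of the original messages and is not GnuGk code: a simplified Python model that assumes an alias condition is tested only against the first source alias and that a prefix rule whose condition does not match falls through to ALL. The names RULES_ALIAS, RULES_IP and prefix_auth are hypothetical, and the caller address 192.0.2.10 is a placeholder because the real one is blanked out in the trace.

```python
import ipaddress
import re

# Simplified model of the behaviour described in the thread, not GnuGk code.
# Rules are keyed by destination prefix; "ALL" is the fallback entry.
RULES_ALIAS = {"8501": [("deny", "alias", r"^3194.*")],
               "ALL": [("allow", "ipv4", "0.0.0.0/0")]}
# Jan's suggestion: match on caller IP (192.0.2.10 is a placeholder address).
RULES_IP = {"8501": [("deny", "ipv4", "192.0.2.10/32")],
            "ALL": [("allow", "ipv4", "0.0.0.0/0")]}

def condition_matches(kind, pattern, src_aliases, src_ip):
    if kind == "alias":
        # Assumption taken from the thread: only the first source alias is tested.
        return bool(src_aliases) and re.search(pattern, src_aliases[0]) is not None
    if kind == "ipv4":
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(pattern)
    raise ValueError(f"unsupported condition type: {kind}")

def prefix_auth(rules, dialed, src_aliases, src_ip):
    """Return (verdict, deciding_prefix) for one ARQ."""
    # Longest matching destination prefix first, then the ALL fallback.
    prefixes = sorted((p for p in rules if p != "ALL" and dialed.startswith(p)),
                      key=len, reverse=True)
    if "ALL" in rules:
        prefixes.append("ALL")
    for prefix in prefixes:
        for verdict, kind, pattern in rules[prefix]:
            if condition_matches(kind, pattern, src_aliases, src_ip):
                return verdict, prefix
        # Prefix matched but no condition did ("could not reject or accept"):
        # fall through to the next, less specific rule.
    return "no-match", None

if __name__ == "__main__":
    # Constructed from the ARQ in the thread; the caller IP is a placeholder.
    two_aliases = ["DC PERS SI", "3194"]
    print(prefix_auth(RULES_ALIAS, "8501", two_aliases, "192.0.2.10"))
    print(prefix_auth(RULES_ALIAS, "8501", ["3194"], "192.0.2.10"))
    print(prefix_auth(RULES_IP, "8501", two_aliases, "192.0.2.10"))
```

With both aliases present the alias rule is skipped and ALL accepts the call; with 3194 as the only alias, or with the IP-based rule, the 8501 rule denies it.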