
various patches from Alfred, anti-relay-to-private-address-space
protection added

Jiri Kuthan 17 år sedan
förälder
incheckning
b5b7ced7f3
1 ändrade filer med 26 tillägg och 18 borttagningar
  1. 26 18
      etc/ser-oob.cfg

+ 26 - 18
etc/ser-oob.cfg

@@ -95,14 +95,14 @@
 #
 # Licensing
 # ----------
-# Copyright (C) 2005-2007 iptelorg GmbH
+# Copyright (C) 2005-2008 iptelorg GmbH
 # This file is part of SER, a free SIP server. It is available under the
 # terms of the  GNU General Public License.
 # Numerous folks have contributed to this file, including but not limited
 # to Andrei, Jan, Jiri, Michal, Miklos, Nils
 #
 #
-# .... that's it, enough of yadiyada, here the real config begin!
+# .... that's it, enough of yadiyada, here the real file config begins!
 
 
 # ----------- global configuration parameters ------------------------
@@ -219,7 +219,7 @@ loadmodule "/usr/lib/ser/modules/uri_db.so"
 loadmodule "/usr/lib/ser/modules/avp.so"
 loadmodule "/usr/lib/ser/modules/avp_db.so"
 loadmodule "/usr/lib/ser/modules/acc_db.so"
-loadmodule "/usr/lib/ser/modules/xmlrpc.so"
+#loadmodule "/usr/lib/ser/modules/xmlrpc.so"
 loadmodule "/usr/lib/ser/modules/options.so"
 loadmodule "/usr/lib/ser/modules/sanity.so"
 loadmodule "/usr/lib/ser/modules/nathelper.so"
@@ -238,7 +238,7 @@ flags
   FLAG_TOTAG          : 5,
   FLAG_PSTN_ALLOWED   : 6, # the user is allowed to use the PSTN
   FLAG_DONT_RM_CRED   : 7, # do not remove the credentials
-  FLAG_AUTH_OK        : 8, # authentication suceeded
+  FLAG_AUTH_OK        : 8, # authentication succeeded
   FLAG_SERWEB_RSVD1   : 9, # bit reserved for use with serweb
   FLAG_SERWEB_RSVD2   :10; # bit reserved for use with serweb
 
@@ -362,9 +362,9 @@ modparam("nathelper", "rtpproxy_sock", "udp:192.168.1.1:22222")
 #DEBCONF-NATPING_INTERVAL-START
 modparam("nathelper", "natping_interval", 15)
 #DEBCONF-NATPING_INTERVAL-END
-modparam("nathelper", "ping_nated_only", 1 )
+modparam("nathelper", "ping_nated_only", 1)
 # if this option is not set, simple 4-bytes ping is sent
-modparam("nathelper", "natping_method", "OPTIONS" )
+modparam("nathelper", "natping_method", "OPTIONS")
 #temporary statefull natping test (only in future versions)
 #modparam("nathelper", "natping_stateful", 1)
 
@@ -395,7 +395,7 @@ route{
 	# to PSTN; if email-like addresses are used, having a URI alias for
 	# processing incoming pstn-2-ip requests may be useful too
 	# important: the script is assuming one global pstn-gw for all domains!
-	# failure to allow gw_ip to be a domain-specic attribute would result
+	# failure to allow gw_ip to be a domain-specific attribute would result
 	# in security gaps (onsend_route checks only for one gateway)
 
 
@@ -495,10 +495,10 @@ route[INIT]
 	}
 
 	#if (msg:len >=  max_len ) {
-	if (msg:len >=  4096 ) {
-		sl_reply("513", "Message too big");
-		drop;
-	}
+	# if (msg:len >=  4096 ) {
+	#	sl_reply("513", "Message too big");
+ 	#		drop;
+	#}
 
 
 	# this flag is need for the onsend route
@@ -522,8 +522,8 @@ route[INIT]
 
 route[OPTIONS_REPLY]
 {
-	# if it an OPTIONS without a username in the RURI but one
-	# our IPs answer directly statelessly
+	# if it is an OPTIONS without a username in the RURI but one
+	# of our IPs answer directly statelessly
 	if (method=="OPTIONS" && @ruri.user=="" && (uri==myself||$t.did)) {
 		options_reply();
 		drop;
@@ -545,7 +545,7 @@ route[NAT_DETECTION]
 	# inapproprietely; (e.g., WM from other domains will fail); if worried
 	# about that, remove tests for maddr and recompile SER using HONOR_MADDR
 	# also note that possibly rewriting contacts may lead to client
-	# renying subseqent requests to them because they don't recognized
+	# denying subseqent requests to them because they don't recognized
 	# fixed contacts as their own; we haven't encountered such case
 	# yet; a possible solution a la usrloc would be to store the original
 	# information as a contact parameter and restore it on its way back
@@ -604,7 +604,7 @@ route[RR]
 			setflag(FLAG_ACC);
 		}
 
-		# restore the NAT flag is is present
+		# restore the NAT flag if present
 		if ($uac_nat == 1) {
 			setflag(FLAG_NAT);
 		}
@@ -657,7 +657,7 @@ route[DOMAIN_POLICY]
 	# as call-forwarding, subsequent requests may not include
 	# served domain neither as origination nor destination
 	# (a@A calls b@B that forwards to c@C; BYE is formed as
-	# BYE a's IP\n f: b@B \n t: a@A; C server doesnt't spot
+	# BYE a's IP\n f: b@B \n t: a@A; C server doesn't spot
 	# C domain anywhere despite BYE is legitimate)
 	if (!isflagset(FLAG_TOTAG) && !$t.did && !$f.did) {
 		sl_reply("403", "Relaying Forbidden");
@@ -1018,7 +1018,7 @@ failure_route[FAILURE_ROUTE]
 			#attr2uri("$tu.fwd_noanswer_target");
 			#route(FORWARD);
 			attr_destination("$tu.fwd_noanswer_target");
-			t_reply("302", "Redirect On Busy");
+			t_reply("302", "Redirect On No Answer");
 		}
 		# alternatively you could forward the request to SEMS/voicemail here
 	}
@@ -1038,7 +1038,7 @@ onreply_route[REPLY_ROUTE]
 	# which contains a body, start to use the RTP proxy
 	if (isflagset(FLAG_NAT) &&
 		status=~"(18[03])|(2[0-9][0-9])" &&
-		!search("^Content-Length: 0")) {
+		!search("^(Content-Length|l): 0")) {
 		force_rtp_proxy('r');
 	}
 }
@@ -1059,6 +1059,14 @@ onsend_route{
 		#xlog("L_ALERT", "non authorized packet for PSTN, dropping...\n%mb\n");
 		drop;
 	}
+	# RFC1918 relay protection -- useful if SER is attached to an administrative
+	# network using private IP address space and you wish to prevent UACs from
+	# relaying their packets there
+	if (to_ip==10.0.0.0/8 || to_ip==172.16.0.0/12 || to_ip==192.168.0.0/16) {
+		log(1, "ALERT: Packet targeted to an RFC1918 address dropped\n");
+		drop;
+	}
+
 }
 
 route[ON_1MIN_TIMER] {
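Review bot: The new onsend_route guard at the `to_ip==` line covers only the three RFC1918 blocks, so the loopback (127.0.0.0/8) and link-local (169.254.0.0/16) ranges that are usually meant by "private address space" are still relayable; extending the condition to `if (to_ip==10.0.0.0/8 || to_ip==172.16.0.0/12 || to_ip==192.168.0.0/16 || to_ip==127.0.0.0/8 || to_ip==169.254.0.0/16) {` closes that gap with the same syntax, and if the deployment also forwards over IPv6 the analogous ULA range is fc00::/7 (whether `to_ip` matches IPv6 prefixes in this version is not visible here). The check is unconditional, so a PSTN gateway or registered UAs that legitimately sit on a private LAN would be dropped too; if that applies, exempt the gateway address or gate the block on a flag, and say so in the comment above it. The log line records only the event, not the destination or source; something like `log(1, "ALERT: Packet to RFC1918 address dropped, src=$si dst=$di\n")` would make the drop attributable, assuming those pseudo-variables are available in this SER version — confirm before relying on it. The enclosing onsend_route starts outside the hunk.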