# # /etc/siproxd.conf - siproxd configuration file # # !! This is a sample file, adapt it to your needs before using it !! # # !! Strings may contain spaces (since 0.8.1) # ###################################################################### # The interface names of INBOUND and OUTBOUND interface. # # If siproxd is not running on the host doing the masquerading # but on a host within the private network segment, "in front" of # the masquerading router: define if_inbound and if_outbound to # point to the same interface (the inbound interface). In *addition* # define 'host_outbound' to hold your external (public) IP address # or a hostname that resolves to that address (use a dyndns address for # example). # if_inbound = eth0 if_outbound = ppp0 # uncomment the following line ONLY IF YOU KNOW WHAT YOU ARE DOING! # READ THE FAQ FIRST! #host_outbound = 1.2.3.4 ###################################################################### # Access control. # Access lists in the form: IP/mask (ex. 10.0.0.1/24) # Multiple entries may be separated by commas NO SPACES ARE ALLOWED!! # Empty list means 'does not apply' - no filtering is done then. # For *allow* lists this means: always allow, for *deny* lists that # this means never deny. # # hosts_allow_reg: defines nets from which we accept registrations # Registrations are *ONLY* allowed from INBOUND! # hosts_allow_sip: defines nets from which we accept SIP traffic # hosts_deny_sip: defines nets from which we deny SIP traffic # # - The deny list takes precedence over the allow lists. # - The allow_reg list also implies allowance for sip. # # Example for usage: # local private net -> allow_reg list # external nets (from which we accept incoming calls) -> allow_sip # # NOTE: Improper setting here will result in dropped SIP packets! # Usually you do NOT want to define hosts_allow_sip! # #hosts_allow_reg = 192.168.1.8/24 #hosts_allow_sip = 123.45.0.0/16,123.46.0.0/16 #hosts_deny_sip = 10.0.0.0/8,11.0.0.0/8 ###################################################################### # Port to listen for incoming SIP messages. # 5060 is usually the correct choice - don't change this unless you # know what you're doing # sip_listen_port = 5060 ###################################################################### # Shall we daemonize? # daemonize = 1 ###################################################################### # What shall I log to syslog? # 0 - DEBUGs, INFOs, WARNINGs and ERRORs # 1 - INFOs, WARNINGs and ERRORs (this is the default) # 2 - WARNINGs and ERRORs # 3 - only ERRORs # 4 - absolutely nothing (be careful - you will have no way to # see what siproxd is doing - or NOT doing) silence_log = 1 ###################################################################### # Secure Enviroment settings: # user: uid/gid to switch to after startup # chrootjail: path to chroot to (chroot jail) user = nobody #chrootjail = /var/lib/siproxd/ ###################################################################### # Memory settings # # THREAD_STACK_SIZE IS AN EXPERIMENTAL FEATURE! # It may be used to reduce the stack size allocated # by pthreads. This may reduce the overall memory footprint # of siproxd and could be helpful on embedded systems. # If you don't know what I'm saying above, do not enable this setting! # USE AT YOUR OWN RISK! # Too small stack size may lead to unexplainable crashes! #thread_stack_size = 512 ###################################################################### # Registration file: # Where to store the current registrations. # An empty value means we do not save registrations. Make sure that # the specified directory path does exist! # Note: If running in chroot jail, this path starts relative # to the jail. registration_file = /var/lib/siproxd/siproxd_registrations ###################################################################### # Automatically save current registrations every 'n' seconds # autosave_registrations = 300 ###################################################################### # PID file: # Where to create the PID file. # This file holds the PID of the main thread of siproxd. # Note: If running in chroot jail, this path starts relative # to the jail. pid_file = /var/run/siproxd/siproxd.pid ###################################################################### # global switch to control the RTP proxy behaviour # 0 - RTP proxy disabled # 1 - RTP proxy (UDP relay of siproxd) # # Note: IPCHAINS and IPTABLES(netfilter) support is no longer present! # rtp_proxy_enable = 1 ###################################################################### # Port range to allocate listen ports from for incoming RTP traffic # This should be a range that is not blocked by the firewall # rtp_port_low = 7070 rtp_port_high = 7089 ###################################################################### # Timeout for RTP streams # after this number of seconds, an RTP stream is considered dead # and proxying for it will be stopped. # Be aware that this timeout also applies to streams that are # in HOLD. # rtp_timeout = 300 ###################################################################### # DSCP value for sent RTP packets # The Differentiated Service Code Point is a selector for # router's per-hop behaviours. # RFC2598 defined a "expedited forwarding" service. This service # is designed to allow ISPs to offer a service with attributes # similar to a "leased line". This service offers the ULTIMATE IN LOW # LOSS, LOW LATENCY AND LOW JITTER by ensuring that there is always # sufficent room in output queues for the contracted expedited forwarding # traffic. # The Expedited Forwarding service has a DSCP of 46. # Putting a 0 here means that siproxd does NOT set the DSCP field. # Siproxd must be started as root for this to work. # rtp_dscp = 46 ###################################################################### # DSCP value for sent SIP packets # Same as above but for SIP signalling. # sip_dscp = 0 ###################################################################### # Dejitter value # Artificial delay to be used to de-jitter RTP data streams. # This time is in microseconds. # 0 - completely disable dejitter (default) # rtp_input_dejitter = 0 rtp_output_dejitter = 0 ###################################################################### # TCP SIP settings: # TCP inactivity timeout: # For TCP SIP signalling, this indicates the inactivity timeout # (seconds) after that an idling TCP connection is disconnected. # Note that making this too short may cause multiple parallell # registrations for the same phone. This timeout must be set larger # than the used registration interval. # tcp_timeout = 600 # # Timeout for connection attempts in msec: # How many msecs shall siproxd wait for an successful connect # when establishing an outgoing SIP signalling connection. This # should be kept as short as possible as waiting for an TCP # connection to establish is a BLOCKING operation - while waiting # for a connect to succeed not SIP messages are processed (RTP is # not affected). # tcp_connect_timeout = 500 # # TCP keepalive period # For TCP SIP signalling: if > 0 empty SIP packets will be sent # every 'n' seconds to keep the connection alive. Default is off. # tcp_keepalive = 20 ###################################################################### # Proxy authentication # If proxy_auth_realm is defined (a string), clients will be forced # to authenticate themselfes at the proxy (for registration only). # To disable Authentication, simply comment out this line. # Note: The proxy_auth_pwfile is independent of the chroot jail. # #proxy_auth_realm = Authentication_Realm # # the (global) password to use (will be the same for all local clients) # #proxy_auth_passwd = password # # OR use individual per user passwords stored in a file # #proxy_auth_pwfile = /etc/siproxd_passwd.cfg # # 'proxy_auth_pwfile' has precedence over 'proxy_auth_passwd' ###################################################################### # Debug level... (setting to -1 will enable everything) # # DBCLASS_BABBLE 0x00000001 // babble (like entering/leaving func) # DBCLASS_NET 0x00000002 // network # DBCLASS_SIP 0x00000004 // SIP manipulations # DBCLASS_REG 0x00000008 // Client registration # DBCLASS_NOSPEC 0x00000010 // non specified class # DBCLASS_PROXY 0x00000020 // proxy # DBCLASS_DNS 0x00000040 // DNS stuff # DBCLASS_NETTRAF 0x00000080 // network traffic # DBCLASS_CONFIG 0x00000100 // configuration # DBCLASS_RTP 0x00000200 // RTP proxy # DBCLASS_ACCESS 0x00000400 // Access list evaluation # DBCLASS_AUTH 0x00000800 // Authentication # DBCLASS_PLUGIN 0x00001000 // Plugins # DCLASS_RTPBABL 0x00002000 // RTP babble # debug_level = 0x00000000 ###################################################################### # TCP debug port # # You may connect to this port from a remote machine and # receive the debug output. This allows bettwer creation of # odebug output on embedded systems that do not have enough # memory for large disk files. # Port number 0 means this feature is disabled. # debug_port = 0 ###################################################################### # Mask feature (experimental) # # Some UAs will always use the host/ip they register with as # host part in the registration record (which will be the inbound # ip address / hostname of the proxy) and can not be told to use a # different host part in the registration record (like sipphone, FWD, # iptel, ...) # This Mask feature allows to force such a UA to be masqueraded to # use different host. # -> Siemens SIP Phones seem to need this feature. # # Unles you really KNOW that you need this, don't enable it. # # mask_host= # masked_host= # # mask_host=10.0.1.1 -- inbound IP address of proxy # masked_host=my.public.host -- outbound hostname proxy ###################################################################### # User Agent Masquerading # # Siproxd can masquerade the User Agent string of your local UAs. # Useful for Providers that do not work with some specific UAs # (e.g. sipcall.ch - it does not work if your outgoing SIP # traffic contains an Asterisk UA string...) # Default is to do no replacement. # #ua_string = Siproxd-UA ###################################################################### # Use ;rport in via header # # may be required in some cases where you have a NAT router that # remaps the source port 5060 to something different and the # registrar sends back the responses to port 5060. # Default is disabled # 0 - do not add ;rport to via header # 1 - do add ;rport to INCOMING via header only # 2 - do add ;rport to OUTGOING via header only # 3 - do add ;rport to OUTGOING and INCOMING via headers # # use_rport = 0 ###################################################################### # Outbound proxy # # Siproxd itself can be told to send all traffic to another # outbound proxy. # You can use this feature to 'chain' multiple siproxd proxies # if you have several masquerading firewalls to cross. # # outbound_proxy_host = my.outboundproxy.org # outbound_proxy_port = 5060 ###################################################################### # Outbound proxy (Provider specific) # # Outbound proxies can be specified on a per-domain base. # This allows to use an outbound proxy needed for ProviderA # and none (or another) for ProviderB. # #outbound_domain_name = freenet.de #outbound_domain_host = proxy.for.domain.freende.de #outbound_domain_port = 5060 # outbound_domain_name = easybell.de outbound_domain_host = sip.easybell.de outbound_domain_port = 5060 ###################################################################### # Loadable Plug-ins # # The plugins are loaded in the order they appear here. Also # the processing order is given by the load order. # # plugin_dir: MUST be terminated with '/' plugindir=/usr/lib/siproxd/ # # List of plugins to load. MUST use the .la file extension! #load_plugin=plugin_demo.la #load_plugin=plugin_shortdial.la load_plugin=plugin_logcall.la #load_plugin=plugin_defaulttarget.la #load_plugin=plugin_fix_bogus_via.la #load_plugin=plugin_fix_DTAG.la #load_plugin=plugin_stun.la #load_plugin=plugin_prefix.la #load_plugin=plugin_regex.la #load_plugin=plugin_stripheader.la #load_plugin=plugin_codecfilter.la #load_plugin=plugin_siptrunk.la #load_plugin=plugin_fix_fbox_anoncall.la #load_plugin=plugin_stats.la #load_plugin=plugin_blacklist.la ###################################################################### # Plugin_demo # plugin_demo_string = This_is_a_string_passed_to_the_demo_plugin ###################################################################### # Plugin_shortdial # # Quick Dial (Short Dial) # ability to define quick dial numbers that can be accessed by # dialing "*00" from a local phone. '00' corresponds to the entry number # (pi_shortdial_entry) below. The '*' character can be chosen freely # (pi_shortdial_akey). # Note: If this module is enabled, there does NOT exist a way to dial # a "real" number like *01, siproxd will try to replace it by it's # quick dial entry. # # The first character is the "key", the following characters give # the length of the number string. E.g. "*00" allows speed dials # from *01 to *99. (the number "*100" will be passed through unprocessed) plugin_shortdial_akey = *00 # # *01 sipphone echo test plugin_shortdial_entry = 17474743246 # *02 sipphone welcome message plugin_shortdial_entry = 17474745000 ###################################################################### # Plugin_defaulttarget # # Log redirects to syslog plugin_defaulttarget_log = 1 # target must be a full SIP URI with the syntax # sip:user@host[:port] plugin_defaulttarget_target = sip:internal@dddd:port ###################################################################### # Plugin_fix_bogus_via # # Incoming (from public network) SIP messages are checked for broken # SIP Via headers. If the IP address in the latest Via Header is # part of the list below, it will be replaced by the IP where the # SIP message has been received from. plugin_fix_bogus_via_networks = 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 ###################################################################### # Plugin_fix_DTAG # # This plugin attempts to work-around some SIP issues with # T-ONLINE SIP (as of 2015). T-Online.de sends broken Via headers in # responses, causing the received SIP response to be discarded by # any SIP client that properly checks the Via chain. # DTAG_networks: Network where DTAG messages are received from. plugin_fix_DTAG_networks = 217.0.23.100/32 ###################################################################### # Plugin_stun # # Uses an external STUN server to determine the public IP # address of siproxd. Useful for "in-front-of-NAT-router" # scenarios. plugin_stun_server = stun.stunprotocol.org plugin_stun_port = 3478 # period in seconds to request IP info from STUN server plugin_stun_period = 300 ###################################################################### # Plugin_prefix # # unconditionally prefixes all outgoing calls with the # "akey" prefix specified below. plugin_prefix_akey = 0 ###################################################################### # Plugin_regex # # Applies an extended regular expression to the 'To' URI. A typical # SIP URI looks like (port number is optional): # sip:12345@some.provider.net # sips:12345@some.provider.net:5061 # # Backreferences \1 .. \9 are supported. # plugin_regex_desc = Test Regex 1 plugin_regex_pattern = ^(sips?:)00 plugin_regex_replace = \1+ plugin_regex_desc = Test Regex 2 plugin_regex_pattern = ^(sips?:)01 plugin_regex_replace = \1+a plugin_regex_desc = Test Regex 3 plugin_regex_pattern = ^(sips?:)01 plugin_regex_replace = \1:001 ###################################################################### # Plugin_stripheader # # unconditionally strip the specified SIP header from the packet. # May be used to workaround IP fragmentation by removing "unimportant" # SIP headers - this is clearly a ugly hack but sometimes saves on # from headache. # Format is
[:], the : part is optional - if not # present the full header will be removed. # # remove entire header (all values attached to this header) plugin_stripheader_remove = Allow plugin_stripheader_remove = User-Agent # remove only a particular value from a header (no spaces allowed) plugin_stripheader_remove = Supported:100rel ###################################################################### # Plugin_codecfilter # # Removes blacklisted (plugin_codecfilter_blacklist) codecs # from any passing SDP payload in both (incoming and outgoing) # directions. This allows the proxy to force the exclusion of # particular codecs in the negotiation between a local UA and a # remote side. # The match is done as case-insensitive substring match. The config # string "726" would match the codecs "G726-32/800", "g726", etc. plugin_codecfilter_blacklist = G722 plugin_codecfilter_blacklist = G726 plugin_codecfilter_blacklist = G729 plugin_codecfilter_blacklist = GSM ###################################################################### # Plugin_siptrunk # # Plugin to handle SIP Trunks where using *one* single SIP account a # whole number block is routed. This means asn incoming INVITE does carry # the target number (in SIP URI or To: header field) but does not really # carry any clear indications to which account it belongs to. # Thus, we need some help - a mapping of the number blocks used in a SIP # trunk and the corresponding SIP account (as used during REGISTER) # # ..._name: any name, pure documentation # ..._account: SIP account in the form of 'sip:user@host', # identical as used for registration. # ..._numbers_regex: REGEX that matches the whole number block associated # with this account # # NOTE: plugin_siptrunk is mutually exclusive with plugin_defaulttarget! # if the defaulttartet 'plugin is also active, then all incoming calls # on SIP trunks will be redirected to the default target. # #plugin_siptrunk_name = Example Trunk, 555-123100 ... 555-123112 #plugin_siptrunk_account = sip:user@sip.example.org #plugin_siptrunk_numbers_regex = ^555123(10[0-9]|11[012])$ ###################################################################### # Plugin_fix_fbox_anoncall # # This plugin attempts to work-around some SIP issues with # Fritzbox devices and anonymous calls. Fritzbox devices do change their # Contact header when answering an anonymous call (supressed CLID) - this # in turn confuses siproxd. This plugin attempts to work around this by # sanitizing the Contact Header before processing. # anoncall_networks: Local Networks where such Fritzboxes are located. Only SIP # messages originating in those ranges will be sanitized. plugin_fix_fbox_anoncall_networks = 192.168.0.0/16,10.0.0.0/8,172.16.0.0/20 ###################################################################### # Plugin_stats # # This plugin does write statistics info about currently active RTP streams. # It can either be triggered by sendin a signal SIGUSR1 and/or periodically # every n seconds (rounded up to 5 seconds). # # ..._to_syslog: 0: disabled, -1 only by SIGUSR1, >0 every 'n' seconds # ..._to_file: 0: disabled, -1 only by SIGUSR1, >0 every 'n' seconds # ..._filename: where to write the file. Siproxd mus have write access. # #plugin_stats_to_syslog = 300 #plugin_stats_to_file = 300 #plugin_stats_filename = /var/lib/siproxd/siproxd_stats ###################################################################### # Plugin_blacklist # # This plugin maintains count of failed REGISTER attempts of # individual local UACs (clients) and does block outgoing requests # from such a UAC once a limit /hitcount) has been reached. The # duration of the block is configurable. It is required that a blocked # UAC does *not* send any packets that are going to be blocked # during the duration to recover (the UAC must remain silent during # this period). # # ...dbpath: path where the database is located # ...db_sync_mode: SQLite "PRAGMA SYNCHRONOUS" setting (OFF|NORMAL|FULL) # ...simulate: 0: block UACs once the failure count limit has been reached # 1: simulate, only log but don't block # ...duration: block duration in seconds, 0: forever # ...hitcount: required failed REGISTER attempts until blocked. # ...register_window: time window within which a response to a REGISTER must # be received, otherwise the REGISTER response will be # ignored for blacklisting # plugin_blacklist_dbpath = /var/lib/siproxd/blacklist.sqlite #plugin_blacklist_db_sync_mode = OFF plugin_blacklist_simulate = 0 plugin_blacklist_duration = 3600 plugin_blacklist_hitcount = 10 plugin_blacklist_register_window = 30