borderrule (borderrule)

Description

Static rule for filtering incoming SIP requests. Used to defend against attacks by SIP roles at the edge of the deployed system «Incoplax».
Other SIP roles force filtering by sender address, allowing only packets from other internal servers.

The system applies the highest-priority rule that fits the conditions.

The IP address value can be an IP address (e.g. 192.168.0.10), subnet mask (e.g. 192.168.0.0/24), IP address range (e.g. 192.168.0.0/24). 172.25.0.50+10).

Incoming messages go through a double check cycle. First, among the rules are selected those where only the filter by IP address/mask of the remote party is set. This check does not require a lot of resources. If the message is not filtered, it is allowed into the system, and after the parser all the rules are applied to the parsed message, including those with filters on domain, user name, user agent, etc. This should be taken into account when creating whitelists.

Rules where only IP address/mask filtering is specified result in banning addresses from the dynamic ban list (exceeding the number of authorization attempts with different credentials within a short time interval).

Limitations

  • The collection is only available in the master domain.

Fields

Entity structure
{
  "id": uuid,
  "priority": str,
  "site": str,
  "domain": str,
  "username": str,
  "useragent": str,
  "remoteipmask": str,
  "action": str,
  "opts": {
    "title": str,
    "comment": str
  },
  "ext": {
    "ct": date,
    "lwt": date
  }
}
json

Description of the specification’s characteristics

Table 1. Fields
Specification Description

Field: id
Mode: inout
Type: uuid
Default: generated

Identifier. Can be specified at creation, otherwise generated by the system.

Field: enabled
Mode: in
Type: intbool
Default: 1

Rule switch

Field: priority
Mode: in
Type: int
Default: required

Priority. A lower value means a higher priority.

Field: site
Mode: in
Type: str
Default: "*"

The site where the rule applies.
"*" – applies to all sites.

Field: service
Mode: in
Type: str
Default: "*"

The service on which the rule applies.
Types of services

Field: domain
Mode: in
Type: str
Default: empty

Sender domain or regular expression.

Field: username
Mode: in
Type: str
Default: empty

Username or regular expression.

Field: useragent
Mode: in
Type: str
Default: empty

The value of the UserAgent field in the SIP request or regular expression.

Field: remoteipmask
Mode: in
Type: str
Default: "0.0.0.0.0/0"

Sender IP address mask.
IP address values can be:

  • IP-address (e.g. '192.168.0.10'),* Subnet mask (e.g. '192.168.0.0/24'),* IP address range (e.g. '172.25.0.50+10')

Field: action
Mode: in
Type: str
Default: required

Actions when receiving incoming requests.

Field: opts
Mode: in
Type: object
Composite field

Field: opts.title
Mode: in
Type: str
Default: empty

Arbitrary header

Field: opts.comment
Mode: in
Type: str
Default: empty

Arbitrary comment

Field: ext
Mode: inout
Type: object
Compound field

Allows you to extend the compound with arbitrary keys and values

Field: ext.ct
Mode: out
Type: date
Default: generated

Object creation time

Field: ext.lwt
Mode: out
Type: date
Default: generated

Time of last modification of the object

Actions when receiving incoming requests

Table 2. Actions when receiving incoming requests
Value Description

"allow"

Authorized

"drop"

Prohibited. Ignoring a request without sending a response.

"deny"

Prohibited. Returning a reply with a rejection.

Types of services

Table 3. Types of services
Value Description

"ws"

Applies only on web server for HTTP(S) and WS(S) requests to the API.

"sg"

Applies only to sg (TCP, UDP, TLS, WS, WSS).

"esg"

Applies only to esg (TCP, UDP, TLS).

"ap"

Applies only to autoprovision (TFTP).

"sip"

Applies to all SIP edge services: sg, esg, ap.

"*"

Applies to all of the above services.

See also

API

Logical roles

  • sg realizes SBC (Session Border Controller).

  • esg realizes SBC (Session Border Controller).