9. SIP Proxy

Figure 5.35. SIP Proxy

SIP Proxy

sip-proxy is the proxy daemon for the Session Initiation Protocol (RFC 3261 et al.), i.e. mainly Internet telephone calls and related services.

The proxy is configured in the sip section. In the sample configuration depicted in Figure 5.35, “SIP Proxy”, chroot-dir defines directory into which it should be chrooted. The proxy listens transparently for requests at Kernun UTM's internal address at port 5060. However, due to the hop-by-hop logic of the protocol, the proxy must listen on this port non-transparently on all internal and external interfaces as well. As usually, the proxy must be referenced by at least one ACL in the system section. In order to enable incoming calls, we will need to allow also sessions from the external network.

sip-proxy uses two-phase ACLs. The first phase, session-acl, is checked once for each client connection. It permits or denies client access and sets some connection parameters. This is where the administrator can specify that some important data that is usually stored in SIP messages headers (e.g. internal addresses) is to be hidden. The second phase, request-acl, is checked once for each request and it can be used e.g. to change the target server according to the Request-URI.

sip-proxy requires specification of the maximum of sessions and data channels used in parallel. An estimate is three times number of the phones for sessions-table-size and two times number of the phones for sockets-table-size. Finally, the proxy requires a file to store the registration data of clients (local phones).

The complete resulting configuration can be found in /usr/local/kernun/conf/samples/cml/sip-proxy.cml. See sip-proxy(8) and sip-proxy(5) to learn more about sip-proxy.