Solved: Expressway CPL script - is a "reject status" required ?

bvanbenschoten · ‎01-05-2018

consider a typical rule to block common SIP scanning

<taa:rule unauthenticated-origin="(.+)@1.1.1.1" destination="(.*)"><reject status="403"/></taa:rule>

is is required that the Expressway send back a reject reason ?

can the message just be silently dropped ?

Patrick Sparkman · ‎01-05-2018

You must have a status, otherwise Expressway will fail to load the CPL and raise an alarm.

View solution in original post

Patrick Sparkman · ‎01-05-2018

You need to ether a Proxy or Reject, if you don't have one, that node within the CPL will never take affect.

bvanbenschoten · ‎01-05-2018

Can you have a Reject without sending a status message back ?

Such as:

<taa:rule unauthenticated-origin="(.+)@1.1.1.1" destination="(.*)"><reject status=""/></taa:rule>

OR

<taa:rule unauthenticated-origin="(.+)@1.1.1.1" destination="(.*)"><reject/></taa:rule>

Patrick Sparkman · ‎01-05-2018

You must have a status, otherwise Expressway will fail to load the CPL and raise an alarm.

Jonathan Schulenberg · ‎01-05-2018

One of the CLUS presentations last year on Expressway suggested an IPS in front of Expressway-E if you want a true stealth non-response.