Since we're chatting about tftp servers... Let's say I have a new customer with Cisco 79xx phones, and he desires to SIP register on my Asterisk system. I would have to provide the SIP<mac>.cnf and SIPDefault.cnf files on my tftp server for his phones. These files would be world readable, which I don't want. Is the solution to put the tftp server behind the firewall and port redirect based on the customer's IP, or is there a better way of restricting access? Thanks, Mike
Well, the best solution would be to create a VPN between your network and the one of your customer, but that's only possible if you have a VPN router on both sides. Otherwise I don't see much solution other than the one you already consider doing.

Martin

From: Michael Welter <mike@introspect.com>

> Since we're chatting about tftp servers...
>
> Let's say I have a new customer with Cisco 79xx phones, and he desires to SIP register on my Asterisk system. I would have to provide the SIP<mac>.cnf and SIPDefault.cnf files on my tftp server for his phones. These files would be world readable, which I don't want.
>
> Is the solution to put the tftp server behind the firewall and port redirect based on the customer's IP, or is there a better way of restricting access?
>
> Thanks,
> Mike
On Thu, 2005-01-27 at 03:34, Michael Welter wrote:
> Since we're chatting about tftp servers...
>
> Let's say I have a new customer with Cisco 79xx phones, and he desires
> to SIP register on my Asterisk system. I would have to provide the
> SIP<mac>.cnf and SIPDefault.cnf files on my tftp server for his phones.
> These files would be world readable, which I don't want.
>
> Is the solution to put the tftp server behind the firewall and port
> redirect based on the customer's IP, or is there a better way of
> restricting access?

TFTP on an open server is a definite no-no. Port redirection is better _if_ you have a static IP - but what are you going to do about dynamic IPs?

> Thanks,
> Mike
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

--
Howard.
LANNet Computing Associates; Your Linux people <http://www.lannetlinux.com>
------------------------------------------
"When you just want a system that works, you choose Linux; when you want a system that just works, you choose Microsoft."
------------------------------------------
"Flatter government, not fatter government; Get rid of the Australian states."
TFTP is inherently insecure :-) This insecurity is how I got my BroadVoice SIP UID and Pass a long time ago, before they supported Asterisk: told them the MAC of my Cisco phone and just grabbed the config file off their tftp server. Interesting stuff.

A firewall is your only true solution, but that stops the phone from being able to be mobile.

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Michael Welter
Sent: Wednesday, January 26, 2005 11:34 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [Asterisk-Users] TFTP Server Facing the Internet

> Since we're chatting about tftp servers...
>
> Let's say I have a new customer with Cisco 79xx phones, and he desires to SIP register on my Asterisk system. I would have to provide the SIP<mac>.cnf and SIPDefault.cnf files on my tftp server for his phones. These files would be world readable, which I don't want.
>
> Is the solution to put the tftp server behind the firewall and port redirect based on the customer's IP, or is there a better way of restricting access?
>
> Thanks,
> Mike
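
Added example, not part of the original thread: a sketch of the per-customer source restriction discussed above, written as a policy check a TFTP front end could apply to each read request before serving SIP<mac>.cnf or SIPDefault.cnf. The MAC addresses, networks (RFC 5737 documentation ranges) and function names are constructed assumptions.

```python
import ipaddress
import re
import struct

# Constructed allow-list: phone MAC (as used in SIP<mac>.cnf) -> customer networks.
# All MACs and networks here are hypothetical sample values.
ALLOWED = {
    "000D28AABBCC": [ipaddress.ip_network("203.0.113.0/28")],
    "000D28DDEEFF": [ipaddress.ip_network("198.51.100.64/29")],
}
# The shared SIPDefault.cnf is readable from any known customer network.
SHARED = [net for nets in ALLOWED.values() for net in nets]
MAC_FILE = re.compile(r"^SIP([0-9A-F]{12})\.cnf$", re.IGNORECASE)


def parse_rrq(datagram: bytes):
    """Return (filename, mode) for a TFTP read request (RFC 1350), else None."""
    if len(datagram) < 4 or struct.unpack("!H", datagram[:2])[0] != 1:
        return None  # opcode 1 = RRQ; write requests and all else are refused
    parts = datagram[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None  # filename and mode must both be present and NUL-terminated
    try:
        return parts[0].decode("ascii"), parts[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None


def decide(src_ip: str, datagram: bytes) -> str:
    """Return 'allow' or 'deny:<reason>' for one request from src_ip."""
    req = parse_rrq(datagram)
    if req is None:
        return "deny:not-a-read-request"
    filename, _mode = req
    addr = ipaddress.ip_address(src_ip)
    if filename == "SIPDefault.cnf":
        nets = SHARED
    else:
        m = MAC_FILE.match(filename)
        if m is None:
            return "deny:unexpected-filename"  # also rejects path traversal
        nets = ALLOWED.get(m.group(1).upper())
        if nets is None:
            return "deny:unknown-mac"
    return "allow" if any(addr in n for n in nets) else "deny:source-not-allowed"
```

As the thread points out, a source-address rule like this only helps for customers with static IPs; logging the deny reasons also shows when someone is walking through MAC-based filenames.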