The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the world to work. Is this necessarily true, or does it only need some of these outgoing?

I'm concerned as anyone that could guess an extension number&password could use my server to make outgoing calls. It would help if the extensions had a netmask/allowable IP setting like the iax.conf file uses, but there isn't one documented...

Tony

--
Te audire no possum. Musa sapientum fixa est in aure.
Tony Hoyle <tmh@nodomain.org> Key ID: 104D/4F4B6917 2003-09-13
Fingerprint: 063C AFB4 3026 F724 0AA2 02B8 E547 470E 4F4B 6917
I personally only allow IAX2 in and out from my asterisk box, due to the simplicity of one (udp) port. I do not relish the thought of trying to open the port ranges for SIP securely!

As long as your inbound stuff in iax.conf lands in a sensible context, inbound connections would only be able to call your internal extensions, and not make "cost" calls.

Hope that helps....

Karl

> -----Original Message-----
> From: asterisk-users-admin@lists.digium.com [mailto:asterisk-users-admin@lists.digium.com] On Behalf Of Tony Hoyle
> Sent: 22 May 2004 23:11
> To: asterisk-users@lists.digium.com
> Subject: [Asterisk-Users] Asterisk firewall config
Hi

On Sun, 2004-05-23 at 00:11, Tony Hoyle wrote:
> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the
> world to work. Is this necessarily true, or does it only need some of these
> outgoing?

All depends on what you need to do.
If you use only zap channels and no VoIP, perhaps the only port you need to open is ssh (if using it, of course).
If you plan to do only IAX, only port 4569 UDP needs to be opened.
But if you plan to do only SIP you need only port 5060 UDP and 10000 to 20000 UDP for the SIP RTP stream (configurable in rtp.conf).
So... all depends :)

> I'm concerned as anyone that could guess an extension number&password could
> use my server to make outgoing calls. It would help if the extensions had a
> netmask/allowable IP setting like the iax.conf file uses, but there isn't one
> documented...

Mmmh... setting into the extension seems to me the same as setting into iax.conf (or sip.conf), or not?
Otherwise... use very strange passwords along with superstrange usernames.... I bet someone to get a login data like username : 2h729872pcnt with pw : inr2.f2f2232DDFW3r
or not :) ?

--
Brancaleoni Matteo <mbrancaleoni@espia.it>
Espia - Emmegi Srl
> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the
> world to work. Is this necessarily true, or does it only need some of these
> outgoing?
>
> I'm concerned as anyone that could guess an extension number&password could
> use my server to make outgoing calls. It would help if the extensions had a
> netmask/allowable IP setting like the iax.conf file uses, but there isn't one
> documented...

Tony,

What you open up (and how you restrict access) is really a function of the resources you have available. Example, on some firewalls you can open a ton of ports, but then limit which IP's can actually use them.

I think there is a "permit=" statement for sip def's that limit which IP's can use that sip definition. If that's not enough, implement IP tables as another mechanism to restrict access. All depends on what you've got available.

Rich
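The per-peer restriction asked about at the top of the thread, and the `permit=` statement Rich mentions, can be checked mechanically; the following is an added example, not code from any poster or from the Asterisk project. It assumes chan_sip-style `deny=`/`permit=` lines applied in file order with the last match winning; the sample sip.conf, peer names, secrets and addresses are constructed.

```python
import ipaddress

# Constructed sample sip.conf: peer names, secrets and networks are made up.
SAMPLE_SIP_CONF = """\
[general]
bindport=5060          ; SIP signalling port mentioned in the thread

[201]                  ; locked to the office LAN
type=friend
host=dynamic
secret=constructed-long-random-secret
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[202]                  ; no ACL: any source address may try the password
type=friend
host=dynamic
secret=202
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping rule order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ; comments
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def acl_allows(options, source_ip):
    """Apply deny=/permit= in file order; the last matching rule wins and an
    address matching no rule is allowed (assumed chan_sip behaviour)."""
    addr, allowed = ipaddress.ip_address(source_ip), True
    for key, value in options:
        if key in ("deny", "permit") and addr in ipaddress.ip_network(value, strict=False):
            allowed = (key == "permit")
    return allowed

def peers_reachable_from(text, source_ip):
    """Peers whose ACL would let source_ip attempt authentication."""
    return [name for name, opts in parse_sections(text).items()
            if name != "general" and acl_allows(opts, source_ip)]

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for "the world".
    print(peers_reachable_from(SAMPLE_SIP_CONF, "203.0.113.10"))
```

Any peer the function returns for an outside address is protected by its password alone and is a candidate for a `deny=`/`permit=` pair or a firewall rule.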
If your firewall has some form of sip inspect then you will not need to leave open the rtp ports.

Chris
Ah yes..... I too would like to see ip_conntrack_sip :)

-----Original Message-----
From: asterisk-users-admin@lists.digium.com [mailto:asterisk-users-admin@lists.digium.com] On Behalf Of Chris Stenton
Sent: 24 May 2004 08:57
To: asterisk-users@lists.digium.com
Subject: Re: [Asterisk-Users] Asterisk firewall config

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users