asterisk users - Nov 2004 - Fedora Core 2 firewall rules - NO NAT!

This depends on what services you want available on the box?  Do you want
to limit visibility of Asterisk on this machine to certain hosts?

My recommendation is to disable all telnet/ftp/rlogin period.  Limit SSH
access from known hosts and drop all ICMP packets so you look like a black
hole.

If you want some specific examples of rules, email me offline and I'll h
elp you out.

Ed

On Tue, 30 Nov 2004, Mike Dent wrote:
> Hi,
> I managed to get some more IP's from my ISP and am considering putting
my
> Asterisk box on one of them, so it is not behind NAT anymore :)
>
> However I need to make sure it is secure, is anybody else doing this
> who would be
> so kind as to share their firewall rules/ideas?
>
> Many thanks
>
> Mike
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>

Hi,
I managed to get some more IP's from my ISP and am considering putting my
Asterisk box on one of them, so it is not behind NAT anymore :)

However I need to make sure it is secure, is anybody else doing this
who would be
so kind as to share their firewall rules/ideas?

Many thanks

Mike

Ed Robbins wrote:
> My recommendation is to disable all telnet/ftp/rlogin period.  Limit SSH
> access from known hosts and drop all ICMP packets so you look like a black
> hole.
NEVER drop all ICMP packets.  If you do that it will break TCP MTU 
discovery and random hosts will not be reachable.  Accept all ICMP 
packets, drop outgoing ICMP except for the few you need like 
packet-too-big and things like that.  Read up on ICMP blocking and 
firewalls.

--Eric

-- 
I am seeking part or full time employment in Toronto, The Netherlands,
or Belgium.  My preference is part time employment in Toronto with
some telecommuting. Currently located in New Orleans, Louisiana and am
happy to relocate. Contact eric at fnords.org.

> I managed to get some more IP's from my ISP and am considering putting
my
> Asterisk box on one of them, so it is not behind NAT anymore :)
> 
> However I need to make sure it is secure, is anybody else doing this
> who would be
> so kind as to share their firewall rules/ideas?
Lots of folks are doing it, and practically all ITSP's are doing it.

If you're not sure how to secure the box, there are several well written
documents from various security groups to help you. In a nut shell,
disable all services that aren't needed, ssh term sessions only, and 
secure those services that you absolutely need. What's left running,
ensure those apps are up2date.

Rich