This depends on what services you want available on the box? Do you want to limit visibility of Asterisk on this machine to certain hosts?

My recommendation is to disable all telnet/ftp/rlogin period. Limit SSH access from known hosts and drop all ICMP packets so you look like a black hole.

If you want some specific examples of rules, email me offline and I'll help you out.

Ed

On Tue, 30 Nov 2004, Mike Dent wrote:
> Hi,
> I managed to get some more IP's from my ISP and am considering putting my
> Asterisk box on one of them, so it is not behind NAT anymore :)
>
> However I need to make sure it is secure, is anybody else doing this
> who would be so kind as to share their firewall rules/ideas?
>
> Many thanks
>
> Mike
Hi,

I managed to get some more IP's from my ISP and am considering putting my Asterisk box on one of them, so it is not behind NAT anymore :)

However I need to make sure it is secure, is anybody else doing this who would be so kind as to share their firewall rules/ideas?

Many thanks

Mike
Eric Wieling aka ManxPower
2004-Nov-30 11:47 UTC
[Asterisk-Users] Fedora Core 2 firewall rules - NO NAT!
Ed Robbins wrote:
> My recommendation is to disable all telnet/ftp/rlogin period. Limit SSH
> access from known hosts and drop all ICMP packets so you look like a black
> hole.

NEVER drop all ICMP packets. If you do that it will break TCP MTU discovery and random hosts will not be reachable. Accept all ICMP packets, drop outgoing ICMP except for the few you need like packet-too-big and things like that. Read up on ICMP blocking and firewalls.

--Eric

--
I am seeking part or full time employment in Toronto, The Netherlands, or Belgium. My preference is part time employment in Toronto with some telecommuting. Currently located in New Orleans, Louisiana and am happy to relocate. Contact eric at fnords.org.
Rich Adamson
2004-Nov-30 13:19 UTC
> I managed to get some more IP's from my ISP and am considering putting my
> Asterisk box on one of them, so it is not behind NAT anymore :)
>
> However I need to make sure it is secure, is anybody else doing this
> who would be so kind as to share their firewall rules/ideas?

Lots of folks are doing it, and practically all ITSP's are doing it. If you're not sure how to secure the box, there are several well written documents from various security groups to help you.

In a nutshell, disable all services that aren't needed, ssh term sessions only, and secure those services that you absolutely need. What's left running, ensure those apps are up2date.

Rich
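
A default-deny inbound ruleset along the lines the replies in this thread describe, as an added example that is not from any of the posters. The admin addresses (documentation ranges), the VoIP ports (SIP 5060/udp, IAX2 4569/udp, RTP 10000-20000/udp) and the choice of ICMP types are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: inbound policy for an Asterisk host on a public (non-NAT) address.
# Dry run by default: commands are printed. Run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"
# Constructed sample admin hosts (RFC 5737 documentation addresses).
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.10 198.51.100.7}"

build_firewall() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to our own traffic, including ICMP errors tied to a known flow.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH only from the known admin hosts.
    for host in $ADMIN_HOSTS; do
        $IPT -A INPUT -p tcp -s "$host" --dport 22 -m state --state NEW -j ACCEPT
    done

    # Do not blanket-drop ICMP: destination-unreachable carries the
    # "fragmentation needed" code that path MTU discovery depends on.
    for type in destination-unreachable time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type "$type" -j ACCEPT
    done
    # Answer pings, but rate-limited.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # VoIP signalling and media (assumed stock Asterisk ports).
    $IPT -A INPUT -p udp --dport 5060 -j ACCEPT          # SIP
    $IPT -A INPUT -p udp --dport 4569 -j ACCEPT          # IAX2
    $IPT -A INPUT -p udp --dport 10000:20000 -j ACCEPT   # RTP

    # Set the default last so an SSH session used to apply the rules is not
    # cut off mid-way. Everything not listed above (telnet, ftp, rlogin, ...)
    # is dropped by this policy.
    $IPT -P INPUT DROP
}

build_firewall
```

Review the printed commands first; stopping the unused services themselves is still needed, since the firewall only hides them.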