Re: [asterisk-users] Is this doable?

Tue, 07 Feb 2012 09:44:01 -0800 



It is indeed. This is already implemented in Asterisk I take it then? If
so, brilliant news!
More or less. I don't know if it's easy to trigger for specific caller ID values, or for none. You might need to to a little customization, but something mostly like what you describe is present.
I am glad to see this! Which modules/functions present this functionality - do you know? I am almost certainly going to customise this as the screening of calls will be done using my own custom-defined criteria and the response options will also have to be customised/enhanced as well (how much really depends on what is currently implemented in Asterisk). 


Is there some kind of attack that you believe is possible on one 
interface that isn't on the other?  I can't conceive of any way that 
making your service available on additional addresses increases your 
vulnerability.

Of course it does - by making Asterisk service available on, say eth2 
(by binding on 0.0.0.0 that is automatically enabled, i.e. Asterisk can 
receive packets coming from that interface). This is not what I want.



If I could restrict Asterisk to bind only on the eth0 and eth1 for 
example, packets coming from that interface (eth2) won't affect Asterisk 
at all and they will either be dropped or rejected as nothing would 
listen on that address/port.



I know that you may say "netfilter/iptables is there to protect you", 
but the system will be more secure if Asterisk don't have the (physical) 
ability to answer requests coming from "undesired" interfaces - 
regardless of whether I have a fully-functional netfilter/iptables in 
place (even if it is compromised), rather than having Asterisk 
potentially answering such requests (by binding to 0.0.0.0) even if 
netfilter/iptables are functioning.



In other words, having physically restricted Asterisk from answering 
requests coming from undesired interfaces (short of directly 
forwarding/routing packets from/to that interface) is better than 
allowing it do so and relying solely on netfilter/iptables for protection.


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
              http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users























					Reply via email to